BGP FlowSpec

Martin Bacher ti14m028 at technikum-wien.at
Thu Apr 28 06:31:57 UTC 2016


> On 27.04.2016 at 17:58, John Kristoff <jtk at cymru.com> wrote:
> 
> On Thu, 21 Apr 2016 09:46:13 +0200
> Martin Bacher <ti14m028 at technikum-wien.at> wrote:
> 
>> - Intra-AS BGP FlowSpec deployment: Who is running it? For which kind
>> of attacks are you using it? Are you only dropping or rate-limiting
>> certain traffic or are you also using the redirect/remark
>> capabilities? What are the limitations from your perspective? Are you
>> facing any operational issues? How are you injecting the FlowSpec
>> routes?
> 
> Unless you received a number of private responses, perhaps the lack of
> public responses is telling.
> 
> I've heard of a few networks doing this and there is some public record
> of it being used, including one instance where a bad rule was behind a
> serious outage:
> 
>  <https://support.cloudflare.com/hc/en-us/articles/200172446-CloudFlare-Post-Mortem-from-Outage-on-March-3-2013>

Thanks for that information.  I didn’t know about that outage and this is definitely something which is very important and worth mentioning in the paper. But I would rather say that this is a general risk. A fat-finger issue can always disconnect you from the internet, as can a software bug in a homogeneous environment.

> 
>> - Inter-AS: Who is running Inter-AS FlowSpec deployments? What is
>> your experience? Are there any concerns regarding Inter-AS
>> deployments? Has anyone done interop tests?
> 
> You might mine public, archived BGP data and see if there are any
> traffic filtering rules present (they are encoded in extended
> communities, which are optional, transitive).

I don’t think that I will find anything there because it is a dedicated SAFI. Only traffic filtering actions are encoded as extended communities.

> 
> We once tried to coordinate an Inter-AS flow-spec project, but it
> failed miserably due to lack of interest.  For posterity, here is the
> project page:
> 
>  <https://www.cymru.com/jtk/misc/community-fs.html>

I already came across your project but didn’t recognize that there is/was also some FlowSpec initiative.

> 
> Literally the only people who were interested in it at the time was one
> of the spec's co-authors.  :-)

That’s how it usually starts. ;)

> 
> Since then, we have tried a more modest approach using the well known
> BGP RTBH technique:
> 
>  <https://www.cymru.com/jtk/misc/utrs.html>
> 
> This has been much more successful and since we've started we've
> probably had about a dozen networks express interest in flow-spec
> rules.  Verification of rules is potentially tricky, but
> widespread interest still lags in my estimation.

Yes, RTBH is quite common and really helpful in the inter-AS world. But eBGP FlowSpec is offered by only very few ISPs. I think that intra-AS deployments are more common, but one wouldn’t be able to detect that unless somebody tells you that they are using it.

> 
>> - How are you detecting DDoS attacks (Netflow, in-line probes, ..?)
>> and which applications are you using for the analysis (Peakflow,
>> Open-Source tools, ..?)
> 
> Not speaking for anyone in particular, but don't forget about user
> complaints.  In some cases a network may not notice (or care) if an
> attack is below a certain threshold for their network, but above a
> stress point downstream.

That’s true. They are selling IP transit, and more traffic means more money. Upstream providers may only care if other customers are also affected or unless you pay them for protection.

Thanks for your comments!

Cheers,
Martin

> 
> John
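The point made above, that FlowSpec rules travel in their own SAFI while only the action rides in an extended community, is easier to see on the wire. Below is an added example (not code from this thread or from any of the projects mentioned) that encodes a FlowSpec IPv4 NLRI and a traffic-rate action per RFC 5575, with bounds checks so an operand that does not fit its length encoding is rejected before a rule is injected; ASN 64496 and the sample prefix are constructed documentation values.

```python
import ipaddress
import struct

FLOWSPEC_SAFI = 133          # RFC 5575: IPv4 FlowSpec is AFI 1 / SAFI 133, not unicast
TRAFFIC_RATE = (0x80, 0x06)  # extended community type/subtype; rate 0 means discard

def prefix_component(ctype, cidr):
    """Type 1 (destination) or type 2 (source) prefix: prefix length, then prefix bytes."""
    net = ipaddress.IPv4Network(cidr)  # strict: rejects host bits set in the prefix
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_component(ctype, values):
    """Numeric component (e.g. type 3 protocol, type 5 dst port) as a list of
    'equal' matches OR'd together; the last operator carries the end-of-list bit."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        if not 0 <= v <= 0xFFFF:
            raise ValueError(f"value {v} does not fit component type {ctype}")
        length_bits = 0b00 if v < 256 else 0b01   # operand length: 1 or 2 bytes
        op = (length_bits << 4) | 0x01            # eq bit set
        if i == len(values) - 1:
            op |= 0x80                            # end-of-list bit
        out.append(op)
        out += v.to_bytes(1 << length_bits, "big")
    return bytes(out)

def flowspec_nlri(dst=None, src=None, proto=(), dport=()):
    """Assemble the NLRI (components in ascending type order) with its length prefix."""
    body = b""
    if dst:
        body += prefix_component(1, dst)
    if src:
        body += prefix_component(2, src)
    if proto:
        body += numeric_component(3, list(proto))
    if dport:
        body += numeric_component(5, list(dport))
    if len(body) < 240:                    # single-octet length
        return bytes([len(body)]) + body
    if len(body) < 4096:                   # extended length: high nibble all ones
        return struct.pack("!H", 0xF000 | len(body)) + body
    raise ValueError("NLRI exceeds the FlowSpec length field")

def traffic_rate(asn, bytes_per_second):
    """Traffic-rate extended community: 2-byte AS, then the rate as an IEEE float."""
    t, s = TRAFFIC_RATE
    return struct.pack("!BBHf", t, s, asn, float(bytes_per_second))

if __name__ == "__main__":
    # constructed rule: discard UDP/53 towards 192.0.2.0/24
    print(flowspec_nlri(dst="192.0.2.0/24", proto=[17], dport=[53]).hex())
    print(traffic_rate(64496, 0).hex())
```

A collector that only carries the unicast SAFI never sees the NLRI bytes, which is why archived unicast tables cannot reveal these rules.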
