BGP FlowSpec

Martin Bacher ti14m028 at
Mon May 2 13:48:37 UTC 2016

> Am 02.05.2016 um 15:03 schrieb Alexander Maassen <outsider at>:
> On Mon, May 2, 2016 2:30 pm, Danny McPherson wrote:
>> We use it effectively in a layered model where "Principle of Minimal
>> Intervention" applies, allowing attack mitigation and traffic diversion
>> in the most optimal place (e.g., at network ingress), and only scrubbing
>> or diverting traffic when necessary.
> Sorry to say, but the most optimal place for ddos mitigation is at network
> egress of origin. What comes in mind regarding that is the ability for
> target ASN telling source ASN to stop sending packets from a specific
> (let's say /29) in the case of a DDoS (with appropiate security measures
> in place off course).
> Because, let's face it, why would a target of a ddos need to nullroute
> itself?

Well, I think ingress filtering at the Internet edge (see BCP38 and BCP84) would be the best approach. But we as Internet community are clearly failing in that area. And origin ASes of amplification and reflection attacks are most probably not able to detect DNS ANY queries or NTP monlist queries at a low rate without DPI. The networks used for reflection and amplification may be able to detect an ongoing attack and they will then hopefully fix their implementations and not deploy egress filters.

So the question is how to get rid of source IP address spoofing at all? I don’t see any chance by now to push ASes, which are not filtering properly, to implement ingress filtering. What could help is to add session handling to UDP based protocols as proposed by Christian Rossow and implemented by Google in Quic. But that’s again just a workaround and may create new problems because of backwards compatibility issues. 

So filtering as precise as possible and as close as possible to the attack source is maybe the best option we have at the moment.


More information about the NANOG mailing list