CHAPTER 3
Implementing BGP Flowspec
Flowspec specifies procedures for the distribution of flow specification rules via BGP and defines procedures
to encode flow specification rules as Border Gateway Protocol Network Layer Reachability Information
(BGP NLRI), which can be used in any application. It also defines an application for the purpose of packet
filtering in order to mitigate (distributed) denial-of-service attacks.
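As an added illustration of the NLRI encoding this paragraph refers to (and of the match fields the section goes on to list: source, destination, L4 ports, packet length and fragment), here is a small Python encoder written for this chapter; it is not Cisco's code or part of any product. The component type numbers, operator bit layout and length-field rule are the ones RFC 5575 section 4 defines; the 192.0.2.0/24 rule and all helper names are constructed for the example.

```python
"""Added example (not Cisco's code): build BGP Flowspec NLRI bytes per RFC 5575.

Component type numbers, operator bit layout and the length-field rule follow
RFC 5575 section 4; the sample rules below are constructed for illustration.
"""
import ipaddress

# Component types (RFC 5575 section 4)
DEST_PREFIX, SRC_PREFIX, IP_PROTO = 1, 2, 3
PORT, DST_PORT, SRC_PORT = 4, 5, 6
PKT_LEN, FRAGMENT = 10, 12

# Numeric operator byte: e(0x80) a(0x40) len(0x30) 0 lt(0x04) gt(0x02) eq(0x01)
NUMERIC_OPS = {"==": 0x01, ">": 0x02, ">=": 0x03, "<": 0x04, "<=": 0x05, "!=": 0x06}
END_OF_LIST, AND_PREVIOUS = 0x80, 0x40
# Bitmask operator byte: e a len 0 0 not(0x02) m(0x01)
NOT_BIT, MATCH_BIT = 0x02, 0x01
# Fragment component value bits
FRAG_DF, FRAG_IS_FRAG, FRAG_FIRST, FRAG_LAST = 0x01, 0x02, 0x04, 0x08


def prefix_component(ctype, cidr):
    """Type 1/2: prefix length, then only as many address bytes as that length needs."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _width(value):
    """Pick the smallest RFC width (1/2/4/8 bytes); return (len code, value bytes)."""
    for code, size in ((0, 1), (1, 2), (2, 4), (3, 8)):
        if value < 1 << (8 * size):
            return code, value.to_bytes(size, "big")
    raise ValueError("value does not fit in 8 bytes")


def _operator_list(ctype, terms):
    """Common tail of types 3-12: terms are (operator bits, value, and_with_previous)."""
    out = bytearray([ctype])
    for idx, (op_bits, value, and_prev) in enumerate(terms):
        code, encoded = _width(value)
        byte = op_bits | (code << 4)
        if and_prev:
            byte |= AND_PREVIOUS      # a bit: AND this term with the one before it
        if idx == len(terms) - 1:
            byte |= END_OF_LIST       # e bit: last operator/value pair of the list
        out.append(byte)
        out += encoded
    return bytes(out)


def _flatten(clauses):
    """Clauses are OR'ed together; terms inside one clause are AND'ed."""
    return [(term, i > 0) for clause in clauses for i, term in enumerate(clause)]


def numeric_component(ctype, clauses):
    """Types 3-11, e.g. [[(">=", 1000), ("<=", 1500)], [("==", 53)]]."""
    terms = [(NUMERIC_OPS[op], value, and_prev) for (op, value), and_prev in _flatten(clauses)]
    return _operator_list(ctype, terms)


def bitmask_component(ctype, clauses):
    """Types 9/12: terms are (bits, exact, negate); exact=False means 'any of these bits set'."""
    terms = [((MATCH_BIT if exact else 0) | (NOT_BIT if negate else 0), bits, and_prev)
             for (bits, exact, negate), and_prev in _flatten(clauses)]
    return _operator_list(ctype, terms)


def encode_nlri(components):
    """Concatenate components in ascending type order and prepend the length field."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body                            # one-byte length
    if len(body) >= 0x0F00:
        raise ValueError("NLRI too long for the two-byte length field")
    return bytes([0xF0 | (len(body) >> 8), len(body) & 0xFF]) + body  # two-byte length


def rfc5575_example():
    """The RFC 5575 section 4.1 example: packets to 10.0.1/24, TCP, port 25."""
    return encode_nlri([
        prefix_component(DEST_PREFIX, "10.0.1.0/24"),
        numeric_component(IP_PROTO, [[("==", 6)]]),
        numeric_component(PORT, [[("==", 25)]]),
    ])


def dns_reflection_rule():
    """Constructed rule: UDP from source port 53 towards the victim prefix 192.0.2.0/24."""
    return encode_nlri([
        prefix_component(DEST_PREFIX, "192.0.2.0/24"),
        numeric_component(IP_PROTO, [[("==", 17)]]),
        numeric_component(SRC_PORT, [[("==", 53)]]),
    ])


if __name__ == "__main__":
    print(rfc5575_example().hex())
    print(dns_reflection_rule().hex())
```

All components of one NLRI must match for the rule to apply, so a separate NLRI is needed for each independent condition (for example one for source port 53 and another for fragments), while OR'ed values of the same field go into one component as separate clauses.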
Note: For more information about BGP Flowspec and complete descriptions of the BGP Flowspec commands
listed in this module, see the BGP Flowspec Commands chapter in the Cisco ASR 9000 Series Aggregation
Services Router Routing Command Reference.
Feature History for Implementing BGP Flowspec
Release 5.2.0    This feature was introduced.
Release 5.3.2    NLRI Policy Support in BGP Flowspec
• BGP Flow Specification, page 203
BGP Flow Specification
The BGP flow specification (flowspec) feature allows you to rapidly deploy and propagate filtering and
policing functionality among a large number of BGP peer routers to mitigate the effects of a distributed
denial-of-service (DDoS) attack over your network.
In traditional methods for DDoS mitigation, such as RTBH (remotely triggered blackhole), a BGP route is
injected advertising the address of the website under attack with a special community. On the border routers,
this special community sets the next hop to a discard (null) next hop, thus preventing traffic from suspect
sources from entering your network. While this offers good protection, it makes the server completely unreachable.
BGP flowspec, on the other hand, allows for a more granular approach and lets you effectively construct
instructions to match a particular flow by source, destination, L4 parameters, and packet specifics such as
length, fragment, and so on. Flowspec allows for the dynamic installation of an action at the border routers to
either:
Cisco ASR 9000 Series Aggregation Services Router Routing Configuration Guide, Release 5.3.x
203