CHAPTER 3
Implementing BGP Flowspec
Flowspec specifies procedures for the distribution of flow specification rules via BGP and defines procedure
to encode flow specification rules as Border Gateway Protocol Network Layer Reachability Information (BGP
NLRI) which can be used in any application. It also defines application for the purpose of packet filtering in
order to mitigate (distributed) denial of service attacks.
For more information about BGP Flowspec and complete descriptions of the BGP Flowspec commands listed
in this module, see the BGP Flowspec Commands chapter in the Routing Command Reference for Cisco NCS
6000 Series Routers.
Note
Feature History for Implementing BGP Flowspec
This feature was introduced.Release
5.2.4
• BGP Flow Specification, on page 103
BGP Flow Specification
The BGP flow specification (flowspec) feature allows you to rapidly deploy and propagate filtering and
policing functionality among a large number of BGP peer routers to mitigate the effects of a distributed
denial-of-service (DDoS) attack over your network.
In traditional methods for DDoS mitigation, such as RTBH (remotely triggered blackhole), a BGP route is
injected advertising the website address under attack with a special community. This special community on
the border routers sets the next hop to a special next hop to discard/null, thus preventing traffic from suspect
sources into your network. While this offers good protection, it makes the Server completely unreachable.
BGP flowspec, on the other hand, allows for a more granular approach and lets you effectively construct
instructions to match a particular flow with source, destination, L4 parameters and packet specifics such as
length, fragment and so on. Flowspec allows for a dynamic installation of an action at the border routers to
either:
• Drop the traffic
• Inject it in a different VRF for analysis or
Routing Configuration Guide for Cisco NCS 6000 Series Routers, IOS XR Release 6.4.x
103
To Next Page
Loading...
Need help?
General
