nanog mailing list archives

Re: BGP FlowSpec

From: John Kristoff <jtk () cymru com>
Date: Wed, 27 Apr 2016 10:58:23 -0500

On Thu, 21 Apr 2016 09:46:13 +0200
Martin Bacher <ti14m028 () technikum-wien at> wrote:

- Intra-AS BGP FlowSpec deployment: Who is running it? For which kind
of attacks are you using it? Are you only dropping or rate-limiting
certain traffic or are you also using the redirect/remark
capabilities? What are the limitations from your perspective? Are you
facing any operational issues? How are you injecting the FlowSpec
routes?


Unless you received a number of private responses, perhaps the lack of
public responses is telling.

I've heard of a few networks doing this and there is some public record
of it being used, including one instance where a bad rule was behind a
serious outage:

  <https://support.cloudflare.com/hc/en-us/articles/200172446-CloudFlare-Post-Mortem-from-Outage-on-March-3-2013>

- Inter-AS: Who is running Inter-AS FlowSpec deployments? What is
your experience? Are there any concerns regarding Inter-AS
deployments? Has anyone done interop tests?


You might mine public, archived BGP data and see if there are any
traffic filtering rules present (they are encoded in extended
communities, which are optional, transitive).

We once tried to coordinate an Inter-AS flow-spec project, but it
failed miserably due to lack of interest.  For posterity, here is the
project page:

  <https://www.cymru.com/jtk/misc/community-fs.html>

Literally the only people who were interested in it at the time was one
of the spec's co-authors.  :-)

Since then, we have tried a more modest approach using the well known
BGP RTBH technique:

  <https://www.cymru.com/jtk/misc/utrs.html>

This has been much more successful and since we've started we've
probably had about a dozen networks express interest in flow-spec
rules.  Verification of rules is potentially tricky, but
widespread interest still lags in my estimation.

- How are you detecting DDoS attacks (Netflow, in-line probes, ..?)
and which applications are you using for the analysis (Peakflow,
Open-Source tools, ..?)


Not speaking for anyone in particular, but don't forget about user
complaints.  In some cases a network may not notice (or care) if an
attack is below a certain threshold for their network, but above a
stress point downstream.

John

Current thread:

BGP FlowSpec Martin Bacher (Apr 24)
- Re: BGP FlowSpec John Kristoff (Apr 27)
  - Re: BGP FlowSpec Hank Nussbacher (Apr 27)
    - Re: BGP FlowSpec Martin Bacher (Apr 27)
    - Re: BGP FlowSpec Tyler Haske (Apr 28)
    - Re: BGP FlowSpec Martin Bacher (Apr 29)
  - Re: BGP FlowSpec Martin Bacher (Apr 27)
- <Possible follow-ups>
- Re: BGP FlowSpec dennis (Apr 29)
  - Re: BGP FlowSpec Pierre Lamy (Apr 30)
    - Re: BGP FlowSpec Roland Dobbins (Apr 30)