Welcome to the Packet Pushers Priority Queue. On today’s show we’re going to talk about BGP flowspec, a BGP extension defined in RFC 5575 that can be used for DoS mitigation.
But before we dive in, let’s level set on BGP, the Border Gateway Protocol. BGP is the routing protocol that glues the Internet together. Large enterprises and service providers use complex BGP policies to govern traffic flowing across their networks. BGP lets you perform some clever routing tricks that you can’t really do with an interior gateway routing protocol like OSPF or EIGRP.
And all of that is, more or less, true. To quote RFC 4271, “The primary function of a BGP speaking system is to exchange network reachability information with other BGP systems. This network reachability information includes information on the list of Autonomous Systems (ASes) that reachability information traverses. This information is sufficient for constructing a graph of AS connectivity for this reachability, from which routing loops may be pruned and, at the AS level, some policy decisions may be enforced.”
Okay. So RFC 4271 tells us that BGP is primarily for telling BGP speakers what networks are reachable via what autonomous systems. And if you dig a little deeper, you find that this information is learned through the NLRI – Network Layer Reachability Information – carried in BGP UPDATE messages.
Now, here’s the big deal with BGP. An NLRI could contain any sort of information. An NLRI doesn’t have to contain an IP prefix with reachability information. You know, a route. For instance, RFC 4684 defines NLRIs that carry route-target membership information. RFC 4760 defines the multiprotocol extensions (AFI/SAFI) that let BGP carry NLRI for address families other than IPv4 unicast, which is the mechanism flowspec itself rides on. RFC 7432 defines NLRIs for EVPN.
Once you realize this, BGP becomes more than just a routing protocol. BGP can be used to share all sorts of information between BGP speakers to influence their forwarding decisions.
The topic of our conversation today is RFC 5575, BGP flowspec. BGP flowspec defines a specific BGP NLRI (AFI 1, SAFI 133 for IPv4) that describes a flow: a set of match criteria such as destination prefix, source prefix, IP protocol and ports. The action to take on matching packets (rate-limit to a given rate, including zero for discard, redirect, or re-mark) is carried alongside it in extended communities. What do BGP speakers do with this flow information?
Our guest today is Justin Ryburn, who’s going to talk us through BGP flowspec and how it can be used to mitigate DoS and DDoS attacks.
Justin is a Consulting Engineer with Juniper Networks. He’s been with Juniper for about 9 years in both pre-sales and post-sales Engineering roles, and has about 20 years experience in networking with a primary focus on service providers and carriers.
Section 1 – Setting Up The problem: DoS Attacks
* Briefly, what’s a DoS attack?
* High Level – Denial of Service attack is any attack that denies (blocks) the legitimate use of a resource.
* There is also the term DDoS. The extra D stands for distributed and refers to an attack sourced from many widely distributed hosts.
* What are the chief ways DoS attacks are defended against (and their issues)?
* Manual call – help me, I’m being attacked!
* D/RTBH – destination-based remotely triggered blackhole: the victim announces its own prefix (typically a /32) tagged with a blackhole community, and the provider’s edge routers set the next hop to a discard route.
* S/RTBH – source-based RTBH: the victim calls for help, and the NOC announces the attack source prefixes to the blackhole and relies on loose-mode uRPF at the edge to drop packets from those sources.
* The big deal? Every flow dies in the blackhole in destination-based filtering. A lack of granularity that kills useful traffic along with the DoS traffic. Even source-based with uRPF is not a perfect answer, although it’s better than destination-based.
* It is better in the sense that it does not “complete the attack” like you mentioned with destination-based filtering. However, it is impractical for a truly distributed attack as the source can be hundreds or thousands of hosts.
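To make the two points above concrete (that flowspec is just another NLRI, as described in the introduction, and that D/RTBH drops everything to the victim while flowspec can match a single protocol and port), here is an added example that is not from the podcast or from Juniper. It encodes RFC 5575 flowspec NLRI components and the traffic-rate extended community by hand, then evaluates two rules against a constructed set of flows: one rule equivalent to a destination blackhole and one that matches only the UDP/53 flood. The victim address, attack sources and the sample flows are constructed; the rule and flow classes are this example’s own, not an API of any router or library.

```python
"""Encode RFC 5575 flowspec NLRI and compare its granularity with D/RTBH.

Added example; the component layout follows RFC 5575 section 4 and the
traffic-rate community follows section 7. Sample data is constructed.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Component types from RFC 5575 section 4 (only those used here).
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DEST_PORT = 1, 2, 3, 5

# Numeric operator byte, MSB first: e a len len 0 lt gt eq
END_OF_LIST, AND, LT, GT, EQ = 0x80, 0x40, 0x04, 0x02, 0x01


def encode_prefix(ctype: int, prefix: str) -> bytes:
    """Type 1/2 component: type, prefix length in bits, minimal prefix octets."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric(ctype: int, values: List[int]) -> bytes:
    """Numeric component as a list of (operator, value) pairs joined by OR:
    each entry uses 'eq', the AND bit stays clear, the last sets end-of-list.
    The len bits select a 1-, 2- or 4-octet value."""
    out = bytes([ctype])
    for i, v in enumerate(values):
        if v < 0x100:
            ln, fmt = 0, ">B"
        elif v < 0x10000:
            ln, fmt = 1, ">H"
        else:
            ln, fmt = 2, ">I"
        op = EQ | (ln << 4)
        if i == len(values) - 1:
            op |= END_OF_LIST
        out += bytes([op]) + struct.pack(fmt, v)
    return out


def encode_nlri(components: bytes) -> bytes:
    """Prepend the NLRI length: one octet below 240, otherwise two octets
    with the top nibble set to 0xF."""
    n = len(components)
    if n < 0xF0:
        return bytes([n]) + components
    return struct.pack(">H", 0xF000 | n) + components


def traffic_rate(rate_bytes_per_sec: float, asn: int = 0) -> bytes:
    """Traffic-rate extended community (type 0x80, sub-type 0x06):
    2-octet AS then an IEEE single-precision rate; 0.0 means discard."""
    return bytes([0x80, 0x06]) + struct.pack(">Hf", asn, rate_bytes_per_sec)


@dataclass
class FlowRule:
    """Hypothetical rule object for this example: match fields are optional."""
    dst: Optional[str] = None
    src: Optional[str] = None
    protos: List[int] = field(default_factory=list)
    dports: List[int] = field(default_factory=list)

    def nlri(self) -> bytes:
        # Components must appear in ascending type order.
        body = b""
        if self.dst:
            body += encode_prefix(DEST_PREFIX, self.dst)
        if self.src:
            body += encode_prefix(SRC_PREFIX, self.src)
        if self.protos:
            body += encode_numeric(IP_PROTO, self.protos)
        if self.dports:
            body += encode_numeric(DEST_PORT, self.dports)
        return encode_nlri(body)

    def matches(self, flow: Dict) -> bool:
        addr = ipaddress.IPv4Address
        if self.dst and addr(flow["dst"]) not in ipaddress.IPv4Network(self.dst):
            return False
        if self.src and addr(flow["src"]) not in ipaddress.IPv4Network(self.src):
            return False
        if self.protos and flow["proto"] not in self.protos:
            return False
        if self.dports and flow["dport"] not in self.dports:
            return False
        return True


VICTIM = "192.0.2.10/32"  # constructed victim address
# D/RTBH equivalent: anything to the victim is discarded.
RTBH_RULE = FlowRule(dst=VICTIM)
# Flowspec rule for a UDP/53 reflection flood against the same host.
FLOWSPEC_RULE = FlowRule(dst=VICTIM, protos=[17], dports=[53])
DISCARD = traffic_rate(0.0)

# Constructed sample flows: two attack sources and one legitimate HTTPS client.
FLOWS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": 17, "dport": 53},
    {"src": "203.0.113.99", "dst": "192.0.2.10", "proto": 17, "dport": 53},
    {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": 6, "dport": 443},
]


def dropped_sources(rule: FlowRule) -> List[str]:
    """Sources whose traffic the rule would discard."""
    return [f["src"] for f in FLOWS if rule.matches(f)]


if __name__ == "__main__":
    print("RTBH-equivalent NLRI:", RTBH_RULE.nlri().hex())
    print("flowspec NLRI:       ", FLOWSPEC_RULE.nlri().hex())
    print("action (discard):    ", DISCARD.hex())
    print("RTBH drops:", dropped_sources(RTBH_RULE))
    print("flowspec drops:", dropped_sources(FLOWSPEC_RULE))
```

The RTBH-equivalent rule drops the HTTPS client along with the flood, which is the "completes the attack" problem from Section 1; the flowspec rule leaves it alone because protocol and port are part of the NLRI. In a real deployment the NLRI and the extended community would go into a BGP UPDATE for SAFI 133 from a controller or a mitigation box, and the edge routers would install the match as a filter.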
Section 2 – Introducing BGP Flowspec For DoS Mitigation
* What is BGP flowspec?