BGP Flowspec as a tool for mitigating Distributed Denial of Service (DDoS) attacks


DDoS attacks are increasing in frequency and complexity, leading organizations to seek better protection methods. BGP Flowspec, an extension of BGP, allows network operators to dynamically filter traffic at the network edge by propagating traffic filtering rules within BGP update messages. However, operators need to test thoroughly and follow best practices before deploying BGP Flowspec to avoid some common mistakes. This blog will highlight some of these best practices.


Distributed Denial of Service (DDoS) attacks remain a persistent and evolving menace to organizations of all sizes. These attacks can disrupt business operations, leading to substantial financial losses, reputational damage, and service downtime. For network operators, mitigating these attacks can be a complex and time-consuming process.

One potential solution lies in BGP Flowspec, a protocol that allows network operators to dynamically filter traffic at the network edge. BGP Flowspec, an extension of the Border Gateway Protocol (BGP), enables the propagation of traffic filtering rules within BGP update messages. This allows for fine-grained control over traffic flows, providing network operators with the ability to rapidly and precisely block malicious traffic associated with DDoS attacks.

Those who have followed me for a while may be aware I am a big proponent of BGP Flowspec. I’ve published a short book, Day One: Deploying BGP Flowspec, detailing how to configure it on Juniper devices. At a few recent industry events, I delivered a talk entitled “BGP Flowspec Doesn't Suck. We're Just Using it Wrong.” I truly believe that BGP Flowspec can be a big help to operators in blocking these attacks. Like most things in IT, BGP Flowspec does not come without drawbacks and must be implemented properly. In this blog, I’ll give a refresher on BGP Flowspec and why I believe more operators should test and adopt the technology. 

DDoS Trends

Current industry reports from leading cybersecurity firms such as Akamai and Cloudflare show that DDoS attacks are increasing in frequency and complexity. This means the need to protect the network continues to increase with each passing year. Installing DDoS mitigation appliances inline on all your network paths is a very expensive way to scale your protection. As a result, more organizations are turning to cloud-based mitigation services and moving away from traditional appliance-based solutions.

Working for a network observability company that analyzes the global BGP table has its perks; we can actually see when an organization activates a cloud-based scrubbing service by looking at the changes in the BGP table. For example, in this visualization, you can see how Intrado Life & Safety (ASN 36329), which uses AT&T (ASN 7018) as its upstream provider, swings its traffic over to Neustar (ASN 19905) to mitigate an attack.


The area shaded in green is the normal routing of traffic through AT&T during peacetime. The area shaded in purple represents the route being advertised upstream to Neustar during the attack so that cloud-based mitigation can take place.

BGP Flowspec: A Quick Refresher

Let’s start with a quick refresher on how BGP Flowspec works. BGP Flowspec adds a new NLRI (Network Layer Reachability Information) that allows the operator to specify very detailed parameters for the type of attack they wish to mitigate. Here is a list of the possible parameters that can be specified:

Type 1 - Destination prefix
Type 2 - Source prefix
Type 3 - IP protocol
Type 4 - Port
Type 5 - Destination port
Type 6 - Source port
Type 7 - ICMP type
Type 8 - ICMP code
Type 9 - TCP flags
Type 10 - Packet length
Type 11 - DSCP (Diffserv Code Point)
Type 12 - Fragment

As you can see, the details of what you can match on are very similar to what is available in an interface filter, what some vendors call an access list.

Once you have signaled what traffic you want to match on, you must tell the router what to do with that traffic. This is done by attaching extended communities to the announced BGP NLRI. Here is a table of those options:

Type      Extended Community    Encoding
0x8006    traffic-rate          2-byte as#, 4-byte float
0x8007    traffic-action        bitmask
0x8008    redirect              6-byte Route Target
0x8009    traffic-marking       DSCP value

For more details, check out the IETF’s RFC 8955.
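As an added example (not code from the original post), here is how the traffic-rate and traffic-marking extended communities from the table above are laid out on the wire per RFC 8955: a 2-byte type, then a 2-byte AS number and a 4-byte IEEE 754 float for traffic-rate, or a DSCP value in the low 6 bits for traffic-marking. The AS numbers and rates used are constructed sample values.

```python
import struct

TRAFFIC_RATE_TYPE = 0x8006     # RFC 8955 traffic-rate (bytes per second)
TRAFFIC_MARKING_TYPE = 0x8009  # RFC 8955 traffic-marking (DSCP rewrite)


def encode_traffic_rate(asn: int, rate_bytes_per_sec: float) -> bytes:
    """Build the 8-byte traffic-rate extended community.

    Layout: 2-byte type (0x8006), 2-byte AS number, 4-byte IEEE 754 float.
    A rate of 0 tells the router to discard all matching traffic, which is
    the usual way a Flowspec rule expresses a plain drop.
    """
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("traffic-rate carries a 2-byte AS number")
    if rate_bytes_per_sec < 0:
        raise ValueError("rate must be non-negative")
    return struct.pack("!HHf", TRAFFIC_RATE_TYPE, asn, rate_bytes_per_sec)


def encode_traffic_marking(dscp: int) -> bytes:
    """Build the 8-byte traffic-marking extended community; the DSCP sits in
    the 6 least significant bits of the 6-byte value field."""
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP is a 6-bit value")
    return struct.pack("!H", TRAFFIC_MARKING_TYPE) + bytes(5) + bytes([dscp])


def decode_extended_community(ec: bytes) -> dict:
    """Interpret one 8-byte extended community as a Flowspec action."""
    if len(ec) != 8:
        raise ValueError("an extended community is exactly 8 bytes")
    ec_type = struct.unpack("!H", ec[:2])[0]
    if ec_type == TRAFFIC_RATE_TYPE:
        asn, rate = struct.unpack("!Hf", ec[2:])
        return {"action": "traffic-rate", "asn": asn, "rate": rate,
                "discard": rate == 0.0}
    if ec_type == TRAFFIC_MARKING_TYPE:
        return {"action": "traffic-marking", "dscp": ec[7] & 0x3F}
    return {"action": "unknown", "type": ec_type}


if __name__ == "__main__":
    # Constructed sample: AS 64496 asks for a drop, then a 1 MB/s police rate.
    print(decode_extended_community(encode_traffic_rate(64496, 0.0)))
    print(decode_extended_community(encode_traffic_rate(64496, 1000000.0)))
```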

Adoption rates

BGP Flowspec has great potential for mitigating DDoS attacks, but its adoption rate across organizations is varied. It’s 2025, so of course, we are going to use AI and ask ChatGPT what it knows about BGP Flowspec adoption rates:


All kidding aside, it is difficult to obtain accurate data on adoption rates because most organizations implement it without publicity. It is evident that interest in and adoption of BGP Flowspec is increasing. This is based on anecdotal evidence from conversations with numerous customers who are either using it or testing it before deployment. Despite this growth, adoption rates remain lower than anticipated when the IETF ratified the foundational RFC years ago.

Best Practices for Safe Adoption

BGP Flowspec, like any powerful technology, can have negative consequences if not deployed correctly. Many network engineers have a negative impression of BGP Flowspec due to several well-known outages caused by its misuse, including the 2020 CenturyLink outage and the 2013 Cloudflare outage.

The potential risks associated with BGP Flowspec should not deter organizations from leveraging its capabilities. Safe adoption can be achieved through careful and deliberate implementation, coupled with adherence to best practices. These best practices include thorough testing, continuous monitoring, and policy adjustments.

Forwarding performance should be tested with a variety of BGP Flowspec rules, and rules should be deployed cautiously, because most line-card ASICs have limited resources for this kind of filter. As the number of prefixes increases, these resources become depleted, impacting the ASICs' ability to forward packets at line rate. More complex matching criteria in the NLRI also consume more ASIC resources.

The filtering resulting from BGP Flowspec rule processing occurs as a forwarding table filter, applying to all device interfaces. Some vendors allow configurations to exclude specific interfaces, which may be useful to prevent loss of device access when the filter is applied, for example on a management interface.

Strict control over the types of BGP Flowspec rules advertised to routers is crucial. The Cloudflare outage mentioned earlier stemmed from advertising a rule that matched packets with sizes from 99,971 to 99,985 bytes. This caused their Juniper line cards to malfunction and drop all traffic. The astute reader will quickly realize a packet that size is not possible even with jumbo frames configured. While the router's reaction was not ideal, in hindsight Cloudflare should have implemented sanity checks in their automation platform to ensure reasonable packet sizes. That is the lesson we as network professionals can take away from this outage.
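One way to put that lesson into an automation platform, as an added example that is not code from the original post or from Cloudflare: validate every rule before it is advertised, rejecting packet-length ranges that exceed what an IP packet can carry, ports and protocols outside their numeric space, and destination prefixes outside the operator's own address space. The protected prefix, the jumbo-frame ceiling and the rule dictionary format are assumptions made for this example.

```python
import ipaddress

# Assumed operator policy for this example (constructed values, not from the post).
PROTECTED_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]
MAX_IP_PACKET_LEN = 65535   # largest IPv4 total length the packet-length match can see
MAX_REASONABLE_LEN = 9216   # assumed jumbo-frame ceiling on the operator's network


def _check_range(name, rng, upper, errors):
    """Append an error unless rng is an ordered (lo, hi) pair within 0..upper."""
    lo, hi = rng
    if not (0 <= lo <= hi <= upper):
        errors.append(f"{name} range {lo}-{hi} is outside 0-{upper}")


def validate_flowspec_rule(rule: dict) -> list:
    """Return a list of problems; an empty list means the rule may be advertised.

    rule keys (all optional except dst_prefix): dst_prefix, protocol,
    port, dst_port, src_port, packet_length, each range given as (lo, hi).
    """
    errors = []
    dst = rule.get("dst_prefix")
    if dst is None:
        errors.append("rule has no destination prefix")
    else:
        try:
            net = ipaddress.ip_network(dst, strict=True)
            inside = any(net.subnet_of(p) for p in PROTECTED_PREFIXES
                         if p.version == net.version)
            if not inside:
                errors.append(f"{dst} is not inside a protected prefix")
        except ValueError as exc:
            errors.append(f"bad destination prefix {dst}: {exc}")
    if "protocol" in rule:
        _check_range("protocol", rule["protocol"], 255, errors)
    for key in ("port", "dst_port", "src_port"):
        if key in rule:
            _check_range(key, rule[key], 65535, errors)
    if "packet_length" in rule:
        _check_range("packet_length", rule["packet_length"], MAX_IP_PACKET_LEN, errors)
        lo, hi = rule["packet_length"]
        if hi > MAX_REASONABLE_LEN:
            errors.append(f"packet_length {lo}-{hi} exceeds jumbo-frame size "
                          f"{MAX_REASONABLE_LEN}")
    return errors
```

A rule shaped like the one from the Cloudflare incident (packet length 99,971 to 99,985) fails both packet-length checks here, while a rule that drops UDP/53 to a protected /32 at ordinary packet sizes passes.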

Staying Current

BGP Flowspec is a powerful tool in the fight against DDoS attacks, and staying up-to-date on the latest developments from the IETF and Inter-Domain Routing Group (IDR) is essential for any organization looking to implement effective DDoS mitigation strategies. You can follow their mailing list here. As the threat landscape continues to evolve, BGP Flowspec offers a beacon of hope for those seeking robust defense mechanisms.

By understanding BGP Flowspec's capabilities, adopting industry best practices, and remaining informed on the latest advancements, we can work together to build a stronger, more resilient internet. If you are considering deploying it and have questions, feel free to reach out to me, and I will be happy to answer any questions I can.
