NANOG Meeting Presentation Abstract

Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec
Meeting: NANOG58
Date / Time: 2013-06-05 12:00pm - 12:30pm
This item is webcast
Room: Crescent City Ballroom
Presenters:

Leonardo Serodio, Alcatel-Lucent

Leonardo Serodio is a network security specialist at the IP Consulting Engineering group in Alcatel-Lucent, where he is responsible for designing networking solutions with the Alcatel-Lucent IP portfolio, including the DDoS mitigation appliance embedded into the ALU router product line. Leonardo has extensive experience in the ISP and Telecom industry, having worked for over 15 years with large Carriers in the Americas, Asia and Europe. Prior to joining ALU, Leonardo worked at Arbor Networks where he was responsible for conducting performance, solution and functionality lab research with Arbor’s Peakflow product line.
Abstract: The BGP Flow Specification described in RFC 5575 defines a new BGP Network Layer Reachability Information (NLRI) format that can be used to distribute traffic flow specification rules. The flowspec matching criteria applied to IP traffic include source and destination prefix, IP protocol, source and destination port numbers, TCP flags, and other packet fields. RFC 5575 itself describes an application of flowspec to automate the distribution of traffic filtering rules from a single point of control for the mitigation of DDoS attacks. This flowspec application has been implemented in routers and mitigation appliances, and is a valuable tool used today in the protection of network resources against DDoS attacks.
Nevertheless, with the rise of more sophisticated application-layer DDoS attacks, a significant portion of DDoS attacks cannot be effectively mitigated by L3/L4 traffic filtering rules alone, and require a more sophisticated DPI-capable DDoS mitigation appliance that can detect and filter attacks at the application layer. These application-layer DDoS mitigation appliances capable of performing “surgical mitigations” are usually shared resources that require the diversion of attack traffic to designated locations where this traffic can be scrubbed and reinjected into the network. This traffic diversion is performed using BGP prefixes (IPv4/IPv6 NLRI), and it usually requires careful planning of the route announcements in the routing domain, followed by a planned reinjection of this traffic back to its intended destination, in order to avoid loops and/or drops of legitimate traffic.
This presentation describes a solution for the “surgical diversion” of traffic to the mitigation appliance using BGP flowspec. Traffic diversion using BGP flowspec is intended to provide a traffic redirection solution that is simpler to design, less intrusive to the routing domain, and more granular in its control, ultimately making better use of the shared mitigation capacity available.
Files: Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec (PDF)
Sponsors: None.
