Limitations and Use Cases for Using BGP Flowspec to protect against DDoS Attacks

Overview of The Role and Limitations of BGP Flowspec in DDoS Mitigation

RioRey believes that intelligent mitigation is the best defense against DDoS attacks. By design, BGP Flowspec provides specific but relatively blunt mechanisms to assist within an overall DDoS protection strategy. In general, BGP Flowspec is highly effective as a mechanism to trigger the redirection of suspected DDoS traffic to an off-ramp scrubbing device or a cloud scrubbing service.

It can also be used to implement rules-based filtering that prioritizes overall network availability, sometimes at the cost of service quality or even complete service availability for the victim IP or subnet. Because this trade-off involves sacrificing the victim IP or subnet to maintain overall network health, BGP Flowspec-based mitigation alone is not sufficient for network operators who aim to provide DDoS protection as a service to their clients.

RioRey’s recommended best practice for network operators providing DDoS protection as a service is to rely on intelligent mitigation platforms (such as our RIOS rVM and hardware) that offer built-in multi-tenant capabilities. BGP Flowspec can be used to supplement intelligent mitigation and facilitate the triggering and redirection of on-demand mitigation.


Overlap Capabilities of BGP Flowspec and DDoS Protection

BGP Flowspec enables packet-level matching at line rate on a router (subject to hardware limitations on modern routers). It may also be offered by an upstream internet provider to mitigate traffic before it reaches your network.

BGP Flowspec can match packets based on:

  • Source and destination IP

  • Port

  • Packet type (TCP, UDP, ICMP)

  • Flags (SYN, ACK, RST, etc.)

  • Packet length

BGP Flowspec does not apply value judgments; an external system must determine which rules should be applied.

Actions Available within BGP

  • Drop packets

  • Redirect packets

  • Rate-limit traffic (drop packets at random once a set threshold is exceeded)

Limitations of Flowspec-Based Mitigation

Operational Limitations, and Hardware or Rule Scalability Constraints

Implementation of BGP FlowSpec is very vendor dependent. Even within a single vendor’s offerings, the actual capabilities may vary by model or software version, making it very challenging to build mitigation actions that can be easily deployed across your entire network. 

The amount of available resources on each line card’s ASIC can vary greatly, so the individual performance of each card must be considered when deploying Flowspec rules across a network. More complex rules also consume more resources. Users must be careful not to overload their line cards and cause a situation where they can no longer forward packets at line rate.

There are also a number of operational limitations that must be considered when implementing BGP Flowspec rules. BGP Flowspec may require other capabilities to be disabled, particularly when dealing with IPv6 traffic. This may not be viable if those capabilities are required, which can limit whether Flowspec can be deployed at all.

There can be non-obvious interdependencies that cause unexpected behavior and are difficult to debug; for example, announcing one rule can cause a previously installed, different rule to become ineffective on a system.

Different vendors enforce different validation checks, which can also cause unexpected behaviors such as correctly built rules being rejected. For example, the Cisco ASR9k applies additional validation rules that can cause implementation difficulties.

Depending upon the router/system, there may be limited or no reporting with regard to BGP Flowspec filtering. This not only removes visibility into the volume of traffic being filtered but can also impair operational ability.

As an example, the number of Flowspec rules supported in hardware is limited. Mitigating an attack may require a new rule to be installed, which in turn may require a previous rule to be removed, yet there may be no way to determine which rule is the best one to remove. There may also be a performance impact as more rules are added. This complicates the practice of rapidly responding to DDoS attack pivots on your own network, and it can be particularly challenging when attempting to utilize communities or rules made available by your upstream ISPs.

Lack of Contextual Packet Analysis

Due to the restrictions on matching criteria, BGP Flowspec is limited in the types of attacks it can mitigate. Attacks can only be mitigated if their packets exhibit clear distinguishing characteristics within the available fields. However, attackers have full control over these fields and can modify them dynamically. This ability for attackers to pivot and modify attacks creates the need for Flowspec blocking rules to be modified in real-time. These reactive modifications must be made by skilled staff, or by an external monitoring system that automatically generates rules. Regardless, the result is a reactive solution with slower response times to attacker pivots.

Risk of Collateral Damage

Even in a best-case scenario in a well-managed network, with excellent staff or tooling generating rules, BGP Flowspec cannot distinguish malicious packets from legitimate ones if both share similar characteristics (e.g., legitimate vs. malicious SYN packets). Blocking such packets based purely on metadata could inadvertently cause service outages and other “collateral damage” in the form of good packets being dropped.

Because of the lack of precise control over what individual packets are dropped, Flowspec-based mitigation is best suited for cases where certain services or customers are deemed sacrificial—possibly as the lowest tier of a DDoS protection offering where mitigation is best-effort, and some impact on legitimate traffic is expected.

Usefulness of BGP Flowspec

Traffic Redirection to Scrubbing Facilities

Flowspec is highly effective at redirecting suspicious traffic to specialized mitigation platforms (off-ramp scrubbing devices or cloud-based services). This targeted redirection minimizes false positives, reducing disruption to legitimate users.

Scalability and Economical Mitigation

Redirecting only suspicious traffic through intelligent mitigation systems allows network operators to economically scale mitigation infrastructure by not protecting all network ingress points with in-line filtering.

Why Does RioRey Provide Flowspec Capabilities in Director?

Despite its limitations as a mitigation technique, Flowspec excels at applying network changes that impact only a single customer or service. It is an effective tool for redirecting mixed good and bad ("suspicious") traffic to off-ramp mitigation devices. This surgical redirection reduces false positives and enables cost-effective on-site mitigation.

Flowspec mitigation can also serve as a brute-force tool within a broader mitigation strategy. The ability to temporarily blackhole a service upstream can help protect other services during massive attack scenarios.


Specific Mitigation Methods and Advantages of RIOS vs BGP Flowspec Rule-based Filtering

Flow-Based Filtering

The algorithms in RioRey’s RIOS use "intelligent filtering", where the decision to forward or drop is made on a packet-by-packet basis. This means that two packets of the same type (TCP SYN, for example), where one is "good" and the other is part of an attack, will be treated differently: the first is forwarded and the second dropped. BGP Flowspec has no such capability. While Flowspec can match the SYN flag, blocking those packets alone would still result in service disruption. More precise per-packet decision-making is necessary.

RIOS can track up to 1,000,000 simultaneous source-destination pairs for flow-based mitigation. In contrast, many routers support only thousands of Flowspec rules. When using Flowspec from an upstream provider, observed limits are often in the tens of rules. While Flowspec can block traffic based on source prefixes, the globally distributed nature of botnets limits its effectiveness in aggregating attackers without affecting legitimate users.

Payload-Based Mitigation

RIOS can analyze packet payloads using various algorithms. Some packet sample monitors also inspect payload data, but current-generation Flowspec matchers are restricted to packet metadata analysis.

Detailed Reporting

RIOS provides detailed reporting on dropped packets, the reasons for their rejection, and full visibility into the mitigation process. In contrast, once a Flowspec rule is applied—particularly at an upstream provider—visibility is significantly reduced, making it more difficult to assess effectiveness and respond to customer inquiries.


Conclusion

While BGP Flowspec provides useful capabilities for redirecting and mitigating some forms of DDoS attacks, its limitations make it unsuitable as a standalone solution for comprehensive DDoS protection. BGP Flowspec should be viewed as a supplementary tool within a broader, more intelligent DDoS mitigation strategy. Intelligent, software-driven mitigation platforms like RIOS offer greater flexibility, accuracy, and adaptability in combating evolving DDoS threats.