Protect your Device from DDoS using BGP: NE40M2K BGP Flow Specification

Created: Feb 17, 2020 14:59:27Latest reply: Jun 14, 2020 22:54:31 345 4 1 0 0

DoS and DDoS attacks pose a grave threat to network security. An attacker can control thousands of devices to attack the same destination address, network segment, or a server. Such attacks cause network congestion and can even cause a server to fail to provide services due to excessive CPU usage.

Traditionally, there are two techniques for protecting the system against DoS or DDoS attacks: traffic classification and traffic redirection. However, the techniques have defects, as listed below.

Preventative Technique	Technique Description	Defects
Traffic classification	Traffic filtering rules and quality of service (QoS) policies are configured to reduce DoS and DDoS attacks on the network.	The technique has the following defects: Difficult to ensure real-time deployment of traffic policies. To reduce DoS and DDoS attacks, coordination among network service providers is necessary to identify attack sources. Difficult to maintain traffic policies. Network administrators need to frequently modify traffic policies based on the characteristics of attack traffic.
Traffic redirection	The next hop of the route destined for the attack target is modified based on a routing policy. The next hop of the route is set to a blackhole, and attack traffic is discarded. The next hop of the route is set to a specified device responsible for filtering traffic to ensure proper processing of service traffic.	The technique has the following defects: The traffic filtering rule is simplistic. Only destination addresses can be used as a basis for traffic filtering. Traffic filtering information and routing information are transmitted together, which complicates maintenance.

BGP Flow Specification helps correct the preceding defects:

Improves information maintainability using BGP Network Layer Reachability Information (NLRI) defined in standard protocols to transmit traffic filtering information. This ensures separate transmission of traffic filtering information and routing information.
Allows more specific traffic filtering rules using various if-match clauses.

The device configured with BGP Flow Specification sent a BGP Flow Specification route carrying a filtering rule to BGP Flow Specification peers so that the traffic that consumes a lot of network resources or aims to attack servers can be filtered or controlled on the peers.

BGP Flow Specification supports BGP public-network Flow Specification, BGP VPN Flow Specification, and BGP VPNv4 Flow Specification

BGP Flow Specification offers the following benefits:

Monitors the network in real time: Traffic is sampled periodically, and a specified action is taken immediately to block attack traffic.
Offers attack prevention defense: Traffic policies are configured manually based on common characteristics of attack traffic.
Lowers the cost: A traffic policy does not need to be created on all devices, which improves maintainability at lower cost.
Minimizes the attack scope: BGP Flow Specification routes can be transmitted between autonomous systems (ASs) so that attack traffic can be filtered out or controlled on devices nearest to attack sources.

ne40e-m2k BGP Router DDoS