DoS and DDoS attacks pose a grave threat to network security. An attacker can control thousands of devices to attack the same destination address, network segment, or a server. Such attacks cause network congestion and can even cause a server to fail to provide services due to excessive CPU usage.
Traditionally, there are two techniques for protecting the system against DoS or DDoS attacks: traffic classification and traffic redirection. However, the techniques have defects, as listed below.
| Preventative Technique | Technique Description | Defects |
|---|---|---|
| Traffic classification | Traffic filtering rules and quality of service (QoS) policies are configured to reduce DoS and DDoS attacks on the network. | The technique has the following defects: |
| Traffic redirection | The next hop of the route destined for the attack target is modified based on a routing policy. | The technique has the following defects: |
The device configured with BGP Flow Specification sends a BGP Flow Specification route carrying a filtering rule to its BGP Flow Specification peers, so that traffic that consumes a lot of network resources or is aimed at attacking servers can be filtered or controlled on those peers. Compared with the traditional techniques, BGP Flow Specification:
- Improves information maintainability by using BGP Network Layer Reachability Information (NLRI) defined in standard protocols to transmit traffic filtering information. This keeps the transmission of traffic filtering information separate from that of routing information.
- Allows more specific traffic filtering rules through various if-match clauses.
BGP Flow Specification supports BGP public-network Flow Specification, BGP VPN Flow Specification, and BGP VPNv4 Flow Specification.
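To make the NLRI-based filtering rule concrete, here is an added example (not code from this page or any vendor) that encodes a Flow Specification NLRI per RFC 8955 for "UDP traffic to 192.0.2.0/24 port 53", together with the traffic-rate extended community whose rate of 0 tells peers to discard matching traffic. The prefix, port list and ASN 64512 are constructed sample values; the component type numbers and operator bit layout are those defined in RFC 8955.

```python
"""Encode a BGP Flow Specification (RFC 8955) NLRI and traffic-rate action.
Sample prefix, ports and ASN below are constructed values, not real targets."""
import ipaddress
import struct

# Component types (RFC 8955 section 4.2); components must appear in ascending type order
DST_PREFIX, IP_PROTO, DST_PORT = 1, 3, 5
# Numeric operator byte: e(bit7) a(bit6) len(bits5-4) 0 lt gt eq
END_OF_LIST, LEN_2_OCTETS, EQ = 0x80, 0x10, 0x01


def prefix_component(kind, prefix):
    """Type 1/2 component: type, prefix length, then only the significant octets."""
    net = ipaddress.ip_network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([kind, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric_eq_component(kind, values):
    """Match any value in `values` (an OR list of EQ operators).
    The last operator carries the end-of-list bit so the receiver knows where
    the component stops; values above 255 use a 2-octet encoding."""
    out = bytearray([kind])
    for i, v in enumerate(values):
        op = EQ | (END_OF_LIST if i == len(values) - 1 else 0)
        if v < 256:
            out += bytes([op, v])                       # len bits 00 = 1 octet
        else:
            out += bytes([op | LEN_2_OCTETS]) + v.to_bytes(2, "big")
    return bytes(out)


def flowspec_nlri(*components):
    """NLRI = length prefix (1 octet below 240, else 0xFnnn in 2 octets) + components."""
    body = b"".join(components)
    length = bytes([len(body)]) if len(body) < 240 else struct.pack(">H", 0xF000 | len(body))
    return length + body


def traffic_rate_ext_community(asn, rate_bytes_per_sec):
    """Extended community type 0x80 subtype 0x06: 2-octet ASN + IEEE float rate.
    A rate of 0.0 instructs the peer to discard matching traffic."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


def build_drop_rule(dst_prefix, proto, ports, asn=64512):
    """Return (NLRI, extended community) for a discard rule on the given flow."""
    nlri = flowspec_nlri(prefix_component(DST_PREFIX, dst_prefix),
                         numeric_eq_component(IP_PROTO, [proto]),
                         numeric_eq_component(DST_PORT, ports))
    return nlri, traffic_rate_ext_community(asn, 0.0)
```

Feeding the returned NLRI and extended community into an MP_REACH_NLRI update (AFI 1, SAFI 133) is what a route server or scrubbing controller would do to push the rule to peers.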
BGP Flow Specification offers the following benefits:
- Monitors the network in real time: Traffic is sampled periodically, and a specified action is taken immediately to block attack traffic.
- Offers attack prevention defense: Traffic policies are configured manually based on common characteristics of attack traffic.
- Lowers the cost: A traffic policy does not need to be created on every device, which improves maintainability at lower cost.
- Minimizes the attack scope: BGP Flow Specification routes can be transmitted between autonomous systems (ASs), so attack traffic can be filtered out or controlled on the devices nearest to the attack sources.
