Flowmon

DDoS Protection tool without BGP Peering Analysis? Why not?

It is difficult to count how many times I have been involved in discussions about the role of BGP peering analysis in DDoS protection. Usually, people think of how these technologies are connected together, so I have decided to share my point of view in various scenarios.

DDoS protection is the ability to recognise an attack pattern in network traffic and apply a corresponding countermeasure. This can be achieved either by analysing flow data or having an in-line appliance. In our experience, customers in Internet Service Provider and Datacenter segment tend to use a flow-based approach due to price efficiency and general availability of flow data in their environment. Contrary to the in-line approach it is not invasive and offers much easier deployment. All we have to do is to take flow data from routers, collect them, baseline and detect attack patterns. The next step is to take action to dispose of the attack traffic or at least to mitigate the impact. We will go through different scenarios of DDoS attack mitigation and see if and how BGP peering analysis is related. A common expectation is that BGP analysis is a necessary part of a DDoS protection system so as to be truly effective.

Attack mitigation strategies using BGP injection

For attack mitigation, we have in general two different strategies: mitigate in the cloud or mitigate on premise.
 
Cloud mitigation: In this scenario I need to inform the cloud service provider that I am under attack and I want him or her to take over and mitigate on my behalf. Usually I do it by marking a specific portion of the traffic by a pre-configured community string. My routers then propagate the new routing via BGP to a cloud service provider, who starts to advertise my selected prefixes to redirect the traffic and handle the attack. This can be combined with a specific API to communicate with a cloud scrubbing centre to provide more detail about the attack, check the attack status or stop mitigation. With respect to BGP, all that I need here is BGP injection capability.
 
On premise mitigation: The main difference from cloud is that you actually have more control on what is happening as well as more options how to redirect the traffic including iBGP (assigning the next hop for specific traffic with a granularity of a single IP), BGP Flowspec (granularity up to protocol and port level; we will talk about it further) or even policy based routing without the need of using BGP. As usual, the first step is to recognise the attack pattern and redirect the respective portion to scrubbing. Again, all that I need here is BGP injection capability. As an example of on premise mitigation, you can look at how AFR-IX telecom handles DDoS attacks.

Advanced mitigation with BGP Flowspec

And now for something completely different. Modern routers can take DDoS attack countermeasures themselves if instructed properly. This refers to BGP Flowspec capability that enables you to form very detailed rules how to handle specific traffic. As an example, consider a UDP flood towards your server farm on port 123. From flow analysis you will figure out that the main target is your server in a /24 range and the major portion of that traffic originates from two specific /8 ranges. All this combined information will give you two Flowspec rules to drop traffic from the corresponding /8 source network range, destination /24 network range, protocol UDP and port 123. Now you can drop, rate the limit, mark or redirect this traffic. With respect to BGP, what you need here is support for BGP Flowspec.
 
Ideally, your DDoS protection strategy should be to automate the process described above and propose a dynamic attack pattern signature in the form of BGP Flowspec rules to handle the attack. In reality, even leading DDoS protection solutions miss this capability. Why? It is about price efficiency. They prefer to sell high capacity mitigation appliances as opposed to BGP Flowspec which handles part of the attack traffic, eliminates volumetric attacks and leaves only application layer DDoS to be handled by the mitigation appliance. It is fair to say that complex attacks cannot be handled by BGP Flowspec. We believe in an ecosystem where each component has a specific role in a DDoS protection scenario. Detection and control of the mitigation lifecycle is a job for flow-based systems supporting various BGP injection techniques, especially Flowspec. Volumetric attacks and floods should be handled by resilient infrastructure itself while application level DDoS needs specialised protection delivered via mitigation appliances. In this case, so called mitigation tiering is preferable. This means the volumetric part of the attack is to be handled by the infrastructure itself, while the rest of the attack will go through the mitigation appliance to ensure thorough scrubbing and saving capacity on the mitigation device at the same time. Even without mitigation equipment you can handle a lot; as you can see in the example of TELE-POST, Greenland’s national telecommunication provider.

There are also open-source mitigation options. One of the examples is Linux firewall iptables. The concept is well described in this blog.

The real role of BGP peering analysis

And where is the BGP peering analysis? We explained the dynamics of various DDoS protection scenarios with no need for analysing routing tables and changes happening there. BGP peering analysis is surely an important topic for the telecommunications industry. One of the major use cases is the analysis of routing stability and detection of anomalies in routing changes. But it is a different technology, usually employing different products (e.g. Route Explorer from Packet Design, now Ciena, Intelligent Routing Platform from NOCTION or BGP and Router Monitoring from ThousandEyes) or even open source tools (e.g. BGPmon) that are not part of the DDoS protection ecosystem. DDoS protection tools need to speak BGP to the extent of reading the BGP table to simplify configuration and baselining, change routing in the network or even instruct routers via Flowspec to handle the attacks directly. BGP enables a way to automatically create and update configuration for DDoS protection by fetching information from routing tables. You can find up-to-date information there about networks that should be monitored and protected, so you can avoid complex manual configuration.