With the rapid development of the Internet, more and more companies have put their services online. While the Internet makes people's lives more convenient, securing it has become an increasingly severe challenge. Distributed denial-of-service (DDoS) is one of the most common types of cyberattack. It paralyzes the target network, disrupts services, and causes direct financial damage by exhausting the egress bandwidth and degrading server performance. NSFOCUS's anti-DDoS solution has been widely adopted by telecom carriers, financial companies, Internet service providers (ISPs), and small and medium-sized businesses (SMBs), which in turn lets the company gain insight into customer requirements, thoroughly understand various business scenarios, and keep innovating. In August 2017, NSFOCUS introduced an innovative concept of integrating BGP FlowSpec into ADS, injecting new life into DDoS protection.
Background of BGP FlowSpec
Modern routers can not only forward traffic but also classify, rate-limit, filter, and redirect packets. The latter capabilities are of great significance to DDoS mitigation. RFC 5575 defines a general procedure for encoding flow specification (FlowSpec) rules, carrying them as additional BGP route information so that routers can rate-limit, filter, and redirect matching packets.
By extending routing information with FlowSpec, the routing system can take advantage of the access control list (ACL) or firewall capabilities in the router's forwarding path, making it possible to filter out DDoS attack packets quickly. A FlowSpec rule can be seen as a more specific routing entry under a unicast prefix, and its validation is expected to depend on the existing unicast routing information.
FlowSpec defines 12 components, including the 5-tuple of a flow (source/destination IP address, source/destination port, and protocol). Together they meet the requirements of various flow control and handling scenarios and provide a flexible and efficient method for DDoS mitigation.
FlowSpec defines a flow based on the following components:
- Destination prefix: destination address/prefix of a packet
- Destination port number: destination port of a TCP/UDP packet
- DSCP number: quality of service (QoS) type of a packet
- Fragment type: fragmentation flags of a packet
- ICMP code number: code of an ICMP packet
- ICMP type number: type of an ICMP packet
- Packet length number: total length of an IP packet
- Port number: number of a source or destination TCP/UDP port
- Protocol number: number of a protocol
- Source prefix: source address/prefix of a packet
- Source port number: source port of a TCP/UDP packet
- TCP flag type: flag bit of a TCP packet
Defects of Traditional Anti-DDoS Solutions
Traditional anti-DDoS solutions fall into two types: one deploys a dedicated anti-DDoS product to filter and clean attack traffic, and the other uses a firewall or routing device to suppress the rate of massive traffic. The following table compares the two types of solutions.
| Solution | Deployment | Advantages | Disadvantages |
|---|---|---|---|
| Dedicated anti-DDoS device | The protection device is deployed at the network perimeter. Service traffic is diverted to this device for cleaning before being injected back into the network. | Designed specifically for DDoS mitigation, this solution is capable enough to combat various DDoS attacks. While filtering out attack traffic, it ensures business continuity. | If deployed on massive-traffic nodes, the device can be very expensive in terms of capacity expansion. |
| Route-based traffic suppression | This solution drops or rate-limits attack traffic via null routes or ACLs. | It saves the cost of purchasing protection devices. | Null routing can significantly affect normal services. Besides, ACLs are difficult to maintain. |
The comparison shows that each solution has its own disadvantages. Our goal is to minimize those disadvantages and their impact. Given that the cleaning capacity of any protection device is limited, our first consideration is to make full use of the product's capacity and reduce capacity expansion costs as far as possible. Suppressing traffic via null routes, on the other hand, is like sacrificing the knights to save the king: it has a significant impact on normal services. Therefore, we consider separating attack traffic from service traffic, in a bid to suppress the former while allowing the latter to pass.
What BGP FlowSpec Can Do Today
According to the DDoS attack trend reports released by NSFOCUS in the last two years, both the frequency and peak bandwidth of DDoS attacks have increased rapidly. To assure service security, we can leave nothing to chance. A DDoS protection system can never be built overnight. While making unremitting efforts to optimize product functions and innovate in algorithms, NSFOCUS keeps improving its protection solutions and presenting novel protection ideas and suggestions, thanks to an R&D team that always thinks outside the box.
For DDoS protection, no matter what innovative solution and technique are adopted, on-premises anti-DDoS devices are must-haves, for three reasons:
(1) local protection is in customers’ best interest in the long run considering frequent low-volume attacks;
(2) cloud protection is less controllable and related policies are hardly customizable, thus delivering a poor security experience;
(3) policies should be able to be adapted to different botnet attacks and local protection is more efficient.
With this taken into consideration, NSFOCUS's anti-DDoS solution incorporates BGP FlowSpec into protection devices and routing devices. Without extra hardware and service costs, it uses the analysis data collected from the detection device to create BGP FlowSpec policies, making full use of device resources and cutting the large capacity expansion costs that would otherwise be required.
In terms of traffic suppression, BGP FlowSpec supports 12 components, including the 5-tuple. Policies are finer-grained, which significantly reduces the extensive false positives caused by null routing. For example, a policy can be configured to drop only TCP traffic destined for 10.10.10.1 from port 5534. This reduces the impact on legitimate traffic during cleaning to the greatest extent, thereby ensuring service continuity. In terms of traffic diversion, traditional diversion techniques divert traffic based only on destination IP addresses: all traffic destined for an IP address is diverted to the protection device for cleaning and then injected back into the network. With BGP FlowSpec, a security device can divert only protocol-specific traffic destined for an IP address. For example, if a policy is configured to divert only TCP traffic destined for 192.168.12.1, UDP traffic destined for 192.168.12.1 is forwarded along the original route. This reduces the consumption of the device's resources so that it can serve more protection objects at the maximum speed allowed.
In addition, implementation of BGP FlowSpec allows for more flexible control of routes, traffic, and ACLs, cuts down policy maintenance costs, and improves the O&M efficiency.
What BGP FlowSpec Can Do Tomorrow
As mentioned above, when the rate of DDoS attack traffic exceeds the egress bandwidth, normal protection fails. In this context, enterprises and IDCs need to collaborate with upstream carriers to remotely suppress the rate of massive traffic before filtering out attack traffic. Currently, the traffic suppression solutions provided by carriers are largely empirical, because they are developed mainly from carriers' own experience. Not surprisingly, such solutions are not flexible enough to meet custom policy configuration and maintenance requirements. Predictably, once carriers can provide flexible policies for enterprises and IDCs, allowing child-node users to update their routing policies within their destination IP range via BGP FlowSpec, the egress bandwidth congestion problem will be effectively resolved. As a result, DDoS attacks will be responded to and mitigated more promptly. With custom routing policies that fit business requirements well, customers will be better protected from DDoS attacks.
Combining BGP FlowSpec with anti-DDoS devices is a brand-new tactic in which carriers at home and abroad are showing great interest. With its wide range of components and security features, BGP FlowSpec will be a boon to carriers, IDCs, and enterprises. Implementing it does not require a huge investment, but it can bring substantial benefits to networks and security. Unfortunately, only a limited number of routers from Juniper and Cisco currently support the BGP FlowSpec function, leaving the wide adoption of anti-DDoS solutions incorporating BGP FlowSpec up in the air.