[c-nsp] BGP flowspec S/RTBH for large DDoS

Roland Dobbins rdobbins at arbor.net
Sun May 15 18:48:55 EDT 2016


On 16 May 2016, at 2:01, Satish Patel wrote:

> And they said BGP flowspec S/RTBH isn't useful for a large number of 
> attack sources.

Wrong.

> We are sometimes getting a 20G DDoS on a link, and it has many, many 
> sources. Does S/RTBH with flowspec mitigate them?

S/RTBH and flowspec are two different things.

S/RTBH drops traffic based upon source or destination IP address.  All 
traffic from/to the IP address in question.  You must enumerate the 
attack sources, and do some script-fu to keep up with what's being 
dropped, and what shouldn't be dropped any more.  The number of sources you 
can drop this way is basically limited by your FIB (including all the 
other entries you have, of course).

> is there any limit of flowspec?

Of course.  flowspec allows you to push ACL stanzas via BGP to your 
edges.  The number of stanzas you can push depends upon the hardware 
platform you're using.  A Cisco ASR9K w/Typhoon-based linecards can 
handle about 4K stanzas per ASIC by default, for example.  You don't 
typically block sources with flowspec; instead, you push network access 
policies.

They can be used together.  Push network policies to screen 
out-of-policy traffic at your edges, then use S/RTBH to drop attack 
sources which are in-policy.

Why don't you just enable both of these functions, and play around with 
them?  That will give you an idea of how best you can use each one.

-----------------------------------
Roland Dobbins <rdobbins at arbor.net>
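The "script-fu" side of S/RTBH that the reply above describes, as an added example that is not part of the original post or of any vendor tool: enumerate attack sources from flow records, announce /32 blackholes for those above a per-source rate threshold, age them out once they go quiet, and refuse to exceed a fixed FIB budget so the blackhole table cannot crowd out the rest of the routing table. Flow records, the victim and source addresses (RFC 5737 ranges), the threshold, hold-down and budget values are all constructed; the announcement text is written in ExaBGP-style syntax with 192.0.2.1 assumed to be the discard next-hop, and 65535:666 is the well-known BLACKHOLE community from RFC 7999.

```python
"""S/RTBH bookkeeping: track attack sources from flow records, announce and
withdraw /32 blackholes, enforce a FIB budget.  Added example, not code from
the mailing-list post; all addresses, rates and flow records are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # seconds since epoch (constructed values below)
    src: str
    dst: str
    octets: int


class SRTBHManager:
    def __init__(self, victim, threshold_bps, window_s, hold_down_s, fib_budget,
                 next_hop="192.0.2.1", community="65535:666"):
        self.victim = victim              # destination under attack
        self.threshold_bps = threshold_bps  # per-source rate that qualifies for a blackhole
        self.window_s = window_s          # measurement window for flow aggregation
        self.hold_down_s = hold_down_s    # withdraw a source after this long without hits
        self.fib_budget = fib_budget      # max number of /32 blackholes we are allowed to hold
        self.next_hop = next_hop          # assumed discard next-hop (routes to Null0 on the edge)
        self.community = community        # RFC 7999 BLACKHOLE community
        self.blackholed = {}              # src -> timestamp it last exceeded the threshold
        self.skipped = []                 # hot sources that did not fit the budget last round

    def per_source_bps(self, flows, now):
        """Bits per second toward the victim, per source, over the last window."""
        octets = defaultdict(int)
        for f in flows:
            if f.dst == self.victim and 0 <= now - f.ts <= self.window_s:
                octets[f.src] += f.octets
        return {src: o * 8 / self.window_s for src, o in octets.items()}

    def observe(self, flows, now):
        """Process one batch of flows; return (newly added, withdrawn) sources."""
        rates = self.per_source_bps(flows, now)
        # Heaviest sources first, so the FIB budget goes to the worst offenders.
        hot = sorted((s for s in rates if rates[s] >= self.threshold_bps),
                     key=lambda s: rates[s], reverse=True)
        added, skipped = [], []
        for src in hot:
            if src in self.blackholed:
                self.blackholed[src] = now            # still attacking: refresh hold-down
            elif len(self.blackholed) < self.fib_budget:
                self.blackholed[src] = now
                added.append(src)
            else:
                skipped.append(src)                   # budget exhausted: leave for flowspec policy
        # Age out sources that have been quiet for longer than the hold-down.
        withdrawn = [s for s, last in self.blackholed.items() if now - last > self.hold_down_s]
        for s in withdrawn:
            del self.blackholed[s]
        self.skipped = skipped
        return added, withdrawn

    def announce(self, src):
        return (f"announce route {src}/32 next-hop {self.next_hop} "
                f"community [{self.community}]")

    def withdraw(self, src):
        return f"withdraw route {src}/32 next-hop {self.next_hop}"


# Constructed flow records: two heavy sources, one normal client, one heavy
# source aimed at a different destination (must not be blackholed).
SAMPLE_FLOWS = [
    Flow(2.0, "198.51.100.1", "203.0.113.10", 5_000_000),
    Flow(5.0, "198.51.100.1", "203.0.113.10", 5_000_000),
    Flow(3.0, "198.51.100.2", "203.0.113.10", 3_000_000),
    Flow(4.0, "198.51.100.3", "203.0.113.10", 20_000),
    Flow(6.0, "198.51.100.4", "203.0.113.99", 9_000_000),
]


def demo():
    """Run one attack round, then a quiet round that ages the entries out."""
    mgr = SRTBHManager("203.0.113.10", threshold_bps=1_000_000, window_s=10.0,
                       hold_down_s=300.0, fib_budget=4)
    added, _ = mgr.observe(SAMPLE_FLOWS, now=10.0)
    for src in added:
        print(mgr.announce(src))
    _, withdrawn = mgr.observe([], now=400.0)
    for src in withdrawn:
        print(mgr.withdraw(src))
    return added, withdrawn


if __name__ == "__main__":
    demo()
```

The budget check is the point the reply makes about FIB limits: sources that exceed the threshold but do not fit are reported in `skipped` rather than installed, which is where a network-wide flowspec policy (rate-limiting the offending protocol or port at the edges) takes over for the sources S/RTBH cannot afford to enumerate.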

