Re: BGP FlowSpec

[Hank Nussbacher <hank () efes iucc ac il>]

On 27/04/2016 18:58, John Kristoff wrote:
> On Thu, 21 Apr 2016 09:46:13 +0200
> Martin Bacher <ti14m028 () technikum-wien at> wrote:
>
> > - Intra-AS BGP FlowSpec deployment: Who is running it? For which kind
> > of attacks are you using it? Are you only dropping or rate-limiting
> > certain traffic or are you also using the redirect/remark
> > capabilities? What are the limitations from your perspective? Are you
> > facing any operational issues? How are you injecting the FlowSpec
> > routes?
> Unless you received a number of private responses, perhaps the lack of
> public responses is telling.
Geant runs a Firewall of Demand based on BGP Flowspec (Juniper
routers).  You can read more about it here:
http://www.geant.org/Networks/Network_Operations/PublishingImages/Pages/Firewall-on-Demand/Firewall%20on%20Demand%20User%20Guide.pdf
https://www.terena.org/activities/tf-csirt/meeting44/Firewall%20on%20Demand_Las_Palmas.pdf

Regards,
Hank

> I've heard of a few networks doing this and there is some public record
> of it being used, including one instance where a bad rule was behind a
> serious outage:
>
>   <https://support.cloudflare.com/hc/en-us/articles/200172446-CloudFlare-Post-Mortem-from-Outage-on-March-3-2013>
>
> > - Inter-AS: Who is running Inter-AS FlowSpec deployments? What is
> > your experience? Are there any concerns regarding Inter-AS
> > deployments? Has anyone done interop tests?
> You might mine public, archived BGP data and see if there are any
> traffic filtering rules present (they are encoded in extended
> communities, which are optional, transitive).
>
> We once tried to coordinate an Inter-AS flow-spec project, but it
> failed miserably due to lack of interest.  For posterity, here is the
> project page:
>
>   <https://www.cymru.com/jtk/misc/community-fs.html>
>
> Literally the only people who were interested in it at the time was one
> of the spec's co-authors.  :-)
>
> Since then, we have tried a more modest approach using the well known
> BGP RTBH technique:
>
>   <https://www.cymru.com/jtk/misc/utrs.html>
>
> This has been much more successful and since we've started we've
> probably had about a dozen networks express interest in flow-spec
> rules.  Verification of rules is potentially tricky, but
> widespread interest still lags in my estimation.
>
> > - How are you detecting DDoS attacks (Netflow, in-line probes, ..?)
> > and which applications are you using for the analysis (Peakflow,
> > Open-Source tools, ..?)
> Not speaking for anyone in particular, but don't forget about user
> complaints.  In some cases a network may not notice (or care) if an
> attack is below a certain threshold for their network, but above a
> stress point downstream.
>
> John