Cybersecurity best practices and DDoS defence strategies
In traditional DDoS mitigation methods, such as remotely-triggered black hole (RTBH), a BGP (Border Gateway Protocol) route is injected, advertising the IP address of an under-attack server tagged with a specific community. This specific community on the border routers sets the next hop to discard/null, which subsequently drops all the affected traffic before it enters the network it was originally bound for. While this method prevents DDoS traffic from overwhelming the targeted network, the obvious downside is that the server is thus rendered unreachable even for legitimate traffic.
BGP Flow Specification (Flowspec), however, is a more granular alternative to RTBH that allows you to rapidly deploy and propagate filtering and policing across a large number of BGP peer routers to mitigate the effects of a DDoS attack on a network. By matching a particular flow on source, destination, L4 parameters and packet data such as length, fragment and so forth, Flowspec allows dynamic installation of an action at the border routers to either:
- drop traffic matching the flow specification,
- redirect traffic to a particular VRF (Virtual Route Forwarding) for further analysis, or
- police traffic at a specific defined rate.
Flowspec rules resemble access control lists (ACLs) built from class-maps and policy-maps: they provide matching criteria and traffic filtering actions, which are injected into BGP and propagated to BGP peers. To make this possible, Flowspec adds a new NLRI (Network Layer Reachability Information) type to BGP.
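The match-plus-action structure described above can be seen on the wire. The following is an added example, not Nexusguard's code: it encodes one IPv4 Flowspec NLRI and the three actions as BGP extended communities, following the RFC 8955 layout. The protected address, port, AS number 64512 and route-target value 666 are constructed sample values.

```python
import ipaddress
import struct

# Flowspec component type codes (RFC 8955, section 4.2.2)
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT = 1, 2, 3, 5

def prefix_component(ctype, cidr):
    """<type, prefix length in bits, prefix truncated to significant octets>"""
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def equals_component(ctype, value):
    """<type, numeric operator, value> for a single 'equals' match."""
    if value < 0x100:
        return bytes([ctype, 0x81, value])                  # end-of-list | eq, 1-octet value
    return bytes([ctype, 0x91]) + struct.pack("!H", value)  # same flags, 2-octet value

def flowspec_nlri(components):
    """Length-prefixed NLRI; components are ordered by ascending type."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) >= 240:
        raise ValueError("NLRI of 240+ octets needs the two-octet length form")
    return bytes([len(body)]) + body

def traffic_rate(asn, bytes_per_sec):
    """Extended community 0x8006: police to a rate; 0.0 drops the flow."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bytes_per_sec)

def redirect_to_vrf(asn, rt_value):
    """Extended community 0x8008: redirect to the VRF importing this route target."""
    return struct.pack("!BBHI", 0x80, 0x08, asn, rt_value)

def build_rule(action):
    # Constructed sample: UDP to port 53 on one protected host (documentation range)
    match = flowspec_nlri([
        equals_component(DST_PORT, 53),
        prefix_component(DST_PREFIX, "203.0.113.10/32"),
        equals_component(IP_PROTO, 17),
    ])
    return match, action

if __name__ == "__main__":
    for name, action in [("drop", traffic_rate(64512, 0.0)),
                         ("police 1 MB/s", traffic_rate(64512, 1_000_000.0)),
                         ("redirect", redirect_to_vrf(64512, 666))]:
        nlri, community = build_rule(action)
        print(f"{name:14} nlri={nlri.hex()} action={community.hex()}")
```

Unlike an RTBH route, which carries only the victim prefix, the NLRI here carries the protocol and port as well, so traffic to the same host that does not match stays untouched.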
Upon detecting malicious attempts, Nexusguard’s DDoS mitigation platform automatically generates alarms and initiates the process according to a built-in filter-based security profile to detect and analyze threats. With Flowspec now deployed, Nexusguard ensures that service provider networks stay healthy by mitigating large volumetric DDoS attacks more effectively to avert backbone and downstream congestion.
The deployment and propagation of mitigation filters to BGP peer routers is a fully automated process, enabling DDoS attacks to be mitigated quickly and efficiently.
Featuring integrated dashboard and tabulated analytics, Nexusguard’s Portal allows customers to monitor and configure mitigation settings and results.
- Monitor BGP status
- Monitor traffic dropped/rate limited by Flowspec policies
Nexusguard supports the configuration and setup of two BGP router groups:
1. Nexusguard Origin Protection (OP) client’s routers, which are customer-managed.
2. Communications Service Provider (CSP) routers which are managed by the CSPs’ SOC.
- Simple to configure and easy to disseminate
- Seamless integration with existing DDoS Mitigation Platforms
For more information, please read about Nexusguard’s Managed DDoS Mitigation Platform.
Incorporating BGP Flowspec into Nexusguard’s DDoS Mitigation Platform now enables CSPs to efficiently and specifically select and drop malicious traffic without impacting healthy traffic streams.