
Fortinet’s FortiDDoS Supports BGP Flowspec

By Hemant Jain | April 04, 2018


Fortinet is proud to announce that BGP Flowspec has now been incorporated into FortiDDoS. This new capability is significant because it enables Service Providers to provide an even more effective resolution for those customers impacted by a DDoS attack.

Historically, anti-DDoS solutions have used a brute-force approach to eliminate problematic Internet addresses that are directing huge volumes of traffic at a target. The challenge is that while this approach may be effective at stopping or at least slowing down an attack, it also indiscriminately removes both bad and good traffic.

A hybrid approach to addressing DDoS events is especially timely. Flowspec automates the coordination of traffic filtering by giving service providers information that identifies the specific packets to drop during a flood. Combining a cost-effective FortiDDoS at the customer premises for the first level of mitigation with a cloud-based scrubbing center for volumetric attack mitigation yields an effective and much more granular approach to DDoS mitigation.

BGP Flowspec is a recently standardized industry protocol, based on RFC 5575, that provides a number of valuable enhancements to traditional anti-DDoS technologies, such as enabling fast information exchange with the most popular Internet routers, as well as with a variety of anti-DDoS platforms. Incorporating BGP Flowspec into Fortinet’s FortiDDoS solution now enables service providers to specifically select and remove DDoS traffic without impacting healthy traffic streams.

Looking Back - The Early Days of DDoS Attack Mitigation and Destination/RTBH

In the early days of DDoS attacks, mitigation was primarily performed by designating a remotely triggered black hole (RTBH) as the destination (D/RTBH) for unwanted traffic. What this meant was that all traffic that was destined for a victim’s network prefix, regardless of its value, was announced to be discarded. A customer’s BGP peer initiated the BGP update with the prefix to be null routed. A customer’s service provider could also initiate such destination black holing. In many cases, this procedure actually served the purposes of the attackers because, one way or another, the destination was essentially removed from the Internet.

Figure 1 A typical DDoS attack to a victim
Figure 2 D/RTBH blocking all traffic to the victim at the router

Next Came the Source/RTBH

Later, a technique for source RTBH (S/RTBH) was developed. This allowed source prefixes, which were actually the attackers’ prefixes, to be black holed instead. This ensured that traffic directed towards any destination from these source prefixes was null routed by participating routers. This kind of scheme worked as long as the sources could be identified. But as we all know, the vast majority of DDoS attack packets are actually spoofed. For example, in the recent well-publicized Internet DDoS attack last fall, over a million attacking IP addresses were identified. As a result, this approach is rarely used to block DDoS attacks.    


Figure 3 S/RTBH blocking the source(s) at the ingress router

Border Gateway Protocol

The latest approach to managing DDoS traffic involves utilizing the power of the Border Gateway Protocol (BGP). BGP is the routing protocol that glues the Internet together. For example, Internet Service Providers use BGP policies to govern traffic flowing across their networks. BGP lets BGP-participating routers know which networks are reachable via which Autonomous Systems.

Border Gateway Protocol Flowspec

The BGP Flowspec protocol, defined in RFC 5575, describes a new BGP Network Layer Reachability Information (NLRI) format that can be used to distribute traffic flow specification rules. The fundamental purpose of BGP Flowspec is to automate the distribution of traffic filter lists to routers from a single point of control, specifically for the mitigation of DDoS attacks.

While routers could originally only block DDoS attacks based on the destination or source of the attack, BGP Flowspec now allows mitigation using a Border Gateway Protocol Network Layer Reachability Information (BGP NLRI) type, which may include several components, such as destination prefix, source prefix, protocol, ports, and more.

Currently, the following 12 NLRI types are defined by this RFC:

      Type 1 - Destination Prefix
      Type 2 - Source Prefix
      Type 3 - IP Protocol
      Type 4 - Port
      Type 5 - Destination port
      Type 6 - Source port
      Type 7 - ICMP type
      Type 8 - ICMP code
      Type 9 - TCP flags
      Type 10 - Packet length
      Type 11 - DSCP
      Type 12 - Fragment
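
As an added illustration (not Fortinet code and not part of the original post), the decoder below parses the NLRI wire encoding that RFC 5575 defines for the component types listed above, so an operator can see exactly what a received rule will match before a router acts on it. The function name and the sample bytes are constructed for this example, and only IPv4 is handled.

```python
import ipaddress

# Component type names as listed on this page (RFC 5575, IPv4 only).
TYPES = {1: "Destination Prefix", 2: "Source Prefix", 3: "IP Protocol", 4: "Port",
         5: "Destination port", 6: "Source port", 7: "ICMP type", 8: "ICMP code",
         9: "TCP flags", 10: "Packet length", 11: "DSCP", 12: "Fragment"}

def decode_flowspec(nlri: bytes) -> list:
    """Decode one Flowspec NLRI into (component name, match expression) pairs."""
    two = nlri[:1] >= b"\xf0"  # length: one octet below 240, else two octets 0xfnnn
    pos = 2 if two else 1
    length = int.from_bytes(nlri[:pos], "big") & (0x0FFF if two else 0xFF)
    if pos + length != len(nlri):
        raise ValueError("length field does not match buffer")
    rules, last = [], 0
    while pos < len(nlri):
        ctype = nlri[pos]
        if ctype not in TYPES or ctype <= last:  # components must ascend by type
            raise ValueError(f"unknown or out-of-order component {ctype}")
        last, pos = ctype, pos + 1
        if ctype in (1, 2):  # prefix length in bits, then only the octets needed
            bits = nlri[pos] if pos < len(nlri) else 255
            raw = nlri[pos + 1:pos + 1 + (bits + 7) // 8]
            if bits > 32 or len(raw) != (bits + 7) // 8:
                raise ValueError("bad prefix component")
            pos += 1 + len(raw)
            addr = ipaddress.ip_address(raw.ljust(4, b"\x00"))
            rules.append((TYPES[ctype], f"{addr}/{bits}"))
            continue
        terms, done = [], False
        while not done:  # list of {operator octet, value} pairs
            if pos >= len(nlri):
                raise ValueError("truncated operator list")
            op = nlri[pos]
            size = 1 << ((op >> 4) & 0x3)  # value is 1, 2, 4 or 8 octets
            val = nlri[pos + 1:pos + 1 + size]
            if len(val) != size:
                raise ValueError("truncated operator value")
            n, pos, done = int.from_bytes(val, "big"), pos + 1 + size, bool(op & 0x80)
            if ctype in (9, 12):  # bitmask operator: not=0x02, match=0x01
                text = ("not " if op & 2 else "") + ("all" if op & 1 else "any") + f"(0x{n:02x})"
            else:  # numeric operator: lt=0x04, gt=0x02, eq=0x01
                text = ("<" if op & 4 else "") + (">" if op & 2 else "") + ("=" if op & 1 else "") + str(n)
            terms.append(((" and " if op & 0x40 else " or ") if terms else "") + text)
        rules.append((TYPES[ctype], "".join(terms)))
    return rules

# Constructed sample: UDP from source port 123 to 192.0.2.10/32, packets >= 1024 bytes.
SAMPLE = bytes.fromhex("10 0120c000020a 038111 06817b 0a930400")
```

Decoding `SAMPLE` yields four components (destination prefix, protocol, source port, packet length); a rule this narrow leaves all other traffic to the same destination untouched.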

FortiDDoS Release 4.5.0 Supports Flowspec to Stop DDoS Attacks Based on Attack Data

FortiDDoS is deployed very close to networks under attack. As a result, it not only has full visibility of an attack, but as a high-performance appliance it can also detect attacks at layers 3, 4, and 7 within a few seconds. Because it identifies attacks at a granular level, it also provides detailed visibility into them. It then summarizes these attacks using most of the NLRIs outlined in RFC 5575. As a result, rather than using the typical broad-brush approach that essentially blocks all traffic, either at the source or destination, FortiDDoS is now able to send very specific attack information that can be used to block very specific attack traffic, while leaving the rest of the traffic alone. This preserves good network throughput while keeping false positives to a minimum.

An important point to note here is that until an attack grows beyond the capacity of FortiDDoS, all DDoS attacks are mitigated by FortiDDoS itself. A FortiDDoS administrator, upon notification from FortiDDoS of imminent link saturation, can generate the Flowspec data that can be exported to a peering router. This can be done for a chosen destination under attack, with a drop threshold above a given number. FortiDDoS can then generate a Flowspec that is compatible with the Cisco or Juniper routers managing the affected traffic.

Figure 4 FortiDDoS generating the Flowspec based on the attack data

Expected Action from Participating Routers after Receiving Flowspec NLRI Information

The BGP router to which FortiDDoS BGP Flowspec information is applied converts the Flowspec route into an ACL, and then applies it to its selected interfaces. At the same time, either the router or the FortiDDoS administrator can configure an appropriate action to drop, redirect, or rate limit the traffic.

The addition of BGP Flowspec functionality to FortiDDoS provides a granular level of controlled response that allows for much more accurate identification and classification of malicious traffic. This enables the surgical removal of DDoS attacks without impacting the critical data that organizations rely on, now more than ever, to compete effectively in today’s digital marketplace. 
