# DDoS Mitigation with ExaBGP **Automated DDoS protection using BGP FlowSpec** > 🛡️ **ExaBGP pioneered open-source FlowSpec** - enabling network-wide DDoS mitigation in seconds --- ## Table of Contents - [Overview](#overview) - [Why FlowSpec for DDoS Mitigation?](#why-flowspec-for-ddos-mitigation) - [Architecture Patterns](#architecture-patterns) - [Detection Integration](#detection-integration) - [Complete Workflow](#complete-workflow) - [Attack Types and Mitigation](#attack-types-and-mitigation) - [Implementation Guide](#implementation-guide) - [Production Deployment](#production-deployment) - [Monitoring and Alerting](#monitoring-and-alerting) - [Best Practices](#best-practices) - [Troubleshooting](#troubleshooting) - [Real-World Examples](#real-world-examples) --- ## Overview **DDoS mitigation with ExaBGP** enables automated, network-wide traffic filtering using BGP FlowSpec. ### The Problem **Traditional DDoS response is slow:** 1. ⏱️ **Detection**: Minutes to identify attack 2. 🔧 **Manual intervention**: SSH to routers, configure ACLs 3. 📝 **Error-prone**: Manual configuration mistakes 4. 🐌 **Slow deployment**: Can't update hundreds of routers quickly 5. 💰 **Damage**: Attack causes disruption before mitigation ### The ExaBGP Solution **Automated FlowSpec-based mitigation:** 1. ⚡ **Instant detection**: Automated systems detect attack patterns 2. 🤖 **Automated response**: ExaBGP generates FlowSpec rules via API 3. 🌐 **Network-wide**: Rules propagate to all edge routers via BGP 4. 🚀 **Fast**: Attack blocked in **seconds** (not minutes) 5. ✅ **Reliable**: No manual intervention required --- ## Why FlowSpec for DDoS Mitigation? ### Advantages Over Traditional Methods **vs. RTBH (Remote Triggered Black Hole):** - ✅ **Granular filtering**: Match on ports, protocols, packet size, TCP flags - ✅ **Surgical mitigation**: Rate-limit instead of complete blackhole - ✅ **Reduced collateral damage**: Single rule vs. thousands of /32 prefixes - ✅ **Flexible actions**: Discard, rate-limit, redirect, or mark traffic **vs. On-Premises Scrubbing:** - ✅ **Upstream filtering**: Traffic blocked at provider edge (before reaching your network) - ✅ **Bandwidth savings**: Attack traffic never consumes your bandwidth - ✅ **Scalability**: Leverage provider infrastructure - ✅ **Fast convergence**: BGP propagation in seconds **vs. Cloud Scrubbing Services:** - ✅ **No third-party dependency**: On-premises control - ✅ **Lower cost**: No per-GB scrubbing fees - ✅ **Lower latency**: No traffic redirection - ✅ **Privacy**: Traffic stays in your network --- ## Architecture Patterns ### Pattern 1: Centralized FlowSpec Controller **Most common deployment:** ``` ┌─────────────────────┐ │ DDoS Detection │ FastNetMon, custom detection │ System │ └──────────┬──────────┘ │ Attack detected ▼ ┌─────────────────────┐ │ ExaBGP │ FlowSpec controller │ (Central) │ Generates rules via API └──────────┬──────────┘ │ BGP FlowSpec UPDATE ▼ ┌─────────────────────┐ │ Edge Routers │ Cisco, Juniper, Arista, etc. │ (100s-1000s) │ Apply filters in hardware └──────────┬──────────┘ │ Filtered traffic ▼ Attack blocked ✅ ``` **Characteristics:** - Single ExaBGP instance as FlowSpec controller - Peers with route reflectors or edge routers - Rules propagate network-wide via BGP - Centralized logging and management --- ### Pattern 2: Distributed FlowSpec with Route Reflectors **For large-scale networks:** ``` ┌────────────────┐ ┌────────────────┐ │ ExaBGP │◄───────►│ Route │ │ FlowSpec │ iBGP │ Reflectors │ │ Controller │ │ │ └────────────────┘ └────────┬───────┘ │ ┌───────────────┼───────────────┐ ▼ ▼ ▼ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │ Edge Router │ │ Edge Router │ │ Edge Router │ │ (Region A) │ │ (Region B) │ │ (Region C) │ └──────────────┘ └──────────────┘ └──────────────┘ ``` **Benefits:** - Scalable to thousands of edge routers - Reduced BGP session overhead - Regional route reflectors for redundancy - Standard BGP topology --- ### Pattern 3: Hybrid (FlowSpec + Scrubbing) **Combine FlowSpec with scrubbing centers:** ``` ┌─────────────────┐ │ Detection │ └────────┬────────┘ │ ▼ ┌─────────────────┐ │ ExaBGP │ │ Decision Logic │ └────────┬────────┘ │ ┌────┴──────────┐ ▼ ▼ Small Attack Large Attack (< 1 Gbps) (> 1 Gbps) │ │ ▼ ▼ FlowSpec FlowSpec discard redirect to VRF │ ▼ ┌──────────────┐ │ Scrubbing │ │ Center │ └──────┬───────┘ │ ▼ Clean traffic back ``` **Use cases:** - Small attacks: Block at edge with FlowSpec - Large volumetric attacks: Redirect to scrubbing - Graduated response based on attack size --- ## Detection Integration ExaBGP can integrate with various DDoS detection systems: **Open-Source Options:** - **FastNetMon Community** - High-performance DDoS detection (native ExaBGP support) - **Custom detection** - Build your own using flow analysis tools **Turnkey Commercial DDoS Solutions:** - **[FastNetMon Advanced](https://fastnetmon.com/)** - Enterprise DDoS detection and mitigation platform - **[Wanguard](https://www.andrisoft.com/products/wanguard)** by Andrisoft - Complete DDoS protection solution with ExaBGP integration via BGP Connector > 💡 **Note**: Both turnkey solutions offer comprehensive DDoS protection with management interfaces, reporting, and automated mitigation workflows. Wanguard integrates with ExaBGP through its [BGP Connector component](https://docs.andrisoft.com/wanguard/8.4/Configuration__Components__BGP_Connector.html), supporting RTBH, FlowSpec, and traffic scrubbing. **Flow Analysis Tools** (for custom detection): - **Akvorado** - Flow collector and visualizer (can feed custom detection logic) - **pmacct** - Flow accounting and analysis - **nfdump/nfsen** - NetFlow analysis toolkit --- ### Option 1: FastNetMon Community **FastNetMon Community** is an open-source DDoS detection system with native ExaBGP integration. #### Architecture ``` FastNetMon → sFlow/NetFlow → Analysis → ExaBGP API → FlowSpec ``` #### Configuration **FastNetMon config** (`/etc/fastnetmon.conf`): ```bash # Enable ExaBGP integration enable_ban_for_tcp_syn_flood = on enable_ban_for_udp_flood = on enable_ban_for_icmp_flood = on # ExaBGP FlowSpec exabgp = on exabgp_flow_spec_announces = on exabgp_command_pipe = /var/run/exabgp.cmd # Thresholds ban_for_pps = on threshold_pps = 20000 ban_for_bandwidth = on threshold_mbps = 1000 ``` **ExaBGP config** (`/etc/exabgp/exabgp.conf`): ```ini neighbor 192.168.1.1 { router-id 192.168.1.2; local-address 192.168.1.2; local-as 65001; peer-as 65000; family { ipv4 flow; } api { processes [ fastnetmon ]; } } process fastnetmon { run /etc/exabgp/api/fastnetmon.py; encoder text; } ``` **Integration script** (`/etc/exabgp/api/fastnetmon.py`): ```python #!/usr/bin/env python3 """ FastNetMon integration for ExaBGP FlowSpec Reads attack notifications and generates FlowSpec rules """ import sys import time import os # Named pipe from FastNetMon PIPE_PATH = "/var/run/exabgp.cmd" def read_fastnetmon_commands(): """Read FlowSpec commands from FastNetMon pipe""" if not os.path.exists(PIPE_PATH): os.mkfifo(PIPE_PATH) while True: with open(PIPE_PATH, 'r') as pipe: for line in pipe: command = line.strip() if command: # Forward to ExaBGP sys.stdout.write(command + "\n") sys.stdout.flush() sys.stderr.write(f"[FASTNETMON] {command}\n") time.sleep(2) read_fastnetmon_commands() ``` --- ### Option 3: Custom Detection **Build your own detection system:** ```python #!/usr/bin/env python3 """ Custom DDoS detection and mitigation Analyzes traffic patterns and generates FlowSpec rules """ import sys import time import collections from datetime import datetime # Attack detection state traffic_stats = collections.defaultdict(lambda: {'pps': 0, 'bps': 0}) blocked_sources = set() # Thresholds SYN_FLOOD_THRESHOLD = 10000 # SYN packets per second UDP_FLOOD_THRESHOLD = 50000 # UDP packets per second BANDWIDTH_THRESHOLD = 1000000000 # 1 Gbps def analyze_traffic(): """ Analyze traffic patterns (placeholder - integrate with your monitoring) Returns: list of detected attacks """ # TODO: Integrate with your traffic analysis system # Examples: sFlow collector, SNMP polling, pcap analysis attacks = [] for source_ip, stats in traffic_stats.items(): # SYN flood detection if stats['syn_pps'] > SYN_FLOOD_THRESHOLD: attacks.append({ 'type': 'syn_flood', 'source': source_ip, 'metric': stats['syn_pps'], 'dest_port': stats.get('dest_port', 80) }) # UDP flood detection if stats['udp_pps'] > UDP_FLOOD_THRESHOLD: attacks.append({ 'type': 'udp_flood', 'source': source_ip, 'metric': stats['udp_pps'] }) # Bandwidth-based detection if stats['bps'] > BANDWIDTH_THRESHOLD: attacks.append({ 'type': 'bandwidth_flood', 'source': source_ip, 'metric': stats['bps'] }) return attacks def mitigate_attack(attack): """Generate and announce FlowSpec rule""" attack_type = attack['type'] source = attack['source'] if source in blocked_sources: return # Already blocked if attack_type == 'syn_flood': dest_port = attack.get('dest_port', 80) rule = ( f"announce flow route {{ " f"match {{ source {source}/32; destination-port ={dest_port}; " f"protocol =tcp; tcp-flags [ syn ]; }} " f"then {{ rate-limit 10000000; }} " f"}}" ) elif attack_type == 'udp_flood': rule = ( f"announce flow route {{ " f"match {{ source {source}/32; protocol =udp; }} " f"then {{ rate-limit 5000000; }} " f"}}" ) elif attack_type == 'bandwidth_flood': rule = ( f"announce flow route {{ " f"match {{ source {source}/32; }} " f"then {{ rate-limit 1000000; }} " f"}}" ) else: rule = ( f"announce flow route {{ " f"match {{ source {source}/32; }} " f"then {{ discard; }} " f"}}" ) sys.stdout.write(rule + "\n") sys.stdout.flush() blocked_sources.add(source) timestamp = datetime.now().strftime('%Y-%m-%d %H:%M:%S') sys.stderr.write( f"[{timestamp}] Blocked {attack_type} from {source} " f"(metric: {attack['metric']})\n" ) # Schedule auto-withdrawal after 300 seconds schedule_withdrawal(rule, 300) def schedule_withdrawal(rule, timeout): """Auto-withdraw rule after timeout""" import threading def withdraw_after_timeout(): time.sleep(timeout) withdraw = rule.replace('announce', 'withdraw') # Remove 'then' clause for withdrawal withdraw = withdraw.split('then')[0].rstrip() + '}' sys.stdout.write(withdraw + "\n") sys.stdout.flush() sys.stderr.write(f"[AUTO-WITHDRAW] {withdraw}\n") thread = threading.Thread(target=withdraw_after_timeout, daemon=True) thread.start() # Main detection loop time.sleep(2) sys.stderr.write("[DETECTION] Custom DDoS detection started\n") while True: attacks = analyze_traffic() for attack in attacks: mitigate_attack(attack) time.sleep(5) # Check every 5 seconds ``` --- ### Option 2: Wanguard Integration **Wanguard** by Andrisoft offers turnkey DDoS protection with ExaBGP integration via its BGP Connector component. #### Architecture ``` Wanguard Detection → Response System → BGP Connector → ExaBGP → Edge Routers ``` #### Key Features **BGP Connector supports:** - **Remote Triggered Black Hole (RTBH)** - Null-route attacked destinations - **BGP FlowSpec** - Granular traffic filtering at edge routers - **Traffic Scrubbing** - Redirect traffic to cleaning servers - **Source RTBH** - Block attacking source IPs - **Automated & Manual Control** - REST API, console, or anomaly-triggered #### Configuration For complete setup instructions, refer to the official Andrisoft documentation: **[Wanguard BGP Connector Configuration Guide](https://docs.andrisoft.com/wanguard/8.4/Configuration__Components__BGP_Connector.html)** The guide covers: - Installing and configuring ExaBGP - Setting up the Wanguard BGP Connector component - Configuring pipe file paths and permissions - Connector role selection (Mitigation or Diversion) - Enabling BGP FlowSpec support - Community and prefix restrictions - Integration with Wanguard Response System #### How It Works Once configured, Wanguard's detection engine automatically triggers BGP announcements via ExaBGP: 1. **Attack Detection** - Wanguard identifies DDoS attack patterns 2. **Response Trigger** - Response system activates mitigation 3. **BGP Announcement** - Writes FlowSpec/RTBH rules to ExaBGP pipe 4. **Network-Wide Mitigation** - ExaBGP propagates rules to edge routers Mitigation can also be triggered manually via Wanguard's REST API or console interface. #### Additional Resources - **[Wanguard BGP Connector Documentation](https://docs.andrisoft.com/wanguard/8.4/Configuration__Components__BGP_Connector.html)** - Official configuration guide - **[Wanguard Product Information](https://www.andrisoft.com/products/wanguard)** - Features and capabilities - **[Andrisoft Support](https://www.andrisoft.com/support)** - Technical support resources --- ## Complete Workflow ### End-to-End DDoS Mitigation **Step 1: Detection** ``` Attack traffic → Edge routers → NetFlow/sFlow → Detection system ``` **Detection triggers when:** - Packets per second > threshold - Bandwidth > threshold - Anomaly detected by ML model - Specific attack patterns identified --- **Step 2: Rule Generation** ```python # Detection system generates FlowSpec rule rule = ( "announce flow route { " "match { source 203.0.113.0/24; destination-port =80; protocol =tcp; } " "then { discard; } " "}" ) ``` --- **Step 3: ExaBGP Announcement** ```python # Send to ExaBGP via API sys.stdout.write(rule + "\n") sys.stdout.flush() ``` --- **Step 4: BGP Propagation** ``` ExaBGP → BGP UPDATE (FlowSpec) → Route Reflectors → Edge Routers ``` **Convergence time:** 1-5 seconds network-wide --- **Step 5: Traffic Filtering** ``` Edge routers install FlowSpec rule in hardware (TCAM) → Matching traffic dropped/rate-limited at wire speed → Attack blocked ✅ ``` --- **Step 6: Auto-Withdrawal** ```python # After attack ends (e.g., 5 minutes) time.sleep(300) withdraw = "withdraw flow route { match { source 203.0.113.0/24; ... } }" sys.stdout.write(withdraw + "\n") sys.stdout.flush() ``` --- ## Attack Types and Mitigation ### 1. SYN Flood **Attack:** TCP SYN packets without completing handshake **Detection:** - High SYN rate to specific port - SYN packets without corresponding ACK **Mitigation:** ```python announce flow route { match { destination 100.10.0.100/32; # Target server destination-port =80|=443; # HTTP/HTTPS protocol =tcp; tcp-flags [ syn ]; # SYN flag only } then { rate-limit 10000000; # 10 MB/s (~80 Mbps) } } ``` --- ### 2. UDP Amplification **Attack:** Spoofed UDP requests to amplification servers (DNS, NTP, SSDP, etc.) **Detection:** - Large UDP responses (> 512 bytes) - High volume from specific source ports (53, 123, 1900) **Mitigation:** ```python # DNS amplification announce flow route { match { source-port =53; # DNS responses protocol =udp; packet-length >512; # Large responses } then { discard; } } # NTP amplification announce flow route { match { source-port =123; # NTP responses protocol =udp; packet-length >100; } then { discard; } } # SSDP amplification announce flow route { match { source-port =1900; # SSDP protocol =udp; } then { discard; } } ``` --- ### 3. HTTP Flood **Attack:** High volume of HTTP requests **Detection:** - High connection rate to web servers - Unusual HTTP request patterns **Mitigation:** ```python # Rate-limit HTTP traffic from attack source announce flow route { match { source 10.0.0.0/8; # Attack network destination-port =80|=443; protocol =tcp; } then { rate-limit 5000000; # 5 MB/sec (bytes/sec, RFC 5575) } } ``` --- ### 4. ICMP Flood **Attack:** High volume of ICMP packets (ping flood, smurf attack) **Detection:** - High ICMP packet rate - Large ICMP packet sizes **Mitigation:** ```python # Block all ICMP during attack announce flow route { match { protocol =icmp; } then { discard; } } # Or rate-limit ICMP announce flow route { match { protocol =icmp; icmp-type =8; # Echo request } then { rate-limit 1000000; # 1 MB/s (~8 Mbps) } } ``` --- ### 5. Fragmentation Attack **Attack:** Malformed or excessive fragmented packets **Detection:** - High rate of fragmented packets - Invalid fragment patterns **Mitigation:** ```python # Block all fragmented packets announce flow route { match { fragment [ is-fragment ]; } then { discard; } } ``` --- ### 6. Volumetric Attack **Attack:** High bandwidth consumption (> line capacity) **Detection:** - Total bandwidth exceeds threshold - Traffic from specific sources/networks **Mitigation:** ```python # Aggressive rate-limiting for attack sources announce flow route { match { source 203.0.113.0/24; } then { rate-limit 1000000; # 1 MB/s (~8 Mbps) } } # Or redirect to scrubbing VRF announce flow route { match { destination 100.10.0.0/24; # Attacked network } then { redirect 65001:999; # Scrubbing VRF } } ``` --- ## Implementation Guide ### Step 1: Install ExaBGP ```bash # Using pip pip install exabgp # Verify installation exabgp version ``` See [Installation Guide](Installation-Guide) for details. --- ### Step 2: Configure ExaBGP **Create config** (`/etc/exabgp/ddos-mitigation.conf`): ```ini neighbor 192.168.1.1 { router-id 192.168.1.2; local-address 192.168.1.2; local-as 65001; peer-as 65000; family { ipv4 flow; } api { processes [ ddos-controller ]; } } process ddos-controller { run /etc/exabgp/api/ddos_controller.py; encoder text; } ``` --- ### Step 3: Create Detection Script **Basic template** (`/etc/exabgp/api/ddos_controller.py`): ```python #!/usr/bin/env python3 import sys import time time.sleep(2) sys.stderr.write("[DDOS] Controller started\n") # Your detection logic here # When attack detected, generate FlowSpec rule: def block_attack(source_ip, attack_type): rule = ( f"announce flow route {{ " f"match {{ source {source_ip}/32; }} " f"then {{ discard; }} " f"}}" ) sys.stdout.write(rule + "\n") sys.stdout.flush() sys.stderr.write(f"[DDOS] Blocked {attack_type} from {source_ip}\n") # Main loop while True: # TODO: Integrate with your detection system time.sleep(10) ``` --- ### Step 4: Configure Edge Routers **Cisco IOS-XR:** ```cisco router bgp 65000 neighbor 192.168.1.2 remote-as 65001 ! address-family ipv4 flow neighbor 192.168.1.2 activate ! ! flowspec local-install interface-all ! ``` **Juniper Junos:** ```juniper protocols { bgp { group exabgp { type external; peer-as 65001; neighbor 192.168.1.2 { family inet { flow; } } } } } routing-options { flow { validation { local { enabled; } } } } ``` --- ### Step 5: Test FlowSpec Rules **Manual test:** ```bash # Start ExaBGP exabgp /etc/exabgp/ddos-mitigation.conf # In another terminal, inject test rule echo "announce flow route { match { source 10.0.0.1/32; } then { discard; } }" > /tmp/exabgp.cmd ``` **Verify on router:** ```cisco # Cisco show flowspec ipv4 summary show flowspec ipv4 detail # Juniper show firewall filter __flowspec_default_inet__ ``` --- ## Production Deployment ### High Availability **Deploy redundant ExaBGP instances:** ``` ┌────────────────┐ ┌────────────────┐ │ ExaBGP │ │ ExaBGP │ │ Primary │ │ Secondary │ │ 192.168.1.2 │ │ 192.168.1.3 │ └────────┬───────┘ └───────┬────────┘ │ │ └────────────┬────────────┘ │ ▼ ┌───────────────┐ │ Route │ │ Reflectors │ └───────────────┘ ``` **Both instances:** - Run same detection logic - Announce same FlowSpec rules - BGP handles deduplication --- ### Logging and Auditing **Log all FlowSpec announcements:** ```python import logging logging.basicConfig( filename='/var/log/exabgp-ddos.log', level=logging.INFO, format='%(asctime)s [%(levelname)s] %(message)s' ) def announce_flowspec(rule, reason): sys.stdout.write(rule + "\n") sys.stdout.flush() logging.info(f"ANNOUNCE: {rule} - Reason: {reason}") ``` --- ### Alerting Integration **Send alerts to NOC:** ```python import requests def send_alert(message, severity='high'): """Send alert to Slack/PagerDuty/email""" # Slack webhook requests.post( "https://hooks.slack.com/services/YOUR/WEBHOOK/URL", json={ "text": f":warning: DDoS Alert: {message}", "username": "ExaBGP DDoS Controller" } ) # PagerDuty requests.post( "https://events.pagerduty.com/v2/enqueue", json={ "routing_key": "YOUR_ROUTING_KEY", "event_action": "trigger", "payload": { "summary": message, "severity": severity, "source": "ExaBGP" } } ) # When blocking attack send_alert(f"Blocking SYN flood from {source_ip} to port {port}") ``` --- ## Monitoring and Alerting ### Metrics to Track **1. Attack Metrics:** - Number of active FlowSpec rules - Attacks detected per hour - Attack types distribution - Top attack sources **2. Mitigation Metrics:** - Time to mitigation (detection → blocking) - Bandwidth saved - False positive rate - Rule withdrawal time **3. System Metrics:** - ExaBGP process health - BGP session state - API response time - Rule announcement latency --- ### Monitoring Script ```python #!/usr/bin/env python3 """ Monitor ExaBGP DDoS mitigation metrics """ import time import subprocess import requests # Metrics active_rules = 0 attacks_detected = 0 attacks_blocked = 0 def check_exabgp_health(): """Check if ExaBGP process is running""" try: result = subprocess.run( ['pgrep', '-f', 'exabgp'], capture_output=True, timeout=5 ) return result.returncode == 0 except: return False def check_bgp_session(): """Check BGP session state (example for Cisco via SNMP)""" # TODO: Implement SNMP check or router API pass def export_metrics_to_prometheus(): """Export metrics to Prometheus""" # Expose metrics endpoint metrics = f""" # HELP exabgp_ddos_active_rules Number of active FlowSpec rules # TYPE exabgp_ddos_active_rules gauge exabgp_ddos_active_rules {active_rules} # HELP exabgp_ddos_attacks_detected Total attacks detected # TYPE exabgp_ddos_attacks_detected counter exabgp_ddos_attacks_detected {attacks_detected} # HELP exabgp_ddos_attacks_blocked Total attacks blocked # TYPE exabgp_ddos_attacks_blocked counter exabgp_ddos_attacks_blocked {attacks_blocked} """ # Write to textfile collector or push to Pushgateway with open('/var/lib/prometheus/node-exporter/exabgp_ddos.prom', 'w') as f: f.write(metrics) while True: if not check_exabgp_health(): send_alert("ExaBGP process not running!", severity='critical') export_metrics_to_prometheus() time.sleep(60) ``` --- ## Best Practices ### 1. Graduated Response **Start conservative, escalate if needed:** ```python # Level 1: Rate-limit (warning) rate_limit_1 = 50000000 # 50 MB/s (~400 Mbps) # Level 2: Tighter rate-limit rate_limit_2 = 10000000 # 10 MB/s (~80 Mbps) # Level 3: Very tight rate-limit rate_limit_3 = 1000000 # 1 MB/s (~8 Mbps) # Level 4: Block completely # discard ``` --- ### 2. Whitelist Critical Services **Never block critical infrastructure:** ```python WHITELIST = [ '8.8.8.8', # Google DNS '1.1.1.1', # Cloudflare DNS # Add your critical IPs ] def should_block(ip): return ip not in WHITELIST ``` --- ### 3. Auto-Expiration **Always set TTL on rules:** ```python def announce_with_ttl(rule, ttl=300): """Announce rule with auto-withdrawal""" sys.stdout.write(rule + "\n") sys.stdout.flush() # Schedule withdrawal threading.Timer(ttl, withdraw_rule, args=[rule]).start() ``` --- ### 4. Rate-Limit Before Blocking **Try rate-limiting first:** ```python if attack_severity < 5: action = f"rate-limit {bandwidth}" else: action = "discard" ``` --- ### 5. Validate Rules Before Announcement **Prevent misconfigurations:** ```python def validate_flowspec_rule(rule): """Validate FlowSpec syntax""" required_keywords = ['announce', 'flow', 'route', 'match', 'then'] for keyword in required_keywords: if keyword not in rule: raise ValueError(f"Missing keyword: {keyword}") # Additional validation if 'source 0.0.0.0/0' in rule and 'discard' in rule: raise ValueError("Refusing to blackhole entire internet!") return True ``` --- ## Troubleshooting ### Issue 1: Rules Not Applied on Routers **Symptoms:** FlowSpec rules announced but not filtering traffic **Diagnosis:** ```cisco # Cisco show flowspec ipv4 show flowspec ipv4 summary # Juniper show firewall filter __flowspec_default_inet__ ``` **Common causes:** - FlowSpec not enabled on router - BGP session down - FlowSpec validation failing - Hardware limitations (TCAM full) **Solutions:** ```cisco # Enable FlowSpec router bgp 65000 address-family ipv4 flow neighbor 192.168.1.2 activate # Enable local installation flowspec local-install interface-all ``` --- ### Issue 2: ExaBGP Not Announcing Rules **Symptoms:** No BGP UPDATEs sent **Diagnosis:** ```bash # Check ExaBGP logs env exabgp.log.level=DEBUG exabgp /etc/exabgp/ddos.conf 2>&1 | tee exabgp.log # Look for errors grep ERROR exabgp.log ``` **Common causes:** - API process not running - Syntax error in FlowSpec rule - stdout not flushed **Solutions:** ```python # Always flush stdout sys.stdout.write(rule + "\n") sys.stdout.flush() # Critical! # Check process is running ps aux | grep ddos_controller ``` --- ### Issue 3: False Positives **Symptoms:** Legitimate traffic blocked **Diagnosis:** - Monitor user complaints - Analyze blocked traffic patterns - Review FlowSpec match conditions **Solutions:** - Make rules more specific - Use rate-limiting instead of discard - Implement whitelisting - Adjust detection thresholds --- ### Issue 4: High Latency **Symptoms:** Slow rule propagation (> 10 seconds) **Diagnosis:** ```bash # Measure BGP convergence time time exabgp announce-rule.py # Check BGP timers show bgp neighbor 192.168.1.2 ``` **Solutions:** - Reduce BGP timers (keepalive, hold-time) - Use route reflectors for scalability - Optimize detection script performance --- ## Real-World Examples ### Example 1: ISP DDoS Mitigation **Scenario:** Regional ISP with 100 edge routers **Architecture:** - Central ExaBGP FlowSpec controller - FastNetMon for detection (analyzing sFlow) - Route reflectors for BGP scalability **Results:** - Detection to mitigation: 3 seconds average - 50+ attacks blocked per day - 99.9% uptime maintained - Bandwidth savings: ~500 Gbps/month --- ### Example 2: Enterprise Network Protection **Scenario:** Enterprise with multiple data centers **Architecture:** - ExaBGP + custom Python detection - Integration with SIEM (Splunk) - Hybrid approach (FlowSpec + cloud scrubbing) **Attack handling:** - Small attacks (< 1 Gbps): FlowSpec at edge - Large attacks (> 1 Gbps): Redirect to cloud scrubbing - Auto-escalation based on attack size **Results:** - 95% of attacks handled at edge - Scrubbing costs reduced by 70% - No service outages in 12 months --- ### Example 3: Hosting Provider **Scenario:** Hosting provider protecting customer VMs **Architecture:** - ExaBGP per customer (multi-tenant) - Custom detection with sFlow/NetFlow analysis - Per-customer FlowSpec rules **Features:** - Customer portal for rule visibility - Automatic protection for all customers - Granular per-VM filtering **Results:** - 1000+ customers protected - Sub-second mitigation - Customer satisfaction: 98% --- ## Next Steps ### Learn More - **[FlowSpec Overview](FlowSpec-Overview)** - FlowSpec fundamentals - **[Match Conditions](Match-Conditions)** - All match types - **[Actions Reference](Actions-Reference)** - All actions ### API Documentation - **[Text API Reference](Text-API-Reference)** - FlowSpec commands - **[API Commands](API-Commands)** - Command reference - **[API Overview](API-Overview)** - API architecture ### Operations - **[Debugging](Debugging)** - Troubleshooting guide - **[Monitoring](Monitoring)** - Monitoring setup --- **Ready to deploy DDoS mitigation?** See [Quick Start](Quick-Start) to begin → ---