1.2.24 Threat Mitigation

Starting with IRP 4.1, a new feature called Threat Mitigation is added to the platform. It incorporates the statistics collection as well as the blackholing mechanism, present in the previous product versions, nevertheless offering a fully automated threshold-based threat mitigation instrument that introduces Flowspec in addition to the RTBH.

Threat Mitigation can operate in the following modes:

The Threat Mitigation feature is based on threshold rules set by IRP users. In the context of DoS/DDoS attack detection, threshold values refer to the rate of kilo packets or megabits per second. Specifically, a detection threshold represents the rate at which an IRP instance raises an alert for an attack and takes appropriate action as per the predefined rule. For instance, if the Flowspec rule threshold is set to 80 kilo packets per second, an alert will be generated once incoming packets flow towards a destination exceeds this bound and the consecutive Flowspec action gets triggered. Hence, indicating an appropriate detection threshold value in rules is critical to providing an efficacious response to DoS threats while reducing false alerts.

FlowSpec mitigation method can be chosen to filter out smaller attacks while the Remote Triggered Blackhole should be sent to providers to block large volume attacks.

A Provider in IRP should be configured before it could be used for blackholing.

IRP should know next-hop (bgpd.peer.X.blackholing.ipv4.next_hop,bgpd.peer.X.blackholing.ipv6.next_hop), localpref (bgpd.peer.X.blackholing.localpref) and community (peer.X.blackholing.community) values to be able to send a route to a user’s network.

A user’s router is responsible to distinguish communities sent by an IRP instance and advertise blackholing routes to a provider’s router used to receive such routes.

FlowSpec feature should be enabled globally in global.flowspec then for each BGP session in bgpd.peer.X.flowspec.