
BGP traffic rerouting, Flowspec, and the DDoS Scrubbing Centers


Distributed denial-of-service (DDoS) attacks are far from a downward trend. Although the popularity of particular DDoS attack types among cybercriminals varied over the quarters of 2022, the Cloudflare DDoS report for Q3 2022 clearly shows an overall increase in DDoS attacks compared to the previous year. For example, HTTP DDoS (application-layer DDoS) attacks increased by 111% year-over-year, while network-layer DDoS attacks increased by 97% year-over-year [1].
In addition, based on a survey of Cloudflare customers, DDoS attacks accompanied by a ransom demand to stop or avoid the attack increased by 67% year-over-year. Ransom DDoS attacks are clearly becoming a common way for cybercriminals to make money or cause disruption for their own purposes, with governments and financial institutions typically being the main targets.

DDoS mitigation techniques have gradually evolved over time. Older blackholing methods, such as the destination-based Remotely Triggered Blackhole (D/RTBH), have proven very effective at protecting the network, but at the cost of making the victim’s destination IP address completely unreachable. The goal of newer approaches is to move away from penalizing whole prefixes under attack, which blackholes “innocent” sessions along with the malicious ones, and instead penalize individual flows or aggregates of DDoS flows. This is where BGP Flowspec (RFC 8955) comes into play: it can describe DDoS traffic much more precisely and distributes the resulting rules automatically.

In BGP-FS, a flowspec or “firewall” rule consists of a traffic description and an action. An example traffic description is source address 192.168.1.1/32, protocol ICMP, and destination address 192.168.2.1/32 (Figure 1), with the action set to drop the traffic. The rule is configured on a flowspec controller (router P) and distributed inside a BGP UPDATE message to the flowspec clients (PE1 and PE2). Both clients receive the rule from the controller and program the match/action in hardware. An ICMP flood from the attacker (190.160.1.1) to the server (190.160.2.1) arriving at edge router PE1 matches the description and is dropped, while an ICMP echo request from host 190.160.1.2 to the server is forwarded.
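The rule from Figure 1 on the wire, as an added example that is not part of the original post: it encodes the Flowspec NLRI components and the traffic-rate "drop" action in the RFC 8955 format, decodes the NLRI the way a client would before programming hardware, and evaluates the two flows against it. The flows are constructed using the rule's own 192.168.x addresses, and AS 65000 in the extended community is a placeholder value.

```python
import ipaddress
import struct

DST_PREFIX, SRC_PREFIX, IP_PROTO = 1, 2, 3   # RFC 8955 component types
OP_END, OP_EQ = 0x80, 0x01                   # operator octet bits: end-of-list, "=="

def _prefix_component(ctype, cidr):
    # <type><prefix length in bits><only the significant prefix octets>
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def encode_flowspec_nlri(dst_cidr, src_cidr, proto):
    """NLRI = one length octet (valid while < 240) + components in ascending type order."""
    body = _prefix_component(DST_PREFIX, dst_cidr) + _prefix_component(SRC_PREFIX, src_cidr)
    body += bytes([IP_PROTO, OP_END | OP_EQ, proto])  # single 1-octet value, "== proto"
    return bytes([len(body)]) + body

def traffic_rate_community(asn, rate_bytes_per_sec):
    """Traffic-rate extended community (type 0x80, sub-type 0x06); rate 0.0 means drop."""
    return struct.pack(">BBH", 0x80, 0x06, asn) + struct.pack(">f", rate_bytes_per_sec)

def decode_flowspec_nlri(data):
    """Parse the NLRI into the match that a Flowspec client programs in hardware."""
    length, pos, rule = data[0], 1, {}
    while pos < 1 + length:
        ctype, pos = data[pos], pos + 1
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen, nbytes = data[pos], (data[pos] + 7) // 8
            addr = int.from_bytes(data[pos + 1:pos + 1 + nbytes].ljust(4, b"\0"), "big")
            rule["dst" if ctype == DST_PREFIX else "src"] = ipaddress.ip_network((addr, plen))
            pos += 1 + nbytes
        elif ctype == IP_PROTO:
            op, val = data[pos], data[pos + 1]
            if not (op & OP_END and op & OP_EQ and op & 0x30 == 0):
                raise ValueError("only a single 1-octet '== proto' operator is handled here")
            rule["proto"], pos = val, pos + 2
        else:
            raise ValueError(f"unsupported component type {ctype}")
    return rule

def matches(rule, src_ip, dst_ip, proto):
    """Would the client apply the action to this flow? Every component must match."""
    return (ipaddress.ip_address(src_ip) in rule["src"]
            and ipaddress.ip_address(dst_ip) in rule["dst"]
            and proto == rule["proto"])

if __name__ == "__main__":
    nlri = encode_flowspec_nlri("192.168.2.1/32", "192.168.1.1/32", 1)  # ICMP = protocol 1
    rule = decode_flowspec_nlri(nlri)
    print(nlri.hex(), traffic_rate_community(65000, 0.0).hex())
    print(matches(rule, "192.168.1.1", "192.168.2.1", 1))  # attacker's flood: dropped
    print(matches(rule, "192.168.1.2", "192.168.2.1", 1))  # innocent echo request: forwarded
```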

ICMP flooding is a Layer 3/Layer 4 DDoS attack, and attacks of this class are volumetric. Other volumetric DDoS attacks, such as amplification attacks, abuse vulnerable services like Memcached, NTP, and DNS running on public servers on the Internet. The attacker sends many queries with a spoofed source address to these servers, which then flood the victim with large reply packets, saturating links and, in many cases, causing the target’s network infrastructure to collapse.

Volumetric DDoS attacks do not need a sophisticated scrubbing system to be mitigated; they can instead be filtered at the edge routers (the BGP-FS clients). BGP-FS allows such traffic to be matched precisely on Layer 3 and Layer 4 parameters, and malicious traffic is dropped at the network edge so that neither the provider’s core network nor its customers are impacted by the huge volume. Stateful DDoS attacks, however, require a different approach: redirecting the traffic to a DDoS mitigation device.