Friday, July 12, 2019

Arista BGP FlowSpec

The video of a talk by Peter Lundqvist from DKNOG9 describes BGP FlowSpec, use cases, and details of Arista's implementation.

FlowSpec for real-time control and sFlow telemetry for real-time visibility is a powerful combination that can be used to automate DDoS mitigation and traffic engineering. The article, Real-time DDoS mitigation using sFlow and BGP FlowSpec, gives an example using the sFlow-RT analytics software.

EOS 4.22 includes support for BGP FlowSpec. This article uses a virtual machine running vEOS-4.22 to demonstrate how to configure FlowSpec and sFlow so that the switch can be controlled by an sFlow-RT application (such as the DDoS mitigation application referenced earlier).

The following output shows the EOS configuration statements related to sFlow and FlowSpec:
service routing protocols model multi-agent
sflow sample 16384
sflow polling-interval 30
sflow destination
sflow run
interface Ethernet1
   flow-spec ipv4 ipv6
interface Management1
   ip address
ip routing
router bgp 65096
   neighbor remote-as 65070
   neighbor transport remote-port 1179
   neighbor send-community extended
   neighbor maximum-routes 12000 
   address-family flow-spec ipv4
      neighbor activate
   address-family flow-spec ipv6
      neighbor activate
The following JavaScript statement configures the FlowSpec connection on the sFlow-RT side:
The FlowSpec functionality is exposed through sFlow-RT's REST API.
The sFlow-RT REST API Explorer is a simple way to exercise the FlowSpec functionality. In this case we are going to push a rule that blocks traffic from UDP port 53 targeted at host This type of rule is typically used to block a DNS amplification attack.

The following output on the switch verifies that the rule has been received:
localhost#sho bgp flow-spec ipv4 detail
BGP Flow Specification rules for VRF default
Router identifier, local AS number 65096
BGP Flow Specification Matching Rule for;*;IP:17;SP:53;
 Rule identifier: 3851506952
 Matching Rule:
   Destination Prefix:
   Source Prefix: *
   IP Protocol: 17
   Source Port: 53
 Paths: 1 available
    from (
      Origin IGP, metric -, localpref 100, weight 0, valid, external, best
      Actions: Drop
In practice the process of adding and removing filtering rules can be completely automated by an sFlow-RT application. The combination of real-time sFlow analytics with the real-time control provided by FlowSpec allows DDoS attacks to be detected and blocked within seconds.

No comments:

Post a Comment