The video of a talk by Peter Lundqvist from DKNOG9 describes BGP FlowSpec, use cases, and details of Arista's implementation.
FlowSpec for real-time control and sFlow telemetry for real-time visibility is a powerful combination that can be used to automate DDoS mitigation and traffic engineering. The article, Real-time DDoS mitigation using sFlow and BGP FlowSpec, gives an example using the sFlow-RT analytics software.
The following output shows the EOS configuration statements related to sFlow and FlowSpec:
! service routing protocols model multi-agent ! sflow sample 16384 sflow polling-interval 30 sflow destination 10.0.0.70 sflow run ! interface Ethernet1 flow-spec ipv4 ipv6 ! interface Management1 ip address 10.0.0.96/24 ! ip routing ! router bgp 65096 router-id 10.0.0.96 neighbor 10.0.0.70 remote-as 65070 neighbor 10.0.0.70 transport remote-port 1179 neighbor 10.0.0.70 send-community extended neighbor 10.0.0.70 maximum-routes 12000 ! address-family flow-spec ipv4 neighbor 10.0.0.70 activate ! address-family flow-spec ipv6 neighbor 10.0.0.70 activateThe following JavaScript statement configures the FlowSpec connection on the sFlow-RT side:
bgpAddNeighbor("10.0.0.96","65070","10.0.0.70",{flowspec:true,flowspec6:true});The FlowSpec functionality is exposed through sFlow-RT's REST API.
The sFlow-RT REST API Explorer is a simple way to exercise the FlowSpec functionality. In this case we are going to push a rule that blocks traffic from UDP port 53 targeted at host 10.0.0.1. This type of rule is typically used to block a DNS amplification attack.
The following output on the switch verifies that the rule has been received:
localhost#sho bgp flow-spec ipv4 detail BGP Flow Specification rules for VRF default Router identifier 10.0.0.96, local AS number 65096 BGP Flow Specification Matching Rule for 10.0.0.1/32;*;IP:17;SP:53; Rule identifier: 3851506952 Matching Rule: Destination Prefix: 10.0.0.1/32 Source Prefix: * IP Protocol: 17 Source Port: 53 Paths: 1 available 65070 from 10.0.0.70 (10.0.0.70) Origin IGP, metric -, localpref 100, weight 0, valid, external, best Actions: DropIn practice the process of adding and removing filtering rules can be completely automated by an sFlow-RT application. The combination of real-time sFlow analytics with the real-time control provided by FlowSpec allows DDoS attacks to be detected and blocked within seconds.
No comments:
Post a Comment