__FLOWSPEC IN CISCO NCS5500__ [[https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKSPG-3012.pdf]]

<code>
show bgp ipv4 flowspec summary   ! To see the current flowspec established sessions
show flowspec afi-all detail     ! To see what flowspec rules are currently applied
AFI: IPv4
  Flow        :Dest:25.1.102.1/32,Proto:=17,Length:>=500&<=1550
    Actions   :Nexthop: 25.3.9.3 (bgp.1)
    Statistics (packets/bytes)
      Matched : 0/0
      Dropped : 0/0

show policy-map transient type pbr pmap-name __bgpfs_default_IPv4
policy-map type pbr __bgpfs_default_IPv4 handle:0x36000002
 table description: L3 IPv4 and IPv6
 class handle:0x7600000a sequence 1024
  match source-port 80
  police rate 314152 bps
   conform-action transmit
   exceed-action drop
</code>

Vanilla configuration CSR1000v:

<code>
router bgp 65000
 bgp router-id 10.10.10.1
 bgp log-neighbor-changes
 neighbor 10.10.11.143 remote-as 65000
 !
 !
 address-family ipv4 flowspec
  neighbor 10.100.11.143 activate
  neighbor 10.100.11.143 send-community both
 exit-address-family
!
</code>

----

__**FLOWSPEC NOTES RFC 5575**__

To filter (apply actions) on flows instead of penalising whole prefix ranges.\\
Actions to be done are transmitted via a BGP session from the controller (tells the router what to filter). [[https://infocenter.nokia.com/public/7750SR222R1A/index.jsp?topic=%2Fcom.nokia.Unicast_Guide%2Fmulti-protocol_-ai9exj5yje.html|SAFI]] 133.\\
More specifically, actions are ''encoded in EXT-COMMUNITIES''

  * We use [[https://github.com/Exa-Networks/exabgp|exabgp]] to send and receive flowspec messages over the bgp connection
  * In this [[https://blog.sflow.com/2017/07/bgp-flowspec-on-white-box-switch.html|article]] we can see how we do: flowspec-bgp-msg > acl > iptable rules
  * however it takes for granted that we know how to generate and send flowspec messages.
  * the message was sent by sFlow-RT/exabgp.
More info [[https://blog.sflow.com/2017/07/real-time-ddos-mitigation-using-sflow.html|here]]
  * flowspec and containerlab: [[https://github.com/sflow-rt/containerlab|External Link]]

Flowspec in **junos**:

<code>
> show route table inetflow.0 extensive
inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
4.4.4.4,*,proto=17,srcport=53,len>=450&<=600/term:1 (1 entry, 1 announced)
TSI:
KRT in dfwd;
Action(s): discard,count
Page 0 idx 0, (group ArborSP type Internal) Type 1 val a3be258 (adv_entry)
   Advertised metrics:
     Nexthop: Self
     Localpref: 100
     AS path: [65530] ?
     Communities: 65530:100 65530:134 no-export traffic-rate:0:0
     Cluster ID: 192.168.252.12
     Originator ID: 10.2.25.68
   Advertise: 000006f7
Path 4.4.4.4,*,proto=17,srcport=53,len>=450&
</code>

----

__EXABGP NOTES__:

exabgp api accepts these [[https://github.com/Exa-Networks/exabgp/wiki/Controlling-ExaBGP-:-interacting-from-the-API|commands]], which can be entered either via python writing to stdio (exabgp listens to it) or directly via ''exabgpcli''.\\
Ways to start exabgp:

<code>
sudo env exabgp.daemon.user=root exabgp-4.0.0/sbin/exabgp exabgp.conf
sudo env exabgp.debug.configuration=1 exabgp.debug.pdb=1 exabgp.daemon.user=root exabgp-4.0.0/sbin/exabgp exabgp.conf
exabgp ./exabgp.conf
</code>

Links:\\
  * [[https://thepacketgeek.com/exabgp/getting-started/]]
  * [[https://brezular.com/2020/10/01/bgp-flowspec-on-arista-veos/]]
  * [[https://github.com/Exa-Networks/exabgp/tree/master]]
  * [[https://vincent.bernat.ch/en/blog/2013-exabgp-highavailability]]
  * [[https://blog.sflow.com/2017/07/real-time-ddos-mitigation-using-sflow.html]]
  * [[https://blog.sflow.com/2017/07/bgp-flowspec-on-white-box-switch.html]]
  * [[https://devangnp.github.io/blog/bgp-flowspec-exabgp/]]
  * [[https://github.com/ancker010/exabgp-flowspec-generator/blob/master/flowspec-generator.py]]

Examples of flowspec messages.
They follow Juniper style:

<code>
'announce route 100.10.0.0/24 next-hop self',
'announce route 200.20.0.0/24 next-hop self',
'announce flow route { match { destination 172.16.0.0/24; } then { discard; } }',
</code>
\\
DDOS protection with RTBH and flowspec: [[https://drive.google.com/file/d/1jcIYvboHmFWF5FlcNQK5HXKIH1Ij91xn/view?usp=sharing|External_Link]]\\
{{:network_stuff:rtbh-and-flowspec.jpg?600|}}\\
Anycast can also be used to prevent inter-region ddos (Cloudflare):\\
{{:network_stuck:anycast-for-ddos.jpg?300|}}
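Building the Juniper-style messages above programmatically, and seeing how the rate action is carried in an extended community, as an added example (not code from this page, from ExaBGP or from sFlow-RT). It assumes the ExaBGP 4.x text syntax ''announce flow route { match { ... } then { ... } }'' that a ''process'' writes to stdout (or that is passed to ''exabgpcli''), with ''discard'', ''rate-limit <bytes/s>'' and ''redirect asn:value'' as actions, and the RFC 5575 traffic-rate extended community layout (type 0x80, sub-type 0x06, 2-octet AS, 4-octet IEEE float in bytes per second, rate 0 = drop). The sample match is constructed from the Junos ''inetflow.0'' entry shown above (UDP from source port 53, 450-600 byte packets, towards 4.4.4.4), which is what a DNS amplification mitigation rule looks like; the helper names are this example's own.

```python
"""Build ExaBGP FlowSpec API commands and encode the RFC 5575 traffic-rate action.

Added example, not ExaBGP's or sFlow-RT's code. Assumes the ExaBGP 4.x text
syntax 'announce flow route { match { ... } then { ... } }' that a "process"
writes to stdout (or that is handed to exabgpcli).
"""
import ipaddress
import re
import struct

PROTOCOLS = {"tcp", "udp", "icmp"}
# ExaBGP numeric match syntax, e.g. "=53" or ">=450&<=600"
NUMERIC_MATCH = re.compile(r"(?:[=<>!]{0,2}\d+)(?:&[=<>!]{0,2}\d+)*")
# RFC 5575 section 7: traffic-rate extended community = type 0x80, sub-type 0x06,
# 2-octet AS (informational only), 4-octet IEEE float in bytes per second.
TRAFFIC_RATE_TYPE, TRAFFIC_RATE_SUBTYPE = 0x80, 0x06


def _numeric(key, value, upper=65535):
    """Validate an operator/value expression and keep every number in range."""
    if not NUMERIC_MATCH.fullmatch(value):
        raise ValueError(f"{key}: bad match expression {value!r}")
    for n in re.findall(r"\d+", value):
        if int(n) > upper:
            raise ValueError(f"{key}: value {n} exceeds {upper}")
    return f"{key} {value};"


def build_flow_command(match, action, withdraw=False):
    """Return one ExaBGP API line for a FlowSpec rule.

    match:  dict with keys among destination, source, protocol, source-port,
            destination-port, packet-length (values in ExaBGP operator syntax)
    action: ("discard",) | ("rate-limit", bytes_per_second) | ("redirect", "asn:value")
    """
    if not ({"destination", "source"} & match.keys()):
        raise ValueError("a FlowSpec rule needs a destination or source prefix")
    parts = []
    for key in ("destination", "source"):
        if key in match:
            ipaddress.ip_network(match[key], strict=True)  # rejects host bits / garbage
            parts.append(f"{key} {match[key]};")
    if "protocol" in match:
        if match["protocol"] not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {match['protocol']!r}")
        parts.append(f"protocol {match['protocol']};")
    for key in ("source-port", "destination-port", "packet-length"):
        if key in match:
            parts.append(_numeric(key, match[key]))

    kind = action[0]
    if kind == "discard":
        then = "discard;"
    elif kind == "rate-limit":
        bps = int(action[1])
        if bps < 0:
            raise ValueError("rate-limit must be >= 0 bytes/s (0 drops everything)")
        then = f"rate-limit {bps};"
    elif kind == "redirect":
        if not re.fullmatch(r"\d+:\d+", action[1]):
            raise ValueError("redirect target must look like asn:value")
        then = f"redirect {action[1]};"
    else:
        raise ValueError(f"unknown action {kind!r}")

    verb = "withdraw" if withdraw else "announce"
    return f"{verb} flow route {{ match {{ {' '.join(parts)} }} then {{ {then} }} }}"


def encode_traffic_rate(asn, bytes_per_second):
    """Wire form of the traffic-rate extended community (rate 0.0 means drop)."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("traffic-rate carries a 2-octet AS number")
    if bytes_per_second < 0:
        raise ValueError("rate must be non-negative")
    return struct.pack("!BBHf", TRAFFIC_RATE_TYPE, TRAFFIC_RATE_SUBTYPE,
                       asn, float(bytes_per_second))


def decode_traffic_rate(blob):
    """Inverse of encode_traffic_rate; returns (asn, bytes_per_second)."""
    typ, sub, asn, rate = struct.unpack("!BBHf", blob)
    if (typ, sub) != (TRAFFIC_RATE_TYPE, TRAFFIC_RATE_SUBTYPE):
        raise ValueError("not a traffic-rate extended community")
    return asn, rate


# Constructed from the Junos inetflow.0 entry above: UDP from source port 53
# towards 4.4.4.4 with 450-600 byte packets, i.e. a DNS amplification signature.
DNS_AMP_MATCH = {
    "destination": "4.4.4.4/32",
    "protocol": "udp",
    "source-port": "=53",
    "packet-length": ">=450&<=600",
}

if __name__ == "__main__":
    print(build_flow_command(DNS_AMP_MATCH, ("discard",)))
    print(build_flow_command(DNS_AMP_MATCH, ("rate-limit", 12500)))
    print(build_flow_command(DNS_AMP_MATCH, ("discard",), withdraw=True))
    # Junos showed "traffic-rate:0:0" for the discard: AS 0, rate 0.0
    print(encode_traffic_rate(0, 0).hex())
```

Each returned line is what the ''process'' writes to stdout for ExaBGP to advertise; the ''withdraw'' form is the one to send when the attack stops, so the rule does not stay in the routers' PBR tables. The validator refuses prefixes with host bits and port or length values above 65535 before anything reaches the BGP session, which is where a mitigation controller most often goes wrong.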