
FLOWSPEC IN CISCO NCS5500 https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKSPG-3012.pdf

show bgp ipv4 flowspec summary    ! To see the current flowspec established sessions
!
show flowspec afi-all detail      ! To see what flowspec rules are currently applied
AFI: IPv4
Flow :Dest:25.1.102.1/32,Proto:=17,Length:>=500&<=1550
Actions :Nexthop: 25.3.9.3 (bgp.1)
Statistics (packets/bytes)
Matched : 0/0
Dropped : 0/0
!
show policy-map transient type pbr pmap-name __bgpfs_default_IPv4
policy-map type pbr __bgpfs_default_IPv4
handle:0x36000002
table description: L3 IPv4 and IPv6
class handle:0x7600000a sequence 1024
match source-port 80
police rate 314152 bps
conform-action transmit
exceed-action drop

Vanilla configuration CSR1000v

router bgp 65000
 bgp router-id 10.10.10.1
 bgp log-neighbor-changes
 neighbor 10.10.11.143 remote-as 65000
 !
 address-family ipv4 flowspec
  neighbor 10.100.11.143 activate
  neighbor 10.100.11.143 send-community both
 exit-address-family
 !

FLOWSPEC NOTES RFC 5575

FlowSpec lets you filter (apply actions to) specific flows instead of penalising whole prefix ranges.
The actions to apply are transmitted over a BGP session from a controller, which tells the router what to filter (AFI 1 / SAFI 133 for IPv4).
More specifically, the match criteria travel in the NLRI and the actions are encoded as BGP extended communities (e.g. traffic-rate, traffic-action, redirect).

  • We use exabgp to send and receive flowspec messages over the BGP connection.
  • In this article we can see the full chain: flowspec BGP message > ACL > iptables rules.
    • However, it takes for granted that we already know how to generate and send flowspec messages.
      • The message was sent by sFlow-RT/exabgp. More info here
  • flowspec and containerlab: External Link

Flowspec in junos:

> show route table inetflow.0 extensive
inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
4.4.4.4,*,proto=17,srcport=53,len>=450&<=600/term:1 (1 entry, 1 announced)
TSI:
KRT in dfwd;
Action(s): discard,count
Page 0 idx 0, (group ArborSP type Internal) Type 1 val a3be258 (adv_entry)
  Advertised metrics:
    Nexthop: Self
    Localpref: 100
    AS path: [65530] ?
    Communities: 65530:100 65530:134 no-export traffic-rate:0:0
    Cluster ID: 192.168.252.12
    Originator ID: 10.2.25.68
  Advertise: 000006f7
Path 4.4.4.4,*,proto=17,srcport=53,len>=450&

EXABGP NOTES:

The exabgp API accepts the commands listed below; they can be entered either from a Python script writing to stdout (exabgp runs the script as a process and listens to it) or directly via exabgpcli.
Ways to start exabgp:

sudo env exabgp.daemon.user=root exabgp-4.0.0/sbin/exabgp exabgp.conf
sudo env exabgp.debug.configuration=1 exabgp.debug.pdb=1 exabgp.daemon.user=root exabgp-4.0.0/sbin/exabgp exabgp.conf
exabgp ./exabgp.conf

Links:

Examples of flowspec messages as exabgp API commands. They follow the Juniper style:

'announce route 100.10.0.0/24 next-hop self',
'announce route 200.20.0.0/24 next-hop self',
'announce flow route { match { destination 172.16.0.0/24; } then { discard; } }',
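An added example (not from the original page or from exabgp itself) that generates these API commands from structured rules and writes them to stdout the way an exabgp process script does, using the two flows shown in the NCS5500 and Junos output above as constructed sample input. The exabgp text syntax (`protocol udp;`, `packet-length >=500&<=1550;`, `rate-limit 0;`) is assumed from the exabgp 4 API; check it against your version.

```python
import re
import sys
import time
from dataclasses import dataclass
from typing import Optional

# Numeric match terms in the exabgp text API carry explicit operators,
# e.g. "=53" or ">=500&<=1550" (assumed syntax; check your exabgp version).
_NUM_EXPR = re.compile(r"^(?:[<>]=?|!=|=)\d+(?:&(?:[<>]=?|!=|=)\d+)*$")

@dataclass
class FlowRule:
    destination: str                     # prefix to protect, e.g. "25.1.102.1/32"
    protocol: Optional[str] = None       # "udp", "tcp", ...
    source_port: Optional[str] = None    # operator expression, e.g. "=53"
    packet_length: Optional[str] = None  # operator expression, e.g. ">=500&<=1550"
    action: str = "discard"              # "discard" or "rate-limit <bytes/s>"

    def _match(self) -> str:
        terms = [f"destination {self.destination};"]
        if self.protocol:
            terms.append(f"protocol {self.protocol};")
        for key, expr in (("source-port", self.source_port),
                          ("packet-length", self.packet_length)):
            if expr is not None:
                if not _NUM_EXPR.match(expr):
                    raise ValueError(f"bad numeric match for {key}: {expr!r}")
                terms.append(f"{key} {expr};")
        return " ".join(terms)

    def command(self, verb: str = "announce") -> str:
        """Render one API line; verb is 'announce' or 'withdraw'."""
        if verb not in ("announce", "withdraw"):
            raise ValueError(f"unknown verb {verb!r}")
        return (f"{verb} flow route {{ match {{ {self._match()} }} "
                f"then {{ {self.action}; }} }}")

# Constructed samples: the UDP/length rule from the NCS5500 output and the
# src-port 53 rule from the Junos output (rate-limit 0 is traffic-rate:0:0, i.e. discard).
SAMPLE_RULES = [
    FlowRule("25.1.102.1/32", protocol="udp", packet_length=">=500&<=1550"),
    FlowRule("4.4.4.4/32", protocol="udp", source_port="=53",
             packet_length=">=450&<=600", action="rate-limit 0"),
]

def emit(rules, out=sys.stdout) -> int:
    """Write one command per line and flush: exabgp reads the process's stdout."""
    for rule in rules:
        out.write(rule.command() + "\n")
    out.flush()
    return len(rules)

if __name__ == "__main__":
    emit(SAMPLE_RULES)
    while True:  # stay alive; when the process exits exabgp withdraws its routes
        time.sleep(60)
```

Run it as an exabgp `process` (or pipe its output into exabgpcli) and confirm the rules with `show flowspec afi-all detail` / `show route table inetflow.0` on the receiving router.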


DDOS protection with RTBH and flowspec: External_Link

Anycast can also be used to absorb inter-region DDoS (Cloudflare):
