Juniper's BGP implementation has an address family called flow (`family inet flow`). Interestingly, Juniper implemented this (or at least documented it) well before the BGP FlowSpec RFC was standardized. The crux of the feature is DDoS mitigation.

Two main perspectives, proactive and reactive (from the service provider's point of view):

a. The customer informs the SP of a DDoS automatically through routing updates.

b. The customer informs the SP of a DDoS, and the service provider then acts on it on their own.

Juniper Documentation:


Coming to the sample topology: INTERDOMAIN DDOS MITIGATION EXAMPLE



Requirement / ask: the customer finds that it is taking a massive hit of ICMP traffic and wants to block it temporarily, while other services such as telnet should remain operational and functional.

Let's quickly look at the current state of operations with everything at its defaults.

BGP between R1 and R2, and between R2 and R3, looks fine; ping is reachable and so is telnet, so no problems there.


Enabling family flow between the SP routers R1 and R2, and on the PE-CE session between R2 and R3


Enabling flow on the customer router under routing-options


Advertising Route
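The three steps above (family flow on the SP and PE-CE sessions, a flow route under routing-options on the customer router, and its advertisement) written out as Junos configuration. This is an added example, not the configuration from the original post's screenshots: the group names, AS number, peer addresses and the victim prefix 198.51.100.0/24 are constructed for illustration, and R3's own BGP group toward R2 is assumed to mirror the PE side shown here.

```junos
/* SP routers R1 and R2, and PE R2 toward CE R3: negotiate the flow AFI/SAFI
   on top of unicast. Addresses and group names are constructed for this example. */
protocols {
    bgp {
        group sp-core {
            type internal;
            local-address 10.0.0.2;
            family inet {
                unicast;
                flow;
            }
            neighbor 10.0.0.1;
        }
        group customer-r3 {
            type external;
            peer-as 65003;
            family inet {
                unicast;
                flow;
            }
            neighbor 192.0.2.1;
        }
    }
}

/* Customer router R3: originate a flow route that drops ICMP (IP protocol 1)
   toward its own prefix. Nothing else is matched, so TCP/23 (telnet) and all
   other traffic to the prefix continue to be forwarded. */
routing-options {
    flow {
        route block-icmp {
            match {
                /* victim prefix, constructed */
                destination 198.51.100.0/24;
                /* equivalent to protocol 1 */
                protocol icmp;
            }
            then {
                discard;
            }
        }
    }
}
```

Once committed on R3, the flow route shows up in the inetflow.0 table on each flow-capable peer (`show route table inetflow.0 extensive`), and the dynamically installed filter can be inspected with `show firewall filter __flowspec_default_inet__`. By default Junos validates a received flow route against the unicast route for its destination prefix, so a customer can only install filters for prefixes it itself originates; that validation is what stops one customer from dropping traffic destined to someone else, and it should not be disabled on a PE-CE session.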


Let's test the result on R1


As we can see, ping is now blocked. You can also see the communities, and protocol 1 is advertised in inet-flow, which indicates that ICMP is being blocked.


Let's see the final view on R2: a firewall filter has been installed automatically in the control plane of R1/R2/R3, applied on all incoming interfaces, blocking exactly the traffic the requirement asked for.



This is an attempt to understand the FlowSpec feature; it is vast and has many knobs to deal with.



Rakesh M