Hi,

Juniper's BGP implementation has an address family called flow. Interestingly, Juniper implemented this (or at least documented it) well before the BGP FLOWSPEC RFC was standardized. The crux of the topic is DDoS mitigation.

Two main perspectives, proactive and reactive (from the service provider's perspective):

a. The customer signals the DDoS to the SP automatically through routing updates

b. The customer informs the SP of the DDoS, and the service provider then acts on it on its own

Juniper Documentation:

http://www.juniper.net/documentation/en_US/junos15.1/topics/example/routing-bgp-flow-specification-routes.html

Coming to the sample topology: an inter-domain DDoS mitigation example

Topology

 

Requirement / ask: the customer finds that 3.3.3.3/32 is taking a massive ICMP hit and wants to block it temporarily, while other services such as Telnet should remain operational.

Let's quickly look at the current state of operations with defaults.

BGP between R1 and R2 and between R2 and R3 looks fine, and both ping and telnet work; no problems there.

1_vmx_bgp

Enabling family flow between the SP routers R1 and R2, and on the PE-CE session between R2 and R3

2_bgp_flow

Enabling flow on the customer router under routing options

3_routing_options

Advertising the route

4_advertising_routes

Let's test the result on R1

5_view_on_r1

As we can see, the ping is now blocked. You can also see the communities, and protocol 1 is advertised in inet-flow, which indicates that ICMP is being blocked.

6_ping_block_telnet

Let's see the final view on R2: we can see that a firewall filter has been installed automatically for the control plane for R1/R2/R3 on all incoming interfaces, blocking traffic as per the requirement.

7_fw_filter_on_controlplane

 

This is an attempt to understand the flow-spec feature; it is vast and has many knobs to deal with.

 

Regards

Rakesh M

 
