Future of Digital Security

The Global Potential of BGP Flowspec: How Adopting The Underutilized Networking Tool Can Help Our DDoS Problem

By Sarah Powazek and Michael Steckler on October 29, 2020

As distributed denial-of-service (DDoS) attacks continue to threaten our networks in increasing size and severity, an underused networking tool, BGP Flowspec, shows promise for DDoS mitigation.

Currently, large ISPs are rarely severely impacted by DDoS attacks, as their resources and technical knowledge enable them to handle attacks without major service disruption. Lacking the same resources, small ISPs largely rely on Remotely Triggered Black Holes (RTBH) to mitigate DDoS attacks. With RTBH, the attacked network announces the victim address (typically a /32 host route) to its upstream tagged with a blackhole community, and the upstream drops all traffic to that address at its own edge, before it crosses the link. The attack traffic stops, but so does everything else: the only match criterion is the destination, so the victim's servers are completely unreachable until the announcement is withdrawn, which usually means until the attack stops.

BGP Flowspec, standardized in 2009 as RFC 5575 but still lightly deployed, enables a tuneable approach to DDoS mitigation. A Flowspec rule is carried in BGP like a route, but instead of a prefix it describes a traffic flow by header fields (destination and source prefix, IP protocol, source and destination ports, packet length, DSCP, TCP flags) and attaches an action: drop, rate-limit, redirect into a separate VRF for scrubbing or analysis, remark DSCP, or sample and monitor. Because attack traffic is usually distinguishable by protocol and port (a DNS or NTP reflection flood, for example, arrives as UDP from source port 53 or 123), the rule can discard or throttle just that traffic at the ISP edge while the rest of the victim's traffic keeps flowing. When full DDoS mitigation is not possible, Flowspec can still preserve partial availability, which improves on the service blackout of RTBH.
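To make the difference between the two mechanisms concrete, the following is an added example (not code from the article, from IST, or from any vendor) that encodes Flowspec rules in the RFC 5575 wire format, encodes the drop / rate-limit / sample / redirect / mark actions as the extended communities the specification defines, and places an RTBH announcement beside them for contrast. The AS number 64500, the 192.0.2.0/24 and 203.0.113.0/24 addresses, the attack scenario and the pre-push sanity policy in `rule_warnings` are constructed for illustration and are not from the page.

```python
"""BGP Flowspec rules on the wire (RFC 5575 encoding) next to an RTBH
announcement. Added, constructed example; not code from the article or IST."""
import ipaddress
import struct

# Flowspec component types; they must appear in ascending order in the NLRI.
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
TCP, UDP, BGP_PORT = 6, 17, 179


def _prefix_component(ctype, cidr):
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8            # only the significant octets
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, values):
    """OR-list of '== value' matches. Operator byte: bit7 end-of-list, bit6 AND,
    bits5-4 value length (00=1, 01=2, 10=4 bytes), bits2-0 lt/gt/eq."""
    out = bytes([ctype])
    for i, v in enumerate(values):
        length_code, fmt = (0, ">B") if v < 0x100 else (1, ">H") if v < 0x10000 else (2, ">I")
        op = (length_code << 4) | 0x01                       # eq
        if i == len(values) - 1:
            op |= 0x80                                       # end-of-list
        out += bytes([op]) + struct.pack(fmt, v)
    return out


def flowspec_nlri(rule):
    """rule: dict with optional keys dst, src (CIDR), proto (int), dst_ports, src_ports."""
    comps = b""
    if rule.get("dst"):
        comps += _prefix_component(DST_PREFIX, rule["dst"])
    if rule.get("src"):
        comps += _prefix_component(SRC_PREFIX, rule["src"])
    if rule.get("proto") is not None:
        comps += _numeric_component(IP_PROTO, [rule["proto"]])
    if rule.get("dst_ports"):
        comps += _numeric_component(DST_PORT, list(rule["dst_ports"]))
    if rule.get("src_ports"):
        comps += _numeric_component(SRC_PORT, list(rule["src_ports"]))
    if len(comps) < 240:                                     # 1-byte length
        return bytes([len(comps)]) + comps
    return struct.pack(">H", 0xF000 | len(comps)) + comps    # 2-byte length


# Actions are BGP extended communities (8 bytes each).
def action_rate_limit(asn, bytes_per_sec):
    """traffic-rate (0x8006): float32 bytes/s; a rate of 0 is the 'drop' action."""
    return struct.pack(">BBH", 0x80, 0x06, asn) + struct.pack(">f", float(bytes_per_sec))


def action_drop(asn):
    return action_rate_limit(asn, 0)


def action_sample(terminal=False):
    """traffic-action (0x8007): S bit = sample/log, T bit = stop at this rule."""
    return struct.pack(">BB", 0x80, 0x07) + b"\x00" * 5 + bytes([0x02 | int(terminal)])


def action_redirect_vrf(asn, local):
    """redirect (0x8008): steer matches into VRF ASN:local, e.g. a scrubbing VRF."""
    return struct.pack(">BBHI", 0x80, 0x08, asn, local)


def action_mark_dscp(dscp):
    """traffic-marking (0x8009): rewrite DSCP so the flow is deprioritised, not dropped."""
    return struct.pack(">BB", 0x80, 0x09) + b"\x00" * 5 + bytes([dscp & 0x3F])


# RTBH for contrast: a /32 tagged BLACKHOLE (RFC 7999, 65535:666). The only
# "match" is the destination, so the victim's legitimate traffic dies too.
BLACKHOLE_COMMUNITY = struct.pack(">HH", 65535, 666)


def rtbh_announcement(victim_ip):
    return {"prefix": f"{victim_ip}/32", "community": BLACKHOLE_COMMUNITY.hex()}


def rule_warnings(rule):
    """Pre-push sanity check (hypothetical policy, not from the article): flag
    rules that match everything, cover more than a /24, or can hit BGP itself."""
    warnings = []
    if not rule.get("dst"):
        warnings.append("no destination prefix: rule matches all traffic")
    elif ipaddress.ip_network(rule["dst"]).prefixlen < 24:
        warnings.append("destination broader than /24")
    ports = set(rule.get("dst_ports", ())) | set(rule.get("src_ports", ()))
    if rule.get("proto") in (None, TCP) and (BGP_PORT in ports or not ports):
        warnings.append("rule can match BGP sessions (TCP/179)")
    return warnings


if __name__ == "__main__":
    asn = 64500
    # Constructed scenario: DNS reflection flood (UDP, source port 53) at 192.0.2.10.
    dns_reflection = {"dst": "192.0.2.10/32", "proto": UDP, "src_ports": (53,)}
    print("flowspec NLRI:", flowspec_nlri(dns_reflection).hex())
    print("drop:         ", action_drop(asn).hex())
    print("10 Mbit/s cap:", action_rate_limit(asn, 1_250_000).hex())
    print("sample:       ", action_sample().hex())
    print("RTBH instead: ", rtbh_announcement("192.0.2.10"))
    print("warnings:     ", rule_warnings({"dst": "192.0.0.0/16", "proto": TCP}))
```

The NLRI for the DNS-reflection rule is thirteen bytes: a length octet, the /32 destination component, `proto == 17`, and `source port == 53`. Pairing it with `action_drop` discards only UDP traffic from port 53 to the victim, while pairing it with `action_rate_limit(asn, 1_250_000)` caps that traffic at 10 Mbit/s; the RTBH announcement, by contrast, carries no match beyond the destination. The `rule_warnings` policy is the kind of guard an operator would run before a rule leaves the provisioning system, since a rule broad enough to match the network's own BGP sessions will be installed on every router that accepts it.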

For maximum effectiveness, some anti-DDoS solutions — including BGP Flowspec — require the participation of major network operators. This is no easy feat: industry dynamics, hardware limitations, and the prevalence of aging hardware in current infrastructure slow the adoption of newer protocols and capabilities. Other factors further hamper networking progress, including an industry skills gap and a bias towards stability and availability over innovation. Beyond this, network operators rarely come to consensus on the use of any technology, let alone Flowspec.

Industry reluctance to jump into new networking arrangements is understandable. A major outage at CenturyLink (now Lumen) on August 30, 2020 was caused by pushing a misconfigured Flowspec announcement. Flowspec rules are installed as packet filters on every router that accepts them, propagating as fast as any BGP update, so a bad rule fails network-wide rather than on a single device; validating rules before they are pushed, and restricting which peers are allowed to send them, matters as much as the capability itself. Incidents like these underscore the importance of proper training, implementation, and maintenance of tools like Flowspec, which can only be successful with human and institutional support. That process can be a real operational burden, particularly for small ISPs, and will take dedicated effort to become economically feasible for them as well.

To promote global Flowspec adoption, we must work to make the process feasible for small and resource-constrained ISPs. One promising example of community routing collaboration is the Unwanted Traffic Removal Service (UTRS) offered and maintained by Team Cymru, a free community tool that handles RTBH services for any network operator. Though this service is most appealing for resource-constrained ISPs, Team Cymru also encourages the participation of larger providers “to help smaller networks apply business appropriate policies to defend their assets.” 

James Shank, Chief Architect of Community Services for Team Cymru, says they plan to implement Flowspec support in UTRS v2.0, which they hope to launch in the first half of 2021. “I believe this will enable networks around the world to mitigate DDoS attacks in an efficient, targeted, and no-cost way,” says Shank, who thinks that the burdens of running a network on today’s internet are already substantial. “I hope our tools help the current network operators and the next generation of networks build access and competition in all regions of the world. Network operators should not need to pay ransoms or mitigation service providers simply for their ability to stay connected.”

Though increasing adoption of Flowspec is a difficult task, it can have a real impact on DDoS mitigation if it is prioritized in the security community and supported by business leaders. This is not just an issue for small ISPs; gaps in global efforts to block malicious traffic affect many industry players, and subsequently many internet users. The continued existence of DDoS attacks harms us all, but together, we can mitigate the damage regardless of which network is attacked. 

It is this global collaborative challenge that motivates the Institute for Security and Technology’s (IST) broader efforts to support the Infosec community in DDoS mitigation. We have been able to pinpoint many of the technical and market barriers that stand in the way of increased BGP Flowspec adoption, and IST will continue to bridge gaps in industry and government so that networking innovations can reach their full potential.