What Is BGP FlowSpec?

BGP FlowSpec (Flow Specification), originally defined in RFC 5575 and now specified by RFC 8955 (which obsoletes it), is an extension to the Border Gateway Protocol that distributes traffic filtering rules across your network in BGP UPDATE messages, carried in a dedicated address family (AFI 1, SAFI 133 for IPv4). Instead of announcing a route, you announce a flow rule: a combination of match criteria (source prefix, destination prefix, protocol, port, packet length, etc.) paired with an action (drop, rate-limit, redirect, or mark).

Think of FlowSpec as a distributed ACL (Access Control List) that propagates automatically via BGP. When you inject a FlowSpec rule, every router that receives it, has the FlowSpec address family enabled on the session, and accepts it under its validation policy installs the corresponding filter in its own forwarding plane. BGP only carries the rule; each router enforces it locally. This means you can deploy surgical traffic filtering at scale without logging into every router individually.

FlowSpec was designed specifically with DDoS mitigation in mind. It allows network operators to respond to attacks by filtering only the malicious traffic while allowing legitimate traffic through - a massive improvement over the all-or-nothing approach of BGP blackhole routing.

FlowSpec vs RTBH: Surgical vs Nuclear

The difference between FlowSpec and RTBH (Remotely Triggered Black Hole) routing comes down to precision. RTBH is a blunt instrument: it drops all traffic to a destination IP, including legitimate users. FlowSpec is a scalpel: it drops only the traffic that matches specific criteria.

Approach       What It Drops              Legitimate Users     Complexity
──────────────────────────────────────────────────────────────────────────
RTBH           ALL traffic to target IP   Blocked              Low
FlowSpec       Only matching flows        Unaffected           Medium
Scrubbing      Attack traffic (heuristic) Mostly unaffected    High

Consider a DNS amplification attack hitting your authoritative DNS server at 198.51.100.53. With RTBH, you blackhole 198.51.100.53 and your DNS server goes completely offline - the attacker wins. With FlowSpec, you can write a rule that drops only UDP packets from source port 53 whose IP total length exceeds 512 bytes (the hallmark of amplification replies reflected at you), while legitimate DNS queries continue to flow normally. One check before deploying it: an authoritative-only server never legitimately receives traffic from port 53, but a host that also runs a recursive resolver does, and large EDNS0 or DNSSEC responses would match the same rule. Look at what the target actually receives before picking the packet-length threshold.

FlowSpec is not a replacement for RTBH. When attack volume exceeds your upstream link capacity and cannot be filtered by FlowSpec rules (because the provider does not support FlowSpec or the attack is too generic to filter surgically), RTBH remains the correct response. FlowSpec works best when the attack traffic has identifiable characteristics that distinguish it from legitimate traffic.

FlowSpec Match Criteria

A FlowSpec rule is built from one or more match components, each identified by a type number. RFC 8955 defines the following match fields for IPv4 (RFC 8956 defines the IPv6 equivalents and adds a Type 13 flow-label component):

  • Type 1 - Destination prefix: Match packets destined for a specific IP or subnet (e.g., 198.51.100.0/24).
  • Type 2 - Source prefix: Match packets originating from a specific IP or subnet.
  • Type 3 - IP protocol: Match by protocol number (6 = TCP, 17 = UDP, 1 = ICMP, etc.).
  • Type 4 - Port: Match if either the source or the destination port matches the operand.
  • Type 5 - Destination port: Match on destination port only.
  • Type 6 - Source port: Match on source port only.
  • Type 7 - ICMP type: Match specific ICMP message types.
  • Type 8 - ICMP code: Match specific ICMP codes.
  • Type 9 - TCP flags: Match on TCP flag combinations (SYN, ACK, RST, FIN, etc.).
  • Type 10 - Packet length: Match on the total IP packet length, IP header included, within a size range (useful for amplification attacks).
  • Type 11 - DSCP: Match on Differentiated Services Code Point values.
  • Type 12 - Fragment: Match fragmented packets (first-fragment, last-fragment, is-fragment, dont-fragment).

These match fields can be combined. All components in a rule must match (a logical AND), while the operands inside a single component are OR-ed together unless an operand sets the AND bit; components must be encoded in ascending type order, each type at most once. For example, you can create a rule that matches "UDP packets from source port 53, destined for 198.51.100.53/32, with a packet length greater than 512 bytes." This level of precision is what makes FlowSpec so powerful for DDoS mitigation.

FlowSpec Actions

Once traffic matches a FlowSpec rule, the router applies the actions attached to it, each encoded as a BGP extended community attribute (a rule can carry more than one, for example a rate-limit together with a DSCP mark):

  • Traffic-rate (drop or rate-limit): Cap matching traffic at a rate carried as a 32-bit float in bytes per second (RFC 8955 adds a separate packets-per-second variant). Setting the rate to 0 drops all matching packets; a non-zero value (e.g., 1000 bytes/sec) allows limited traffic through.
  • Traffic-action (terminal/sample): Two flag bits. Sample asks the router to sample or log matching packets; terminal controls whether evaluation continues to the next rule after this one is applied (set: keep evaluating; unset: stop here).
  • Redirect to VRF: Redirect matching traffic to a specific VRF (Virtual Routing and Forwarding instance) for scrubbing or analysis. This is commonly used to send attack traffic to a scrubbing center.
  • Traffic-marking (DSCP): Re-mark the DSCP value of matching packets. Useful for deprioritizing suspected attack traffic without dropping it outright.

Rate-limit vs drop: In many DDoS scenarios, rate-limiting is preferable to a hard drop. If you are unsure whether matched traffic includes some legitimate packets, setting a rate limit (e.g., 10 Kbps, which is 1,250 bytes/sec in the community) allows a trickle through while neutralizing the volumetric impact. You can always tighten the rate to zero once you confirm the rule is matching only attack traffic.
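The extended communities that carry these actions are short enough to encode by hand, which is a useful check when a router reports a rule it received as "unsupported action". This is an added example, not code from the original post or from any BGP implementation; the AS number, route target and rates are constructed sample values, and the layouts follow RFC 8955 section 7.

```python
"""Encoding of FlowSpec action extended communities (RFC 8955 section 7).

Added example, not code from the original post. Every action is an
8-byte BGP extended community: a 2-byte type followed by a 6-byte
value whose layout depends on the action.
"""
import struct

TRAFFIC_RATE_BYTES = 0x8006    # 2-byte AS + IEEE-754 float, bytes per second
TRAFFIC_ACTION = 0x8007        # 6-byte value; only the two low bits are defined
REDIRECT_RT = 0x8008           # route target, 2-byte AS : 4-byte value form
TRAFFIC_MARKING = 0x8009       # DSCP in the low 6 bits of the last byte
TRAFFIC_RATE_PACKETS = 0x800C  # 2-byte AS + float, packets per second


def traffic_rate(bytes_per_second, asn=0):
    """Rate-limit in bytes/second; 0 drops every matching packet.

    The rate is a 32-bit float, so large limits are rounded; the AS
    field is informational and routers generally ignore it.
    """
    if bytes_per_second < 0:
        raise ValueError("rate must be >= 0")
    return struct.pack("!HHf", TRAFFIC_RATE_BYTES, asn, float(bytes_per_second))


def traffic_rate_packets(packets_per_second, asn=0):
    """Same layout as traffic_rate, but the unit is packets/second."""
    if packets_per_second < 0:
        raise ValueError("rate must be >= 0")
    return struct.pack("!HHf", TRAFFIC_RATE_PACKETS, asn, float(packets_per_second))


def traffic_action(terminal=False, sample=False):
    """Bit 47 (0x01) = keep evaluating later rules; bit 46 (0x02) = sample."""
    flags = (0x01 if terminal else 0) | (0x02 if sample else 0)
    return struct.pack("!HIH", TRAFFIC_ACTION, 0, flags)


def redirect_vrf(route_target):
    """Redirect into the VRF that imports route_target, given as 'ASN:value'."""
    asn, value = (int(x) for x in route_target.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFFFFFF):
        raise ValueError("only the 2-byte-AS route target form is encoded here")
    return struct.pack("!HHI", REDIRECT_RT, asn, value)


def traffic_marking(dscp):
    """Rewrite the DSCP field; the value must fit in 6 bits."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return struct.pack("!H5xB", TRAFFIC_MARKING, dscp)


def kbps_to_bytes_per_second(kbps):
    """Convert a link-style kbit/s figure to the bytes/s the community carries."""
    return kbps * 1000 / 8


def decode_rate(community):
    """Inverse of the two rate encoders: returns (type, asn, rate)."""
    ctype, asn, rate = struct.unpack("!HHf", community)
    if ctype not in (TRAFFIC_RATE_BYTES, TRAFFIC_RATE_PACKETS):
        raise ValueError("not a traffic-rate community")
    return ctype, asn, rate


if __name__ == "__main__":
    print("drop           ", traffic_rate(0).hex(" "))
    print("100 Kbps       ", traffic_rate(kbps_to_bytes_per_second(100)).hex(" "))
    print("redirect       ", redirect_vrf("65000:100").hex(" "))
    print("mark DSCP 8    ", traffic_marking(8).hex(" "))
```

The rate community for 100 Kbps comes out as `80 06 00 00 46 43 50 00`: the last four bytes are the float 12500.0, which is why a rule expressed in kilobits must be converted before it is announced.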

When to Use FlowSpec vs RTBH vs Cloud Scrubbing

Each mitigation technique occupies a different position on the precision-vs-capacity spectrum. Choosing the right tool depends on the attack characteristics and your infrastructure.

Use FlowSpec when:

  • The attack traffic has identifiable signatures (specific protocol, port, packet size, or source prefix).
  • You need to keep the target IP online for legitimate users.
  • Attack volume is within your upstream link capacity (FlowSpec filters at the router, so traffic still traverses the link to that point).
  • Your upstream provider or peering routers support FlowSpec.
  • You want automated, programmatic mitigation that deploys in seconds.

Use RTBH when:

  • Attack volume exceeds your link capacity and you need traffic dropped before it reaches your network.
  • The attack is too generic to filter (e.g., legitimate-looking HTTP floods from botnets).
  • You can tolerate taking the target IP offline temporarily.
  • Your provider does not support FlowSpec but does support blackhole communities.

Use cloud scrubbing when:

  • Attack volume exceeds your upstream capacity and you cannot sacrifice the target IP.
  • The attack uses application-layer techniques that require deep packet inspection.
  • You need always-on protection without manual intervention.
  • Budget allows for scrubbing service costs.

FlowSpec Rules in ExaBGP Format

ExaBGP is a popular open-source BGP implementation frequently used for FlowSpec injection. Below are practical rule examples for common DDoS attack types.

Example 1: Dropping a UDP Flood

A UDP flood targeting port 80 on 198.51.100.10 (a web server that serves nothing over UDP/80, so every such packet is attack traffic):

# exabgp.conf — Drop UDP flood to 198.51.100.10:80
neighbor 10.0.0.1 {
    router-id 10.0.0.2;
    local-address 10.0.0.2;
    local-as 65001;
    peer-as 65000;

    # The FlowSpec address family must be negotiated on the session,
    # otherwise the flow routes below are never sent.
    family {
        ipv4 flow;
    }

    flow {
        route drop-udp-flood {
            match {
                destination 198.51.100.10/32;
                protocol udp;
                destination-port =80;
            }
            then {
                rate-limit 0;
            }
        }
    }
}

Example 2: Filtering DNS Amplification

DNS amplification replies are UDP packets from source port 53 with large payloads. This rule drops them (a rate-limit of 0 is a drop) for a server that should never receive port-53 responses. If the host also runs a recursive resolver, large legitimate responses would match too, so rate-limit instead of dropping or narrow the match further:

# exabgp.conf — Filter DNS amplification replies
# (inside the neighbor block, as in Example 1)
flow {
    route filter-dns-amp {
        match {
            destination 198.51.100.53/32;
            protocol udp;
            source-port =53;
            packet-length >512;
        }
        then {
            rate-limit 0;
        }
    }
}

Example 3: Mitigating SYN Flood

A SYN flood sends TCP packets with only the SYN flag set. This rule drops packets to port 443 that have SYN set and ACK clear, so the rest of the handshake and established connections (which carry ACK) are untouched. Be aware that dropping every SYN to 443 also blocks every new legitimate connection to that port: treat it as a short-lived stopgap, add a source prefix when the flood is not spoofed, or rate-limit instead of dropping:

# exabgp.conf — Drop SYN flood to port 443
# (inside the neighbor block, as in Example 1)
flow {
    route drop-syn-flood {
        match {
            destination 198.51.100.10/32;
            protocol tcp;
            destination-port =443;
            tcp-flags [syn !ack];
        }
        then {
            rate-limit 0;
        }
    }
}

Example 4: Redirecting Suspicious Traffic to Scrubbing VRF

Instead of dropping traffic, redirect it to a VRF where a scrubbing appliance can inspect it. The redirect value is a route target: the VRF that imports 65000:100 receives the matching traffic (a placeholder value; use the one configured on your routers):

# exabgp.conf — Redirect NTP amplification to scrubbing VRF
# (inside the neighbor block, as in Example 1)
flow {
    route redirect-ntp-amp {
        match {
            destination 198.51.100.0/24;
            protocol udp;
            source-port =123;
            # monlist replies are exactly 468 bytes of IP total length
            # (440-byte payload + 8 UDP + 20 IPv4); ">468" would miss them
            packet-length >467;
        }
        then {
            redirect 65000:100;
        }
    }
}

Example 5: Rate-Limiting ICMP

Limit ICMP traffic to a reasonable rate instead of dropping it entirely:

# exabgp.conf — Rate-limit ICMP to 100 Kbps
# (inside the neighbor block, as in Example 1)
flow {
    route ratelimit-icmp {
        match {
            destination 198.51.100.0/24;
            protocol icmp;
        }
        then {
            # traffic-rate is carried in bytes per second: 100 Kbps = 12,500 bytes/sec
            rate-limit 12500;
        }
    }
}

Router Compatibility

FlowSpec support varies across router vendors and software implementations. The table below summarizes the landscape at the time of writing; treat it as a starting point and confirm the exact match types and actions against the release notes of the software version you run:

Platform              FlowSpec Support    Notes
───────────────────────────────────────────────────────────────────
Juniper MX Series     Full (IPv4 + IPv6)  Best-in-class; redirect, rate-limit, mark
Cisco IOS-XR          Full (IPv4 + IPv6)  ASR 9000, NCS series; all actions supported
Cisco IOS-XE          Partial (IPv4)      Limited action support; no VRF redirect
Nokia SR OS           Full (IPv4 + IPv6)  7750 SR, 7950 XRS; all actions supported
Arista EOS            Partial (IPv4)      Recent releases; basic drop/rate-limit
ExaBGP                Full (controller)   Injects FlowSpec via BGP; no data-plane
GoBGP                 Full (controller)   Go-based; programmatic API for FlowSpec
BIRD                  Full (IPv4 + IPv6)  Since v2.0; commonly used on Linux routers
OpenBGPD              Partial             Limited FlowSpec support
FRRouting (FRR)       Partial             FlowSpec client; improving rapidly

Upstream provider support matters: Even if your own routers support FlowSpec, your upstream transit provider must also accept FlowSpec announcements for the rules to take effect at the network edge. Many Tier 1 and Tier 2 providers now accept FlowSpec from customers, but always verify with your provider before relying on it for mitigation.

How Flowtriq Implements FlowSpec

Flowtriq integrates FlowSpec as Tier 2 in its 4-level automatic escalation chain. When an attack is detected, Flowtriq does not jump straight to the nuclear option. Instead, it escalates through progressively aggressive mitigation steps:

  1. Tier 1 - Host-level filtering: iptables/nftables rules deployed directly on the target node. Effective for small attacks within server capacity.
  2. Tier 2 - BGP FlowSpec: Surgical filtering rules injected via BGP to upstream routers. Stops attack traffic at the network edge while keeping the target IP fully reachable for legitimate users.
  3. Tier 3 - BGP blackhole (RTBH): Full blackhole of the target IP when FlowSpec cannot contain the attack (e.g., volume exceeds link capacity or traffic is too generic to filter).
  4. Tier 4 - Cloud scrubbing redirect: Traffic diversion to a cloud-based scrubbing service for deep inspection and cleaning.

Automatic FlowSpec Deployment

When Flowtriq detects an attack, its classification engine identifies the attack type, protocol, source characteristics, and packet patterns. If the attack matches a FlowSpec-eligible profile (identifiable protocol, port, or packet-length signature), Flowtriq automatically generates the appropriate FlowSpec rules and injects them via its BGP adapter.

The entire process happens without human intervention:

  1. Flowtriq detects the attack (1-2 seconds).
  2. The attack classifier identifies the type (UDP flood, DNS amplification, SYN flood, etc.).
  3. Flowtriq generates FlowSpec rules based on the attack signature.
  4. Rules are injected via ExaBGP/GoBGP to your upstream routers.
  5. Attack traffic is filtered at the network edge within seconds of detection.
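The injector step of that procedure, as an added example that is not Flowtriq's code and not part of ExaBGP: a classified signature becomes a flow route, rules that are too broad are refused before they reach BGP, and every announced rule carries a deadline after which it is withdrawn (the auto-expire behaviour). The signatures, the /24 and "drop needs more than protocol" policies, and the timestamps are constructed for the example. The one-line "announce flow route { match { ... } then { ... } }" text follows ExaBGP's flow configuration syntax; confirm it against the ExaBGP release you run before piping it to the process.

```python
"""From a classified attack to ExaBGP API lines, with auto-expiry.

Added example, not Flowtriq's code and not part of ExaBGP. The policy
checks (no prefix shorter than /24, no hard drop on prefix+protocol
alone) are assumptions chosen for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AttackSignature:
    kind: str                         # classifier label, e.g. "dns-amp"
    destination: str                  # victim prefix, e.g. "198.51.100.53/32"
    protocol: str                     # "udp", "tcp" or "icmp"
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    min_length: Optional[int] = None  # match IP total length strictly above this
    tcp_flags: Optional[str] = None   # ExaBGP syntax, e.g. "[syn !ack]"


def match_clauses(sig):
    """Render the match block; refuses prefixes shorter than /24 (assumed policy)."""
    net = ipaddress.ip_network(sig.destination)
    if net.prefixlen < 24:
        raise ValueError(f"refusing to filter {net}: prefix shorter than /24")
    clauses = [f"destination {net};", f"protocol {sig.protocol};"]
    if sig.dst_port is not None:
        clauses.append(f"destination-port ={sig.dst_port};")
    if sig.src_port is not None:
        clauses.append(f"source-port ={sig.src_port};")
    if sig.min_length is not None:
        clauses.append(f"packet-length >{sig.min_length};")
    if sig.tcp_flags:
        clauses.append(f"tcp-flags {sig.tcp_flags};")
    return clauses


def is_deployable(sig, rate_bytes_per_second):
    """A hard drop (rate 0) must match on more than prefix + protocol; a
    non-zero rate-limit may be that broad, as in the ICMP example (assumed policy)."""
    try:
        clauses = match_clauses(sig)
    except ValueError:
        return False
    return rate_bytes_per_second > 0 or len(clauses) > 2


def flow_route(sig, rate_bytes_per_second):
    """The '{ match {...} then {...} }' body shared by announce and withdraw."""
    if not is_deployable(sig, rate_bytes_per_second):
        raise ValueError(f"{sig.kind}: rule too broad for a drop")
    match = " ".join(match_clauses(sig))
    return f"{{ match {{ {match} }} then {{ rate-limit {rate_bytes_per_second}; }} }}"


class FlowSpecInjector:
    """Tracks announced rules and their expiry (the 'auto-expire' setting)."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self.active = {}  # rule body -> unix time at which to withdraw it

    def announce(self, sig, rate_bytes_per_second, now):
        """Return the ExaBGP API line; re-announcing refreshes the deadline."""
        body = flow_route(sig, rate_bytes_per_second)
        self.active[body] = now + self.ttl
        return f"announce flow route {body}"

    def expire(self, now):
        """Withdraw lines for every rule whose deadline has passed."""
        lines = []
        for body, deadline in sorted(self.active.items(), key=lambda kv: kv[1]):
            if now >= deadline:
                lines.append(f"withdraw flow route {body}")
                del self.active[body]
        return lines


if __name__ == "__main__":
    injector = FlowSpecInjector(ttl_seconds=1800)
    dns_amp = AttackSignature("dns-amp", "198.51.100.53/32", "udp",
                              src_port=53, min_length=512)
    print(injector.announce(dns_amp, 0, now=1000))      # while the attack runs
    print(injector.expire(now=2800))                     # 1800 s later: withdraw
```

The detection loop would call announce() on every classifier hit (which keeps a live rule's deadline moving forward) and expire() once per second, writing each returned line to ExaBGP's stdin; the withdraw uses exactly the same rule body as the announce, which is what ExaBGP needs to match the NLRI it previously sent.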

Dashboard Configuration

FlowSpec behavior is configured through the Flowtriq dashboard under Mitigation > Auto-Escalation. You can customize:

  • Escalation thresholds: Define at what PPS/BPS level Flowtriq escalates from Tier 1 to Tier 2 (FlowSpec).
  • FlowSpec action: Choose between drop (rate-limit 0), rate-limit to a specific value, redirect to VRF, or DSCP marking.
  • Auto-expire: Set how long FlowSpec rules persist after attack traffic subsides (default: 30 minutes).
  • BGP adapter: Configure the BGP speaker (ExaBGP, GoBGP, or native router) that Flowtriq uses to inject FlowSpec rules.
  • Approval mode: Optionally require human approval before FlowSpec rules are deployed (adds a confirmation step via Slack, PagerDuty, or dashboard notification).

Where FlowSpec Fits in the Escalation Chain

Flowtriq's escalation logic is threshold-based and fully configurable. Here is a typical configuration:

Attack Volume         Mitigation Tier         Action
────────────────────────────────────────────────────────────────
< 100 Kpps            Tier 1 (Host)           iptables/nftables drop rules
100 Kpps - 5 Mpps     Tier 2 (FlowSpec)       Surgical BGP FlowSpec filtering
5 Mpps - 50 Mpps      Tier 3 (RTBH)           BGP blackhole of target IP
> 50 Mpps             Tier 4 (Scrubbing)      Cloud scrubbing redirect

The escalation is bidirectional. When attack volume drops below a tier's threshold for a sustained period (configurable cooldown), Flowtriq automatically de-escalates: removing the blackhole, then removing FlowSpec rules, then removing host-level filters. This prevents stale mitigation rules from blocking traffic after an attack ends.

Smart de-escalation is just as important as fast escalation. A forgotten FlowSpec rule can silently block legitimate traffic for hours or days. Flowtriq monitors traffic continuously and removes mitigation rules when they are no longer needed, logging every action in the audit trail.
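The escalation logic described in the table and the two paragraphs above, as an added example that is not Flowtriq's code: a sample crossing a threshold escalates at once, but de-escalation steps down one tier at a time and only after the rate has stayed below the current tier for a full cooldown, so a bursty attack does not churn rules on and off. The tier bounds are the ones in the table; the 20 Kpps detection floor, the cooldown and the sample stream are constructed.

```python
"""Tier selection with cooldown for a threshold-based escalation chain.

Added example, not Flowtriq's code. Tier 0 means nothing deployed;
tiers 1-4 follow the table above. The detection floor is an assumption.
"""

# (lower bound in packets per second, tier name)
TIERS = [
    (20_000, "host"),          # assumed detection floor, not from the table
    (100_000, "flowspec"),
    (5_000_000, "rtbh"),
    (50_000_000, "scrubbing"),
]


class Escalator:
    def __init__(self, tiers=TIERS, cooldown_seconds=60):
        self.tiers = tiers
        self.cooldown = cooldown_seconds
        self.tier = 0              # 0 = no mitigation; n = index into tiers + 1
        self.below_since = None    # when the rate first fell below the current tier
        self.log = []              # (time, from_tier, to_tier) for the audit trail

    def target_tier(self, pps):
        """Highest tier whose lower bound the sample reaches."""
        tier = 0
        for i, (bound, _) in enumerate(self.tiers, start=1):
            if pps >= bound:
                tier = i
        return tier

    def observe(self, pps, now):
        """Feed one per-second sample; returns the tier that should be active."""
        want = self.target_tier(pps)
        if want > self.tier:                       # escalate immediately
            self._move(now, want)
            self.below_since = None
        elif want < self.tier:                     # de-escalate only after cooldown
            if self.below_since is None:
                self.below_since = now
            elif now - self.below_since >= self.cooldown:
                self._move(now, self.tier - 1)     # one step, then cool down again
                self.below_since = now
        else:                                      # still at the right tier
            self.below_since = None
        return self.tier

    def name(self):
        return "none" if self.tier == 0 else self.tiers[self.tier - 1][1]

    def _move(self, now, new_tier):
        self.log.append((now, self.tier, new_tier))
        self.tier = new_tier


if __name__ == "__main__":
    esc = Escalator(cooldown_seconds=60)
    # constructed sample stream: (time, pps)
    for t, pps in [(0, 1_000), (1, 150_000), (2, 6_000_000), (3, 10_000),
                   (63, 10_000), (64, 200_000), (65, 10_000), (125, 10_000), (185, 10_000)]:
        print(t, pps, esc.observe(pps, t), esc.name())
    print(esc.log)
```

With a 60-second cooldown the sample stream jumps straight from nothing to FlowSpec, then to RTBH, and on the way down removes the blackhole first, FlowSpec 60 seconds later, and host filters after another 60 seconds; the brief 200 Kpps burst at t=64 resets the cooldown without re-escalating, because it is below the RTBH bound but at the FlowSpec tier that is currently active.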

Limitations and Considerations

FlowSpec is powerful, but it is not a silver bullet. Understanding its limitations is critical for effective deployment:

  • Provider support is not universal: Not all transit providers accept FlowSpec announcements from customers. Some accept only RTBH communities. Always verify FlowSpec support with your provider before building mitigation workflows around it.
  • Rule limits: Routers have finite TCAM (Ternary Content-Addressable Memory) for ACL entries. Each FlowSpec rule consumes TCAM space. Providers may limit the number of FlowSpec rules a customer can inject (commonly 50-200 rules).
  • No application-layer filtering: FlowSpec operates at L3/L4 only. It cannot inspect HTTP headers, TLS SNI, or payload content. Application-layer DDoS attacks (e.g., HTTP floods from botnets using legitimate-looking requests) require scrubbing or WAF solutions.
  • Traffic must reach the FlowSpec-enforcing router: If attack volume exceeds the capacity of the link between you and the FlowSpec-enforcing router, the traffic still saturates that link. FlowSpec is most effective when enforced at the provider edge, upstream of your network.
  • Validation rules: RFC 8955 (refined by RFC 9117) requires a receiving router to accept a FlowSpec rule only if the originator of the rule also originates the best-match unicast route for the destination prefix, unless local policy (typically on iBGP or a trusted customer session) disables the check. A rule that fails validation is discarded with no error returned to the sender, so a misconfigured rule can be silently rejected; announce the covering unicast route first and check the router's FlowSpec table after injecting.
  • IPv6 FlowSpec maturity: While RFC 8956 defines IPv6 FlowSpec, vendor support is less mature than IPv4. Test thoroughly in your environment before relying on IPv6 FlowSpec for production mitigation.
  • Potential for false positives: Overly broad FlowSpec rules can drop legitimate traffic. Always start with narrow, specific match criteria and widen only if necessary.

Getting Started

FlowSpec transforms DDoS mitigation from an all-or-nothing blackhole into a surgical operation. Combined with Flowtriq's per-second detection and automatic escalation, FlowSpec rules deploy within seconds of attack detection - filtering only the malicious traffic while legitimate users continue uninterrupted.

To start using FlowSpec with Flowtriq, you need a BGP adapter (ExaBGP or GoBGP), a FlowSpec-capable upstream router or transit provider, and a Flowtriq node monitoring your traffic. The dashboard walks you through adapter configuration and escalation policy setup.

Get started with Flowtriq's free 7-day trial to add automated FlowSpec mitigation to your DDoS defense toolkit.
