
BGP FlowSpec


RASCOM offers its customers a set of tools for protecting their networks against different types of attacks and their consequences. The solution is based on an extension of the BGP FlowSpec protocol that allows the customer to dramatically reduce the harmful effect of an attack on its network. In addition, the customer is given a series of tools for blocking undesired traffic within RASCOM's network so that it does not propagate into the customer's own network: black-holing (BGP blackhole community), on-demand control of traffic filtering at the customer's interface, a customer's personal account for independently managing the FlowSpec filtering rules, a connection to the BGP FlowSpec controller for filtering in automatic mode, and statistics on how the FlowSpec rules are performing.


Technical implementation


On RASCOM's network, the BGP FlowSpec protocol (RFC 5575) is fully deployed as an additional protection measure. It makes it possible to cut off traffic of those protocols and/or packet types that are not used on the customer's network and are used in DDoS attacks.

Attack traffic is filtered at the circuit and hardware-resource level of RASCOM's backbone network, directly on all of our backbone routers. Traffic that matches the rules sent over BGP FlowSpec is either dropped or rate-limited. The remaining traffic (not covered by the BGP FlowSpec rules) is passed unaffected.


Customer's personal account


To set up filtering rules, a web interface is provided in the customer's personal account. It is intended for customers who are unable to send BGP FlowSpec rules from their own networks, as well as for those whose networks do not use BGP routing.

The account also provides statistics on the use of the filtering rules, which make it possible to assess the effectiveness of the protection measures.


BGP blackhole


As an additional measure against attacks, the standard BGP blackhole community mechanism is also used. The BGP blackhole mechanism (destination-based RTBH) is implemented using a BGP community for /32 prefixes. That is, upon detecting harmful traffic (an attack) directed at a host (IP address) on the customer's network, the customer can announce that host's prefix (/32) to RASCOM over BGP with the special blackhole community 20764:6666, and traffic toward that host will be dropped at RASCOM's network border by all backbone routers.
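A pre-announcement check for the blackhole routes described above, as an added example that is not RASCOM's code. The function name, the customer prefixes (documentation ranges) and the sample routes are constructed assumptions; only the /32 requirement and the community 20764:6666 come from the page.

```python
import ipaddress

BLACKHOLE_COMMUNITY = "20764:6666"  # RASCOM blackhole community, as stated on the page

# Assumption: constructed customer allocations (RFC 5737 documentation ranges).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("198.51.100.0/24", "203.0.113.0/24")]


def check_blackhole_announcement(prefix, communities, allowed=CUSTOMER_PREFIXES):
    """Return a list of problems; an empty list means the route may be announced."""
    try:
        # strict=True rejects prefixes with host bits set, e.g. 198.51.100.7/24
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return [f"not a valid prefix: {exc}"]

    problems = []
    # The page describes the mechanism for /32 prefixes (IPv4 host routes).
    if net.version != 4 or net.prefixlen != 32:
        problems.append("blackhole routes must be IPv4 /32 host prefixes")
    # Never blackhole an address that is not part of your own allocation.
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        problems.append("prefix is outside the customer's own address space")
    # Without the community the route is an ordinary announcement, not a blackhole.
    if BLACKHOLE_COMMUNITY not in communities:
        problems.append(f"community {BLACKHOLE_COMMUNITY} is missing")
    return problems


if __name__ == "__main__":
    # Constructed sample announcements: (prefix, attached communities)
    samples = [
        ("198.51.100.7/32", ["20764:6666"]),   # valid blackhole route
        ("198.51.100.0/24", ["20764:6666"]),   # would drop a whole subnet
        ("192.0.2.1/32", ["20764:6666"]),      # not the customer's address
        ("203.0.113.9/32", ["65000:100"]),     # community missing
    ]
    for prefix, communities in samples:
        result = check_blackhole_announcement(prefix, communities)
        print(prefix, "OK" if not result else "; ".join(result))
```

Running such a check before the route is handed to the BGP speaker catches the common operator mistakes: blackholing a whole subnet, or announcing a host route without the community.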


Service Technical Support and ACL installation


Service technical support and ACL installation can be ordered by sending a message to RASCOM's NMC at noc@rascom.ru (phone: +7-812-702-2500). A filter (ACL) based on src/dst IP, protocol and port can be installed on the connecting interface.


The BGP FlowSpec service is available at every Point of Presence of RASCOM's IP network.




Link to BGP FlowSpec Service Presentation



To request the technical and commercial terms of service, please contact the RASCOM Sales Department at +7(812)303-91-70 or +7(495)748-11-00, or by e-mail at zapros@rascom.ru.
