BGP Flow Spec support (RFC 5575) has arrived in FastNetMon!

Hello, folks!

We have added a second killer feature! From now on we can block only the attacker's traffic towards a specific host in your subnet, using BGP Flow Spec.

Yes! We no longer have to blackhole the whole host! We only block the attack traffic!

We have full support for mitigating the most popular attack types:
– DNS amplification (we drop all UDP traffic with source port 53)
– NTP amplification (we drop all UDP traffic with source port 123)
– SSDP amplification (we drop all UDP traffic with source port 1900)
– SNMP amplification (we drop all UDP traffic with source port 161)

Please use this reference if you are interested in the details.

Please keep in mind that the rules we deploy via BGP Flow Spec are discard ("reject") rules: matching packets are dropped outright, not rate-limited. Because the match is on UDP source port towards the victim, legitimate replies from that port (for example real DNS answers to the attacked host) are dropped too for as long as the rule is announced.

If you enable pcap capture and DPI processing, you will also get the Flow Spec announces (in Juniper/ExaBGP format) in the log file, free of charge.

Here is an example announce for a DNS amplification attack against the host 10.10.11.2 (UDP packets with source port 53 destined to that host are discarded):

flow route destination 10.10.11.2/32 protocol [ udp ] source-port [ =53 ] discard
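To make the mapping from the attack types listed above to the announce shown here concrete, below is an added example (written for this post, not FastNetMon's own code) that builds the same one-line ExaBGP/Juniper-style discard rule for any of the four amplification vectors, refuses to build a rule for a host outside the prefixes you operate, and parses a rule back so you can check what is about to be announced. The attack keys, the helper names and the "our networks" list are assumptions for illustration.

```python
import ipaddress
import re

# UDP source ports of the amplification vectors the post lists.
# The short keys are labels chosen for this example, not FastNetMon identifiers.
AMPLIFICATION_SOURCE_PORTS = {
    "dns": 53,
    "ntp": 123,
    "ssdp": 1900,
    "snmp": 161,
}

# One-line format used in the post: match on destination host, protocol and
# exact source port, then discard.
RULE_RE = re.compile(
    r"^flow route destination (?P<dst>\S+) protocol \[ (?P<proto>\w+) \] "
    r"source-port \[ =(?P<sport>\d+) \] (?P<action>discard)$"
)


def flowspec_discard_rule(victim_ip, attack, our_networks):
    """Return a Flow Spec rule discarding UDP traffic from the amplifier's
    source port towards a single victim host.

    victim_ip    - attacked host, as a string
    attack       - key of AMPLIFICATION_SOURCE_PORTS
    our_networks - prefixes we are allowed to announce rules for (assumed to be
                   the same list you hand to FastNetMon as monitored networks)
    """
    if attack not in AMPLIFICATION_SOURCE_PORTS:
        raise ValueError(f"unsupported attack type: {attack!r}")
    host = ipaddress.ip_address(victim_ip)  # ValueError on garbage input
    if host.version != 4:
        raise ValueError("RFC 5575 Flow Spec is IPv4 only")
    # Never push a discard rule for an address we do not own: a typo here
    # would otherwise drop someone else's traffic on every router that trusts us.
    if not any(host in ipaddress.ip_network(net) for net in our_networks):
        raise ValueError(f"{victim_ip} is not inside our networks, refusing")
    port = AMPLIFICATION_SOURCE_PORTS[attack]
    return (f"flow route destination {host}/32 protocol [ udp ] "
            f"source-port [ ={port} ] discard")


def is_announceable(victim_ip, attack, our_networks):
    """True if flowspec_discard_rule() would accept these arguments."""
    try:
        flowspec_discard_rule(victim_ip, attack, our_networks)
    except ValueError:
        return False
    return True


def parse_flowspec_rule(line):
    """Parse a rule in the one-line format above into its match fields."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a rule in the expected one-line format")
    return {
        "destination": m["dst"],
        "protocol": m["proto"],
        "source_port": int(m["sport"]),
        "action": m["action"],
    }


if __name__ == "__main__":
    # Constructed sample: the victim from the post, inside an assumed /24.
    networks = ["10.10.11.0/24"]
    for attack in AMPLIFICATION_SOURCE_PORTS:
        rule = flowspec_discard_rule("10.10.11.2", attack, networks)
        print(rule)
        print("  ->", parse_flowspec_rule(rule))
    print("outside our prefixes:", is_announceable("192.0.2.1", "dns", networks))
```

The important check is the membership test against your own prefixes: routers validate a Flow Spec NLRI against the unicast route for its destination, but that validation does not save you from announcing a discard for the wrong host inside a prefix you do own, so keep the victim list tight.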

If you are interested in hardware that can do BGP Flow Spec, please look at Juniper, Cisco (only a few models) and Alcatel-Lucent boxes.

Cheers!
