Targeted traffic filtering with operator-defined Flow Spec rules
BGP Flow Spec is a network-layer mitigation technique that allows operators to filter malicious traffic without fully blackholing affected prefixes. Instead of dropping all traffic to a destination, Flow Spec enables precise filtering based on protocol attributes such as IP addresses, ports, and TCP flags.
FastNetMon uses BGP Flow Spec as a controlled, rule-based mitigation mechanism tightly integrated with real-time DDoS detection. Engineers define the detection thresholds and mitigation logic in advance, and FastNetMon applies Flow Spec rules automatically when those conditions are met.
Why BGP Flow Spec is effective for DDoS mitigation
BGP Flow Spec has become a core mitigation tool in ISP, telco, and large enterprise networks because it allows traffic filtering to be enforced directly on routers using standard BGP signalling. This removes the need for specialised mitigation hardware while keeping enforcement close to the traffic source.
By matching traffic on protocol-level attributes—such as source and destination addresses, transport ports, and TCP or ICMP flags—Flow Spec enables operators to suppress malicious flows while allowing legitimate traffic to continue. This makes it particularly effective in high-volume environments where precision matters and full blackholing would be too disruptive.
How FastNetMon applies Flow Spec rules
FastNetMon continuously analyses live network traffic and detects anomalies based on operator-defined thresholds. When traffic to a host or network exceeds those thresholds, FastNetMon captures representative traffic samples and classifies the attack pattern.
Using this data, FastNetMon can automatically generate Flow Spec rules that describe the malicious traffic characteristics observed. These rules are derived from real traffic and designed to maximise attack coverage while minimising the impact on legitimate flows.
Once generated, Flow Spec rules are propagated to routers using BGP and enforced at the network layer. Engineers remain fully in control of which attacks should trigger Flow Spec, how rules are constructed, and when mitigation should be applied or withdrawn.
FastNetMon acts as the control plane for this process—it does not enforce a fixed mitigation model or hide decision-making logic.
Full Flow Spec mitigation lifecycle
FastNetMon supports the complete lifecycle of Flow Spec-based mitigation:
- Detection – Identify abnormal traffic patterns in near real time
- Rule creation – Generate Flow Spec rules matching observed attack characteristics
- Distribution – Propagate rules to routers via BGP
- Enforcement – Filter malicious traffic directly on routers at line rate
- Withdrawal – Automatically remove rules when the attack subsides
This ensures that Flow Spec rules remain temporary, accurate, and aligned with current network conditions, without requiring manual cleanup.
Supported attack types
Flow Spec mitigation with FastNetMon is commonly used to mitigate:
- TCP flood attacks
- UDP floods and amplification attacks
- DNS, SSDP, SNMP, and Memcached reflection attacks
- GRE and other protocol-specific floods
- Attacks identifiable by TCP flags such as SYN, ACK, or SYN-ACK
- ICMP-based floods and fragment-related attack patterns
Flow Spec supports fragment matching, allowing operators to address attacks that exploit IP fragmentation behaviour.
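As an added illustration (not FastNetMon's own code or rule format), the following Python models the lifecycle described above together with TCP-flag and fragment matching: a rule class holding a subset of the RFC 5575 match components, a rule builder that derives a rule from constructed traffic samples using a simple dominant-(protocol, source port) heuristic, and a controller that announces a rule when the packet rate exceeds a threshold and withdraws it after consecutive quiet intervals. The threshold values, the heuristic, the sample packets and the string actions are assumptions made for the example.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed samples (dst_ip, ip_proto, src_port, tcp_flags, is_fragment): eight
# DNS-reflection packets (UDP from port 53) and two legitimate TCP/443 packets.
SAMPLES = [("203.0.113.10", 17, 53, 0, False)] * 8
SAMPLES += [("203.0.113.10", 6, 443, 0x10, False), ("203.0.113.10", 6, 443, 0x18, False)]

@dataclass
class FlowSpecRule:
    """Subset of RFC 5575 match components; None means the component is absent."""
    dst_prefix: str
    ip_proto: int | None = None
    src_port: int | None = None
    tcp_flags: int | None = None     # every bit in the mask must be set
    fragment: bool | None = None
    action: str = "discard"          # stands in for the discard (rate-limit 0) action
    def matches(self, pkt) -> bool:
        dst, proto, sport, flags, frag = pkt
        return (ip_address(dst) in ip_network(self.dst_prefix)
                and (self.ip_proto is None or proto == self.ip_proto)
                and (self.src_port is None or sport == self.src_port)
                and (self.tcp_flags is None or (flags & self.tcp_flags) == self.tcp_flags)
                and (self.fragment is None or frag == self.fragment))

def build_rule(victim: str, samples, min_share: float = 0.6) -> FlowSpecRule | None:
    """Rule creation: narrowest rule covering the dominant (proto, src_port) pattern."""
    if not samples: return None
    (proto, sport), count = Counter((p[1], p[2]) for p in samples).most_common(1)[0]
    if count / len(samples) < min_share:
        return None                  # no clear signature: leave the decision to an engineer
    return FlowSpecRule(f"{victim}/32", ip_proto=proto, src_port=sport)

class FlowSpecController:
    """Announce when pps exceeds the threshold; withdraw after quiet intervals."""
    def __init__(self, threshold_pps: int, quiet_intervals: int = 2):
        self.threshold, self.quiet_needed = threshold_pps, quiet_intervals
        self.active: dict[str, list] = {}   # victim -> [rule, consecutive quiet intervals]
    def observe(self, victim: str, pps: int, samples) -> str | None:
        entry = self.active.get(victim)
        if entry is None:                   # detection -> rule creation -> distribution
            rule = build_rule(victim, samples) if pps > self.threshold else None
            if rule is None: return None
            self.active[victim] = [rule, 0]
            return f"ANNOUNCE {rule}"
        entry[1] = entry[1] + 1 if pps <= self.threshold else 0
        if entry[1] >= self.quiet_needed:   # withdrawal once the attack subsides
            return f"WITHDRAW {self.active.pop(victim)[0]}"
        return None
```

The two legitimate TCP/443 samples are left untouched by the derived UDP/53 rule, which is the precision advantage over blackholing the whole prefix.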
Flow Spec and BGP Blackhole: complementary techniques
Flow Spec and BGP Blackhole mitigation serve different purposes and are often combined as part of a layered defence strategy.
Flow Spec is designed to filter specific malicious traffic patterns while preserving legitimate traffic. BGP Blackhole mitigation, by contrast, drops all traffic to a destination, including legitimate flows.
In practice, Flow Spec is typically used first to contain attacks with precision. If traffic volume continues to grow beyond what the network can safely handle, operators may escalate to BGP blackholing as a last-resort containment measure. FastNetMon supports both approaches and allows engineers to define escalation logic explicitly.
Standards-based and vendor-neutral
FastNetMon implements BGP Flow Spec in accordance with RFC 5575 and has been tested across a wide range of routing platforms, including Cisco, Juniper, Arista, Nokia, Huawei, Extreme, and others.
For environments where Flow Spec enforcement is handled externally, FastNetMon can also export rule data in structured formats for consumption by third-party mitigation systems, custom tooling, or notification pipelines.
Part of a broader DDoS mitigation stack
Flow Spec mitigation with FastNetMon integrates seamlessly with the platform’s other capabilities, including real-time DDoS detection and traffic visibility, BGP Blackhole (RTBH) automation, scrubbing centre diversion, blocklist-based filtering, and API-driven integrations with external systems.
Together, these components allow operators to build deterministic, scalable DDoS defence strategies tailored to their own networks and operational practices.