Large volumetric-based DDoS attacks are increasing in terms of frequency and scale at which they are perpetrated. With hundreds of-gigabits worth of attacks becoming commonplace, organizations not only face service interruptions for customers but the complete implosion of their infrastructure’s operation.
In the face of this increasingly challenging threat landscape, BGP FlowSpec DDoS mitigation has emerged as one of the most effective techniques to mitigate DDoS attacks. Combined with an accurate and speedy detection system, it helps manage and synchronize working with firewalls to mitigate these attacks.
Would you like to keep your network safe?
Try FastNetMon Full Trial for FREE 1 month.
Why is FlowSpec DDoS mitigation one of the best ways to detect DDoS?
There are several good reasons why FlowSpec has emerged as the champion technique for mitigation DDoS attacks:
FlowSpec is supported by the most popular enterprise routers, such as Cisco, Arista, Juniper, Huawei, ZTE, and Extreme.
You don’t need any special equipment to implement FlowSpec to mitigate and filter attacks in your network. All attack filtering will be done on your ISP or data centre infrastructure.
FlowSpec is the best protocol to filter out volumetric DDoS attacks. An engineer can create rules to filter out malicious traffic either manually or automatically.
FlowSpec supports special extended filtering options for TCP/UDP/ICMP. If you use UDP and TCP protocols, you can specify source and destination ports for filtering rules. You can detect and trigger mitigation rules by setting flags, such as SYN, ACK, or SYN-ACK, over TCP network protocol. Or using the ICMP flag for ICMP protocol. For all IP protocols these flags can be used:
- Avoid packet fragmentation
- Apply must-use fragmentation
- Match fragments according to descriptive flags, such as “don’t fragment,” “is fragment,” and “not fragment.”
BGP FlowSpec mitigation is effective at filtering most types of DDoS attacks, such as:
While FlowSpec mitigation is one of the most effective network defence techniques, it has specific unique characteristics that you must understand if you are to use it effectively. Chiefly, it’s not recommended to create too many or too complex rules for your network firewall. If your network has to resolve and carry out too many complicated rules simultaneously, it will decrease its efficacy across specific detection vectors.
With that in mind, what can you do to increase the possibility of detecting DDoS attacks and keep your network safe? The answer: use FastNetMon.
Why should you use FastNetMon for FlowSpec DDoS Mitigation?
First, and most importantly, FastNetMon fully supports BGP FlowSpec, leveraging it to its maximum mitigation potential. So, how does it work?
When one of your hosts (or routers) receives more traffic than it received before, FastNetMon starts to capture traffic (from 20 to 500 packets). FastNetMon then triggers a BGP FlowSpec automation using a special detection algorithm that generates a rule describing this suspicious activity with maximum coverage.
For this stage to function correctly, it’s vital to set up correct traffic thresholds to distinguish between legitimate and malicious traffic. You also need to configure thresholds to capture more malicious than legitimate traffic.
Next, FastNetMon propagates this rule to all your network routers. Accordingly, your routers will start to mitigate and implement attack filtering on malicious traffic based on the rule. The magic is that this works, even if routers don’t support FlowSpec, because FastNetMon can create rules in a JSON request, consumable by nearly all routers. You can pass on this JSON request to your DDoS detection systems. These include detection services from vendors, your proprietary systems, or notification systems.
FastNetMon supports tried-and-tested FlowSpec integration based on RFC5575 and verified with a broad spectrum of vendors. All the major vendors, such as Cisco, Arista, Juniper, Huawei, ZTE, and Extreme, have been tested and verified. So, whatever vendor you prefer to use for your network infrastructure, you’ll be assured of reliable and effective DDoS detection and mitigation using FastNetMon and FlowSpec.
What is better FlowSpec DDoS Mitigation or BGP BlackHole Mitigation?
BGP FlowSpec DDoS Mitigation shares many similarities with BGP BlackHole Mitigation, but these methods remain mutually exclusive of each other. This means you’ll have to utilize one or the other for your network DDoS mitigation at any stage of a DDoS attack.
FlowSpec DDoS Mitigation tries to catch malicious traffic and stop it at the routing stage. BGP BlackHole Mitigation blocks all traffic towards target of attack completely. As you can see, these technologies are active at different levels of the DDoS attack blocking chain.
That being said, BGP BlackHole Mitigation can be used on top of FlowSpec DDoS Mitigation as an additional mitigation layer. FlowSpec might start to capture traffic and filter it until your network’s capacity to handle the wave of traffic is maxed out. When the amount of traffic reaches critical levels, you can shift your detection system to BGP Blackhole and completely block off attacking networks.
Using this system, you can keep your network running uninterrupted, whatever the scale of the attack. If you use this combined system to detect attacks, we recommend using a BGP Diversion as last resort option for filtering out malicious traffic.
Ready to augment your FlowSpec DDoS mitigation with FastNetMon?
FastNetMon offers both techniques to mitigate DDoS attacks, combined with lightning-fast detection times of 2 seconds. Don’t just take our word for it, but try FastNetMon yourself using our free trial. If you need any help or have questions regarding setting up your network, don’t hesitate to ask our support staff for assistance.
How much does FastNetMon cost?
FastNetMon's pricing starts at $115 (USD) per month with no hidden fees. Find our full pricing schedule here. You can also try the full access trail of FastNetMon's DDoS detection with FlowSpec DDoS Mitigation capabilities for one whole month.