In January, we discussed Flow Optimizer in an introductory blog. Flow Optimizer enables intelligent flow management, resource optimization, and threat mitigation. Organizations can optimize their network infrastructure through proactive monitoring, planning, and established policies that can, in turn, manage large traffic flows in an automated fashion.
Recent enhancements to Flow Optimizer include improved threat mitigation by adding BGP Remote Triggered Black Hold (RTBH) support for SLX devices, and adding tenant flow reporting for data center networks. We also added some features to ease the upgrade process from earlier releases.
Flow Optimizer not only detects volumetric DDoS attacks, but it mitigates them in an automated, closed-loop manner. Flow Optimizer’s detection functionality leverages sFlow, and the mitigation functionality has multiple options available:
The use of OpenFlow for local network remediation is discussed in the Flow Optimizer documentation. We’ll discuss the common inter-domain options here: RTBH and BGP Flowspec.
Remotely triggering a black hole route through BGP RTBH involves advertising a BGP /32 host prefix to adjacent routers, which then discard packets destined to that host. This alleviates the congestion impact on the upstream transit link. Flow Optimizer can initiate an RTBH update, as illustrated in Figure 1.
Figure 1: Threat Mitigation Using RTBH
Upon identification of a volumetric attack, Flow Optimizer informs the trigger router in the local AS to advertise a /32 black hole route with the appropriate BGP community value. The upstream router has a policy in place to match on the community value and discard the packets destined to the /32 host. This effectively stops the attack at the upstream router, which prevents the DDoS attack from congesting the transit link and entering the local network.
As of Release 2.1.1, this support is available on SLX routers.
BGP Flowspec, first defined in RFC 5575: Dissemination of Flow Specification Rules (2009), lets you quickly mitigate the effects of a DDoS attack by using filtering and policing in protocol updates to BGP peer routers in your network and in adjacent ones. In comparison to BGP RTBH (which “black holes” packets to the /32 host victim), BGP Flowspec can advertise granular updates to match on specific Layer 3 and Layer 4 fields.
Flow Optimizer can initiate BGP Flowspec by leveraging an open source distribution called ExaBGP. Among other advantages, ExaBGP provides network operators a cost-effective DDoS protection solution.
Figure 2: BGP Flowspec Support in Flow Optimizer
In Figure 2, an attack enters from an upstream border router in another AS (AS# 222), and the border router is the entry point to the local AS (AS# 111). The border router peers with the upstream router, while Flow Optimizer (which includes ExaBGP), also exchanges eBGP updates with the upstream router.
On identifying a DDoS flow based on a user-configured match, a BGP Flowspec route is configured on ExaBGP to be announced to its peers. On disabling (deleting) the profile, the route is withdrawn from ExaBGP and in turn from all its peers.
As stated above, BGP Flowspec can match on source and destination IP addresses, protocols and ports. This granularity, which can affect many networks, is very powerful; by comparison, RTBH filters are coarser, and define blackholes that only affect the customer employing them.
Still, service providers are sometimes leery of having BGP Flowspec updates from external peers because they may not trust the marking. For this reason, unless the adjoining network is very well trusted and the filter details are shared, BGP Flowspec is often used within a single network, while RTBH is typically used between a network and its upstream networks.
Both the value and the risks of BGP Flowspec are recognized and are being studied further, and the IETF community continues to actively update the capabilities of BGP Flowspec.
Flow Optimizer has also introduced a new feature called Tenant Flow Reporting (TFR), which allows customers to estimate the network utilization of individual users or tenants. Traffic flows passing through monitored devices are evaluated and mapped to tenants along with respective flow utilization. The information used to identify tenants includes tenant name, IP address and VLAN ID.
With the 2.1.1 release, Flow Optimizer also supports a rapid migration from either the 2.0.0 or the 2.1.0 releases.
Contact your account representative to find out more about Flow Optimizer can improve the efficiency of your network. You can download a trial copy of Flow Optimizer here.
White papers, data sheets, and the most recent versions of Extreme software and hardware manuals are available at www.extremenetworks.com. Product documentation for all supported releases is available to registered users at www.extremenetworks.com/support/documentation.