# Actions Reference

Complete reference for all FlowSpec actions

RFC 5575 (IPv4) / RFC 8955 (IPv6) - Extended Community-based actions
- Overview
- Discard
- Rate-Limit
- Redirect to VRF
- Mark (DSCP)
- Community Tagging
- Combining Actions
- Extended Community Format
- Router Support
- Best Practices
- Common Patterns
## Overview

FlowSpec actions define what to do with matched traffic.

Basic structure:

```
announce flow route {
    match {
        <conditions>
    }
    then {
        <action>;
    }
}
```

Actions are implemented as BGP Extended Communities sent with the FlowSpec route.

Available actions:

| Action | Extended Community Type | Purpose |
|---|---|---|
| discard | traffic-action (0x8006) | Drop packets |
| rate-limit | traffic-rate (0x8006) | Limit bandwidth |
| redirect | redirect (0x8008) | Redirect to VRF |
| mark | traffic-marking (0x8009) | Remark DSCP |
| community | Standard/Extended | Tag traffic |
## Discard

Drop matching packets completely

```
then {
    discard;
}
```

Traffic-action: terminal-action

Matching packets are immediately dropped at the router.

Characteristics:
- ✅ Most common action for DDoS mitigation
- ✅ Hardware-based (wire-speed performance)
- ✅ Zero bandwidth consumption for dropped packets
- ⚠️ No logging of dropped packets (router-dependent)
- ⚠️ Legitimate traffic may be affected if rule too broad
```
announce flow route {
    match {
        destination 100.10.0.100/32;
        destination-port =80;
        protocol =tcp;
        tcp-flags [ syn ];
    }
    then {
        discard;
    }
}
```

Result: All TCP SYN packets to 100.10.0.100:80 are dropped.

```
announce flow route {
    match {
        source-port =53;
        protocol =udp;
        packet-length >512;
    }
    then {
        discard;
    }
}
```

Result: Large DNS responses (likely amplification) are dropped.

```
announce flow route {
    match {
        protocol =icmp;
    }
    then {
        discard;
    }
}
```

Result: All ICMP packets dropped (use during ICMP flood).

Use cases:
- DDoS mitigation - Block attack traffic completely
- Security blocking - Block known malicious sources
- Protocol blocking - Block entire protocols during attacks
- Emergency response - Stop attack immediately

Best practices:
- Be specific - Avoid blocking legitimate traffic
- Monitor impact - Check if rule affects real users
- Auto-expire - Withdraw rule when attack ends
- Log announcements - Track what you're blocking
Example with logging:

```python
import logging
import sys

def announce_discard(source_ip, port):
    # Log what is being blocked, then hand the rule to ExaBGP on stdout
    logging.info(f"[DISCARD] Blocking {source_ip} to port {port}")
    sys.stdout.write(f"announce flow route {{ match {{ source {source_ip}/32; }} then {{ discard; }} }}\n")
    sys.stdout.flush()
```

## Rate-Limit

Limit bandwidth for matching traffic
```
then {
    rate-limit <bytes-per-second>;
}
```

Traffic-rate: <rate-in-bytes-per-second>

Matching packets are rate-limited to specified bandwidth.

⚠️ Implementation-Specific Behavior: RFC 5575/8955 do NOT specify whether rate-limit applies per-flow or as aggregate across all matching traffic. This is router implementation-specific:
- Some vendors apply rate-limit per individual flow (per source IP)
- Some vendors apply rate-limit as aggregate across all matching traffic
- Consult your router vendor's documentation for exact behavior

ExaBGP signals the rate-limit value to the router via BGP - the router enforces it according to its own implementation.

Characteristics:
- ✅ Throttle traffic instead of dropping completely
- ✅ Allows some legitimate traffic through
- ✅ Hardware-based policing
- ⚠️ Excess traffic is dropped
- ⚠️ Behavior (per-flow vs aggregate) depends on router vendor

⚠️ IMPORTANT: Vendor Implementation Differences. RFC 5575 specifies rate-limit values in bytes per second.
However, router vendors implement this differently:
- Juniper: Converts bytes/sec to bits/sec internally (multiplies by 8)
- Cisco: May interpret values differently depending on platform
- Other vendors: Vary in implementation

ExaBGP follows RFC 5575 and sends values as bytes per second. Your router interprets these values according to its vendor-specific implementation.

Critical: Always test rate-limit behavior on your specific router platform. The same ExaBGP value may result in different actual rates on different vendor equipment.

RFC 5575 Compliant (Bytes per Second):

```
# 1 MB/sec (8 Mbps) = 1,000,000 bytes/sec
rate-limit 1000000
# 10 MB/sec (80 Mbps) = 10,000,000 bytes/sec
rate-limit 10000000
# 100 MB/sec (800 Mbps) = 100,000,000 bytes/sec
rate-limit 100000000
# 1 GB/sec (8 Gbps) = 1,000,000,000 bytes/sec
rate-limit 1000000000
```

Understanding the Values:

```
ExaBGP value (bytes/sec) → Router interprets per vendor implementation
RFC 5575: bytes per second
Juniper:  converts to bits per second (×8)
Cisco:    depends on platform
```

Conversion Reference:
- 1 Mbps (megabit/sec) = 125,000 bytes/sec
- 10 Mbps = 1,250,000 bytes/sec
- 100 Mbps = 12,500,000 bytes/sec
- 1 Gbps = 125,000,000 bytes/sec
```
announce flow route {
    match {
        destination-port =53;
        protocol =udp;
    }
    then {
        rate-limit 10000000;    # 10 Mbps
    }
}
```

Result: DNS traffic limited to 10 Mbps.

```
announce flow route {
    match {
        destination-port =80;
        protocol =tcp;
        tcp-flags [ syn ];
    }
    then {
        rate-limit 5000000;    # 5 Mbps
    }
}
```

Result: TCP SYN packets to port 80 limited to 5 Mbps.

```
announce flow route {
    match {
        protocol =icmp;
        icmp-type =8;    # Echo request
    }
    then {
        rate-limit 1000000;    # 1 Mbps
    }
}
```

Result: ICMP echo requests limited to 1 Mbps.

```
announce flow route {
    match {
        source 203.0.113.0/24;    # Attacker network
    }
    then {
        rate-limit 1000000;    # 1 Mbps
    }
}
```

Result: All traffic from 203.0.113.0/24 limited to 1 Mbps.

Start with rate-limiting, escalate to discard if needed:

```
# Step 1: Detect attack, rate-limit
announce flow route {
    match { source 10.0.0.0/8; destination-port =80; }
    then { rate-limit 10000000; }    # 10 Mbps
}

# Step 2: If still too much traffic, tighten rate
announce flow route {
    match { source 10.0.0.0/8; destination-port =80; }
    then { rate-limit 1000000; }    # 1 Mbps
}

# Step 3: If attack continues, block completely
announce flow route {
    match { source 10.0.0.0/8; destination-port =80; }
    then { discard; }
}
```

Use cases:
- Proportional response - Limit before blocking
- Soft mitigation - Allow some legitimate traffic
- Protocol throttling - Slow down entire protocols
- Testing - Validate rule before full block

Best practices:
- Start conservative - Higher rate first, lower if needed
- Monitor bandwidth - Check actual traffic reduction
- Per-service rates - Different limits for different services
- Combine with discard - Escalate if rate-limit insufficient
Extreme Networks:
- Rate values must be multiples of 22 Kbps (22,000 bytes/sec)
- Invalid rates may be rounded or rejected
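An added helper (not ExaBGP project code) that covers the conversion reference above and the Extreme granularity just described: it derives the RFC 5575 bytes/sec value from a target rate in Mbps, back-converts a value to Mbps so the comment next to a rule can be checked, and snaps a value up to a platform's step size; the 22,000 bytes/sec step is the figure this page gives for Extreme.

```python
import math

# Added example (not ExaBGP project code). Rates follow RFC 5575: bytes per second.
BYTES_PER_MBPS = 125_000     # 1 Mbps = 1,000,000 bit/s / 8 bit per byte
EXTREME_STEP = 22_000        # Extreme granularity in bytes/sec, as stated on this page

def rate_limit_value(mbps):
    """Bytes/sec argument for ExaBGP's rate-limit from a target rate in Mbps."""
    return round(mbps * BYTES_PER_MBPS)

def to_mbps(value):
    """Back-convert a bytes/sec value to Mbps (handy to check the comment next to a rule)."""
    return value * 8 / 1_000_000

def snap_to_step(value, step):
    """Round *up* to the next multiple of a platform's step size. Rounding down would
    make the limit tighter than intended and drop more legitimate traffic."""
    return math.ceil(value / step) * step

def rate_limit_action(mbps, step=None):
    """Render the then-clause action; with a step size the value is snapped first."""
    value = rate_limit_value(mbps)
    if step and value % step:
        value = snap_to_step(value, step)
    return f"rate-limit {value};"
```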
Example for Extreme:

```
# Bad: Not a multiple of 22 Kbps
rate-limit 1000000    # May be rejected
# Good: Multiple of 22 Kbps
rate-limit 1100000    # 8.8 Mbps (50 × 22 Kbps)
```

## Redirect to VRF

Redirect matching traffic to a VRF (Virtual Routing and Forwarding instance)
```
then {
    redirect <route-target>;
}
```

Redirect: <route-target>

Matching packets are redirected to specified VRF instead of normal routing.

Characteristics:
- ✅ Traffic sent to separate routing instance
- ✅ Enables scrubbing center analysis
- ✅ Allows inspection without blocking
- ⚠️ Requires VRF configuration on router
- ⚠️ Complexity increases

```
# ASN:Value format
redirect 65001:100
# IP:Value format
redirect 192.168.1.1:100
```

```
announce flow route {
    match {
        destination 100.10.0.0/24;    # Attacked network
    }
    then {
        redirect 65001:999;    # Scrubbing VRF route-target
    }
}
```

Workflow:
- Suspicious traffic matched
- Redirected to VRF with route-target 65001:999
- VRF routes traffic to scrubbing appliance
- Clean traffic returned to production network

```
announce flow route {
    match {
        source 203.0.113.0/24;    # Suspicious network
    }
    then {
        redirect 65001:100;    # Inspection VRF
    }
}
```

Use case: Send traffic from suspicious sources to IDS/IPS for deep inspection.
```
┌─────────────────┐
│ Attack Traffic  │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│  Edge Router    │  FlowSpec: redirect 65001:999
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│ Scrubbing VRF   │  Route-target 65001:999
│   (VRF 999)     │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│   Scrubbing     │  Analyze & clean
│   Appliance     │
└────────┬────────┘
         │
         ▼
┌─────────────────┐
│ Clean Traffic   │  Return to production
│ Back to Network │
└─────────────────┘
```
Use cases:
- Scrubbing centers - Send attack traffic for cleaning
- IDS/IPS inspection - Deep packet inspection
- Quarantine networks - Isolate suspicious traffic
- Logging/analysis - Capture attack packets

Best practices:
- Pre-configure VRFs - VRF must exist before redirect
- Test redirect path - Verify traffic reaches scrubbing
- Return path - Ensure clean traffic gets back
- Monitor VRF - Check scrubbing VRF capacity
## Mark (DSCP)

Remark DSCP field for QoS processing

```
then {
    mark <dscp-value>;
}
```

Traffic-marking: <dscp-value>

Matching packets have their DSCP field remarked to specified value.

Characteristics:
- ✅ Packets marked for downstream QoS
- ✅ Can be combined with other policies
- ⚠️ Doesn't drop or rate-limit traffic
- ⚠️ Requires downstream QoS config
| DSCP | Name | Typical Use |
|---|---|---|
| 0 | BE (Best Effort) | Default |
| 8 | CS1 | Low priority |
| 10 | AF11 | Bulk data |
| 12 | AF12 | Bulk data |
| 14 | AF13 | Bulk data |
| 26 | AF31 | Signaling |
| 34 | AF41 | Video |
| 46 | EF | Voice |
```
announce flow route {
    match {
        source 10.0.0.0/8;    # Attack source
    }
    then {
        mark 8;    # CS1 (low priority)
    }
}
```

Result: Traffic from 10.0.0.0/8 marked as low priority for QoS.

```
announce flow route {
    match {
        destination-port =80;
        protocol =tcp;
        tcp-flags [ syn ];
        packet-length >1000;    # Large SYN packets (suspicious)
    }
    then {
        mark 0;    # Best effort (lowest priority)
    }
}
```

Result: Large SYN packets deprioritized by downstream QoS.

Use cases:
- QoS integration - Mark for downstream handling
- Prioritization - Deprioritize attack traffic
- Traffic classification - Identify specific flows
- Policy enforcement - Apply downstream policies

Best practices:
- Downstream QoS required - Marking alone doesn't rate-limit
- Consistent DSCP values - Align with existing QoS policy
- Combine with rate-limit - Mark + rate-limit for best control
- Monitor effectiveness - Verify QoS policies work
## Community Tagging

Tag FlowSpec routes with BGP communities

```
then {
    community [ <community> ];
}
```

The FlowSpec route itself is tagged with communities for downstream policy decisions.

Characteristics:
- ✅ Allows policy-based filtering
- ✅ Enables selective route acceptance
- ⚠️ Doesn't affect matched traffic directly
- ⚠️ Requires community-based policies

```
announce flow route {
    match {
        source 10.0.0.0/8;
    }
    then {
        discard;
        community [ 65001:666 ];    # Mark as DDoS mitigation
    }
}
```

Downstream routers can:
- Accept FlowSpec routes with community 65001:666
- Reject FlowSpec routes without this community
- Apply different policies based on community

```
# SYN flood
announce flow route {
    match { tcp-flags [ syn ]; }
    then {
        discard;
        community [ 65001:100 ];    # SYN flood tag
    }
}

# UDP flood
announce flow route {
    match { protocol =udp; packet-length >1000; }
    then {
        discard;
        community [ 65001:200 ];    # UDP flood tag
    }
}
```

Use case: Track/filter FlowSpec rules by attack type.

Use cases:
- Route filtering - Control FlowSpec propagation
- Policy decisions - Apply different handling
- Tracking - Identify rule types
- Logging - Categorize mitigation actions
## Combining Actions

Multiple actions can be combined in a single rule.

```
announce flow route {
    match {
        source 10.0.0.0/8;
        destination-port =80;
    }
    then {
        rate-limit 10000000;    # 10 Mbps
        mark 8;                 # Mark as low priority
    }
}
```

Result: Traffic rate-limited AND marked for downstream QoS.

```
announce flow route {
    match {
        source 203.0.113.0/24;
    }
    then {
        discard;
        community [ 65001:666 ];    # Tag rule
    }
}
```

Result: Traffic discarded, FlowSpec route tagged.

```
announce flow route {
    match {
        destination 100.10.0.0/24;
    }
    then {
        redirect 65001:999;         # Send to scrubbing VRF
        community [ 65001:100 ];    # Tag as scrubbed traffic
    }
}
```

Result: Traffic redirected to scrubbing, rule tagged for tracking.
## Extended Community Format

FlowSpec actions are BGP Extended Communities in the FlowSpec route.

```
Type: 0x8006 (traffic-rate)
Value: <rate-in-bytes-per-second>

Type: 0x8006 (traffic-action)
Value: 0x01 (terminal-action / discard)

Type: 0x8008 (redirect)
Value: <route-target>

Type: 0x8009 (traffic-marking)
Value: <dscp-value>
```
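As an added example (not ExaBGP's own encoder), the four action communities packed into their 8-byte wire form and decoded back, which is what you see when inspecting a FlowSpec UPDATE in a packet capture. Type values follow RFC 5575 section 7, which assigns sub-type 0x07 to traffic-action (0x8006 is traffic-rate), and the traffic-rate value is an IEEE-754 single float, so very large rates are rounded on the wire; the AS and route-target values are the page's own.

```python
import struct

# Added example (not ExaBGP's encoder): the four action communities in 8-byte wire form.
# Type values follow RFC 5575 section 7 (high byte 0x80 = transitive, experimental).
TRAFFIC_RATE = 0x8006
TRAFFIC_ACTION = 0x8007      # RFC 5575 assigns sub-type 0x07 to traffic-action
REDIRECT = 0x8008
TRAFFIC_MARKING = 0x8009

def traffic_rate(asn, bytes_per_sec):
    # 2-byte AS, then the rate as an IEEE-754 single float; rate 0 discards (RFC 5575 s7)
    return struct.pack("!HHf", TRAFFIC_RATE, asn, bytes_per_sec)

def traffic_action(terminal=False, sample=False):
    # 5 reserved bytes, then a flags byte: S (sample) = 0x02, T (terminal) = 0x01
    flags = (0x02 if sample else 0) | (0x01 if terminal else 0)
    return struct.pack("!H5xB", TRAFFIC_ACTION, flags)

def redirect(asn, value):
    # route-target in ASN:value form (2-byte AS, 4-byte local value)
    return struct.pack("!HHI", REDIRECT, asn, value)

def traffic_marking(dscp):
    # 5 reserved bytes, then the 6-bit DSCP in the low bits of the last byte
    return struct.pack("!H5xB", TRAFFIC_MARKING, dscp & 0x3F)

def decode(ec):
    """Decode one 8-byte action community into a tuple starting with its name."""
    (etype,) = struct.unpack("!H", ec[:2])
    if etype == TRAFFIC_RATE:
        asn, rate = struct.unpack("!Hf", ec[2:])
        return ("traffic-rate", asn, rate)
    if etype == TRAFFIC_ACTION:
        return ("traffic-action", bool(ec[7] & 0x01), bool(ec[7] & 0x02))
    if etype == REDIRECT:
        asn, value = struct.unpack("!HI", ec[2:])
        return ("redirect", f"{asn}:{value}")
    if etype == TRAFFIC_MARKING:
        return ("traffic-marking", ec[7] & 0x3F)
    raise ValueError(f"not a FlowSpec action community: 0x{etype:04x}")

def wire_rate(bytes_per_sec):
    """The rate the router actually receives after the float32 round-trip."""
    return decode(traffic_rate(0, bytes_per_sec))[2]
```

`wire_rate` is worth running on any rate you plan to announce: values such as 1,000,000,000 survive the float32 round-trip exactly, while arbitrary large values are silently rounded to the nearest representable float.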
## Router Support

Action support varies by router vendor/model.

- ✅ Discard
- ✅ Rate-limit
- ✅ Redirect
- ⚠️ Mark (model-dependent)

- ✅ Discard
- ✅ Rate-limit
- ✅ Redirect
- ✅ Mark

- ✅ Discard
- ✅ Rate-limit
- ⚠️ Redirect (limited)
- ⚠️ Mark (limited)

- ✅ Discard
- ✅ Rate-limit
- ✅ Redirect
- ✅ Mark

Check router documentation for specific action support.
## Best Practices

| Situation | Recommended Action |
|---|---|
| Known attack, high confidence | discard |
| Suspected attack, testing | rate-limit |
| Need analysis | redirect |
| QoS integration | mark |
| Gradual escalation | rate-limit → discard |
```python
import logging
import sys

def announce_with_logging(rule, action):
    # Record the action before the rule goes to ExaBGP on stdout
    logging.info(f"[FLOWSPEC] Action={action} Rule={rule}")
    sys.stdout.write(rule + "\n")
    sys.stdout.flush()

rule = "announce flow route { match { source 10.0.0.0/8; } then { discard; } }"
announce_with_logging(rule, "discard")
```

```python
import logging
import sys
import threading
import time

def auto_withdraw(rule, timeout=300):
    # Wait out the timeout, then send the matching withdraw to ExaBGP
    time.sleep(timeout)
    withdraw = rule.replace('announce', 'withdraw').replace('then { discard; }', '')
    sys.stdout.write(withdraw + "\n")
    sys.stdout.flush()
    logging.info(f"[FLOWSPEC] Auto-withdrew rule after {timeout}s")

# Announce with auto-expiry
rule = "announce flow route { match { source 10.0.0.0/8; } then { discard; } }"
sys.stdout.write(rule + "\n")
sys.stdout.flush()
threading.Thread(target=auto_withdraw, args=(rule, 300)).start()
```

Track:
- Bandwidth before/after rule
- Number of packets matched
- False positives (legitimate traffic blocked)
- Attack duration

Tools:
- Router packet counters
- NetFlow/sFlow analysis
- SNMP monitoring
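Putting the logging and auto-expiry practices above together, an added example (not ExaBGP's own code) that renders the rule text from structured match conditions and actions, so the withdraw line is built from the same match rather than by string replacement, generates the rate-limit → discard escalation steps used throughout this page, and schedules a withdraw that can be cancelled if the operator has already cleared the rule. It assumes ExaBGP accepts the same match/then body on `withdraw` as on `announce`; the rates and the 65001:666 tag are the page's own values.

```python
import sys
import threading

# Added example (not ExaBGP project code). One builder for announce, withdraw and
# escalation so every emitted line comes from the same match definition.
# Assumes ExaBGP accepts the same match/then body on `withdraw` as on `announce`.

def flow_route(verb, match, actions):
    """Render one flow route line; conditions and actions are the strings used on this page."""
    m = " ".join(f"{c};" for c in match)
    a = " ".join(f"{x};" for x in actions)
    return f"{verb} flow route {{ match {{ {m} }} then {{ {a} }} }}"

def announce(match, actions):
    return flow_route("announce", match, actions)

def withdraw(match, actions):
    return flow_route("withdraw", match, actions)

# Escalation levels, most lenient first (rates in bytes/sec, as RFC 5575 defines them)
ESCALATION = [["rate-limit 50000000"], ["rate-limit 10000000"], ["rate-limit 1000000"], ["discard"]]

def escalation_ladder(match, tag=None):
    """One announce per level for the same match. The match is the NLRI, so each
    re-announcement replaces the previous action on the peer; `tag` adds a tracking community."""
    extra = [f"community [ {tag} ]"] if tag else []
    return [announce(match, actions + extra) for actions in ESCALATION]

def schedule_withdraw(match, actions, timeout, out=sys.stdout):
    """Withdraw the rule after `timeout` seconds unless .cancel() is called first
    (e.g. the attack ended and the operator withdrew the rule by hand)."""
    def fire():
        out.write(withdraw(match, actions) + "\n")
        out.flush()
    timer = threading.Timer(timeout, fire)
    timer.daemon = True
    timer.start()
    return timer
```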
Escalation ladder:

```
# Level 1: Rate-limit (warning)
rate-limit 50000000    # 50 Mbps
# Level 2: Tighter rate-limit
rate-limit 10000000    # 10 Mbps
# Level 3: Very tight rate-limit
rate-limit 1000000     # 1 Mbps
# Level 4: Block completely
discard
```

## Common Patterns

```
announce flow route {
    match {
        source 10.0.0.0/8;
        destination-port =80;
        tcp-flags [ syn ];
    }
    then {
        discard;
    }
}
```

```
announce flow route {
    match {
        destination 100.10.0.100/32;
        destination-port =53;
        protocol =udp;
    }
    then {
        rate-limit 10000000;    # 10 Mbps
    }
}
```

```
announce flow route {
    match {
        destination 100.10.0.0/24;
    }
    then {
        redirect 65001:999;    # Scrubbing VRF
    }
}
```

```
announce flow route {
    match {
        source 10.0.0.0/8;
    }
    then {
        mark 8;    # Low priority
    }
}
```

```
announce flow route {
    match {
        protocol =udp;
        packet-length >1000;
    }
    then {
        rate-limit 10000000;
        mark 0;    # Best effort
    }
}
```

- FlowSpec Overview - Introduction to FlowSpec
- Match Conditions Reference - What traffic to match
- DDoS Mitigation Guide - Complete workflow
- Text API Reference - FlowSpec commands
- API Commands - Command reference
- Quick Start - First FlowSpec rule
- Production Best Practices - Production deployment
Ready to implement DDoS mitigation? See DDoS Mitigation Guide →
π» Ghost written by Claude (Anthropic AI)