-
Notifications
You must be signed in to change notification settings - Fork 460
DDoS Mitigation
Thomas Mangin edited this page Nov 13, 2025
·
11 revisions
Automated DDoS protection using BGP FlowSpec
π‘οΈ ExaBGP pioneered open-source FlowSpec - enabling network-wide DDoS mitigation in seconds
- Overview
- Why FlowSpec for DDoS Mitigation?
- Architecture Patterns
- Detection Integration
- Complete Workflow
- Attack Types and Mitigation
- Implementation Guide
- Production Deployment
- Monitoring and Alerting
- Best Practices
- Troubleshooting
- Real-World Examples
DDoS mitigation with ExaBGP enables automated, network-wide traffic filtering using BGP FlowSpec.
Traditional DDoS response is slow:
- β±οΈ Detection: Minutes to identify attack
- π§ Manual intervention: SSH to routers, configure ACLs
- π Error-prone: Manual configuration mistakes
- π Slow deployment: Can't update hundreds of routers quickly
- π° Damage: Attack causes disruption before mitigation
Automated FlowSpec-based mitigation:
- β‘ Instant detection: Automated systems detect attack patterns
- π€ Automated response: ExaBGP generates FlowSpec rules via API
- π Network-wide: Rules propagate to all edge routers via BGP
- π Fast: Attack blocked in seconds (not minutes)
- β Reliable: No manual intervention required
vs. RTBH (Remote Triggered Black Hole):
- β Granular filtering: Match on ports, protocols, packet size, TCP flags
- β Surgical mitigation: Rate-limit instead of complete blackhole
- β Reduced collateral damage: Single rule vs. thousands of /32 prefixes
- β Flexible actions: Discard, rate-limit, redirect, or mark traffic
vs. On-Premises Scrubbing:
- β Upstream filtering: Traffic blocked at provider edge (before reaching your network)
- β Bandwidth savings: Attack traffic never consumes your bandwidth
- β Scalability: Leverage provider infrastructure
- β Fast convergence: BGP propagation in seconds
vs. Cloud Scrubbing Services:
- β No third-party dependency: On-premises control
- β Lower cost: No per-GB scrubbing fees
- β Lower latency: No traffic redirection
- β Privacy: Traffic stays in your network
Most common deployment:
βββββββββββββββββββββββ
β DDoS Detection β FastNetMon, custom detection
β System β
ββββββββββββ¬βββββββββββ
β Attack detected
βΌ
βββββββββββββββββββββββ
β ExaBGP β FlowSpec controller
β (Central) β Generates rules via API
ββββββββββββ¬βββββββββββ
β BGP FlowSpec UPDATE
βΌ
βββββββββββββββββββββββ
β Edge Routers β Cisco, Juniper, Arista, etc.
β (100s-1000s) β Apply filters in hardware
ββββββββββββ¬βββββββββββ
β Filtered traffic
βΌ
Attack blocked β
Characteristics:
- Single ExaBGP instance as FlowSpec controller
- Peers with route reflectors or edge routers
- Rules propagate network-wide via BGP
- Centralized logging and management
For large-scale networks:
ββββββββββββββββββ ββββββββββββββββββ
β ExaBGP ββββββββββΊβ Route β
β FlowSpec β iBGP β Reflectors β
β Controller β β β
ββββββββββββββββββ ββββββββββ¬ββββββββ
β
βββββββββββββββββΌββββββββββββββββ
βΌ βΌ βΌ
ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ
β Edge Router β β Edge Router β β Edge Router β
β (Region A) β β (Region B) β β (Region C) β
ββββββββββββββββ ββββββββββββββββ ββββββββββββββββ
Benefits:
- Scalable to thousands of edge routers
- Reduced BGP session overhead
- Regional route reflectors for redundancy
- Standard BGP topology
Combine FlowSpec with scrubbing centers:
βββββββββββββββββββ
β Detection β
ββββββββββ¬βββββββββ
β
βΌ
βββββββββββββββββββ
β ExaBGP β
β Decision Logic β
ββββββββββ¬βββββββββ
β
ββββββ΄βββββββββββ
βΌ βΌ
Small Attack Large Attack
(< 1 Gbps) (> 1 Gbps)
β β
βΌ βΌ
FlowSpec FlowSpec
discard redirect to VRF
β
βΌ
ββββββββββββββββ
β Scrubbing β
β Center β
ββββββββ¬ββββββββ
β
βΌ
Clean traffic back
Use cases:
- Small attacks: Block at edge with FlowSpec
- Large volumetric attacks: Redirect to scrubbing
- Graduated response based on attack size
ExaBGP can integrate with various DDoS detection systems:
Open-Source Options:
- FastNetMon Community - High-performance DDoS detection (native ExaBGP support)
- Custom detection - Build your own using flow analysis tools
Turnkey Commercial DDoS Solutions:
- FastNetMon Advanced - Enterprise DDoS detection and mitigation platform
- Wanguard by Andrisoft - Complete DDoS protection solution with ExaBGP integration via BGP Connector
π‘ Note: Both turnkey solutions offer comprehensive DDoS protection with management interfaces, reporting, and automated mitigation workflows. Wanguard integrates with ExaBGP through its BGP Connector component, supporting RTBH, FlowSpec, and traffic scrubbing.
Flow Analysis Tools (for custom detection):
- Akvorado - Flow collector and visualizer (can feed custom detection logic)
- pmacct - Flow accounting and analysis
- nfdump/nfsen - NetFlow analysis toolkit
FastNetMon Community is an open-source DDoS detection system with native ExaBGP integration.
FastNetMon β sFlow/NetFlow β Analysis β ExaBGP API β FlowSpec
FastNetMon config (/etc/fastnetmon.conf):
# Enable ExaBGP integration
enable_ban_for_tcp_syn_flood = on
enable_ban_for_udp_flood = on
enable_ban_for_icmp_flood = on
# ExaBGP FlowSpec
exabgp = on
exabgp_flow_spec_announces = on
exabgp_command_pipe = /var/run/exabgp.cmd
# Thresholds
ban_for_pps = on
threshold_pps = 20000
ban_for_bandwidth = on
threshold_mbps = 1000ExaBGP config (/etc/exabgp/exabgp.conf):
neighbor 192.168.1.1 {
router-id 192.168.1.2;
local-address 192.168.1.2;
local-as 65001;
peer-as 65000;
family {
ipv4 flowspec;
}
api {
processes [ fastnetmon ];
}
}
process fastnetmon {
run /etc/exabgp/api/fastnetmon.py;
encoder text;
}Integration script (/etc/exabgp/api/fastnetmon.py):
#!/usr/bin/env python3
"""
FastNetMon integration for ExaBGP FlowSpec
Reads attack notifications and generates FlowSpec rules
"""
import sys
import time
import os
# Named pipe from FastNetMon
PIPE_PATH = "/var/run/exabgp.cmd"
def read_fastnetmon_commands():
"""Read FlowSpec commands from FastNetMon pipe"""
if not os.path.exists(PIPE_PATH):
os.mkfifo(PIPE_PATH)
while True:
with open(PIPE_PATH, 'r') as pipe:
for line in pipe:
command = line.strip()
if command:
# Forward to ExaBGP
sys.stdout.write(command + "\n")
sys.stdout.flush()
sys.stderr.write(f"[FASTNETMON] {command}\n")
time.sleep(2)
read_fastnetmon_commands()Build your own detection system:
#!/usr/bin/env python3
"""
Custom DDoS detection and mitigation
Analyzes traffic patterns and generates FlowSpec rules
"""
import sys
import time
import collections
from datetime import datetime
# Attack detection state
traffic_stats = collections.defaultdict(lambda: {'pps': 0, 'bps': 0})
blocked_sources = set()
# Thresholds
SYN_FLOOD_THRESHOLD = 10000 # SYN packets per second
UDP_FLOOD_THRESHOLD = 50000 # UDP packets per second
BANDWIDTH_THRESHOLD = 1000000000 # 1 Gbps
def analyze_traffic():
"""
Analyze traffic patterns (placeholder - integrate with your monitoring)
Returns: list of detected attacks
"""
# TODO: Integrate with your traffic analysis system
# Examples: sFlow collector, SNMP polling, pcap analysis
attacks = []
for source_ip, stats in traffic_stats.items():
# SYN flood detection
if stats['syn_pps'] > SYN_FLOOD_THRESHOLD:
attacks.append({
'type': 'syn_flood',
'source': source_ip,
'metric': stats['syn_pps'],
'dest_port': stats.get('dest_port', 80)
})
# UDP flood detection
if stats['udp_pps'] > UDP_FLOOD_THRESHOLD:
attacks.append({
'type': 'udp_flood',
'source': source_ip,
'metric': stats['udp_pps']
})
# Bandwidth-based detection
if stats['bps'] > BANDWIDTH_THRESHOLD:
attacks.append({
'type': 'bandwidth_flood',
'source': source_ip,
'metric': stats['bps']
})
return attacks
def mitigate_attack(attack):
"""Generate and announce FlowSpec rule"""
attack_type = attack['type']
source = attack['source']
if source in blocked_sources:
return # Already blocked
if attack_type == 'syn_flood':
dest_port = attack.get('dest_port', 80)
rule = (
f"announce flow route {{ "
f"match {{ source {source}/32; destination-port ={dest_port}; "
f"protocol =tcp; tcp-flags [ syn ]; }} "
f"then {{ rate-limit 10000000; }} "
f"}}"
)
elif attack_type == 'udp_flood':
rule = (
f"announce flow route {{ "
f"match {{ source {source}/32; protocol =udp; }} "
f"then {{ rate-limit 5000000; }} "
f"}}"
)
elif attack_type == 'bandwidth_flood':
rule = (
f"announce flow route {{ "
f"match {{ source {source}/32; }} "
f"then {{ rate-limit 1000000; }} "
f"}}"
)
else:
rule = (
f"announce flow route {{ "
f"match {{ source {source}/32; }} "
f"then {{ discard; }} "
f"}}"
)
sys.stdout.write(rule + "\n")
sys.stdout.flush()
blocked_sources.add(source)
timestamp = datetime.now().strftime('%Y-%m-%d %H:%M:%S')
sys.stderr.write(
f"[{timestamp}] Blocked {attack_type} from {source} "
f"(metric: {attack['metric']})\n"
)
# Schedule auto-withdrawal after 300 seconds
schedule_withdrawal(rule, 300)
def schedule_withdrawal(rule, timeout):
"""Auto-withdraw rule after timeout"""
import threading
def withdraw_after_timeout():
time.sleep(timeout)
withdraw = rule.replace('announce', 'withdraw')
# Remove 'then' clause for withdrawal
withdraw = withdraw.split('then')[0].rstrip() + '}'
sys.stdout.write(withdraw + "\n")
sys.stdout.flush()
sys.stderr.write(f"[AUTO-WITHDRAW] {withdraw}\n")
thread = threading.Thread(target=withdraw_after_timeout, daemon=True)
thread.start()
# Main detection loop
time.sleep(2)
sys.stderr.write("[DETECTION] Custom DDoS detection started\n")
while True:
attacks = analyze_traffic()
for attack in attacks:
mitigate_attack(attack)
time.sleep(5) # Check every 5 secondsWanguard by Andrisoft offers turnkey DDoS protection with ExaBGP integration via its BGP Connector component.
Wanguard Detection β Response System β BGP Connector β ExaBGP β Edge Routers
BGP Connector supports:
- Remote Triggered Black Hole (RTBH) - Null-route attacked destinations
- BGP FlowSpec - Granular traffic filtering at edge routers
- Traffic Scrubbing - Redirect traffic to cleaning servers
- Source RTBH - Block attacking source IPs
- Automated & Manual Control - REST API, console, or anomaly-triggered
For complete setup instructions, refer to the official Andrisoft documentation:
Wanguard BGP Connector Configuration Guide
The guide covers:
- Installing and configuring ExaBGP
- Setting up the Wanguard BGP Connector component
- Configuring pipe file paths and permissions
- Connector role selection (Mitigation or Diversion)
- Enabling BGP FlowSpec support
- Community and prefix restrictions
- Integration with Wanguard Response System
Once configured, Wanguard's detection engine automatically triggers BGP announcements via ExaBGP:
- Attack Detection - Wanguard identifies DDoS attack patterns
- Response Trigger - Response system activates mitigation
- BGP Announcement - Writes FlowSpec/RTBH rules to ExaBGP pipe
- Network-Wide Mitigation - ExaBGP propagates rules to edge routers
Mitigation can also be triggered manually via Wanguard's REST API or console interface.
- Wanguard BGP Connector Documentation - Official configuration guide
- Wanguard Product Information - Features and capabilities
- Andrisoft Support - Technical support resources
Step 1: Detection
Attack traffic β Edge routers β NetFlow/sFlow β Detection system
Detection triggers when:
- Packets per second > threshold
- Bandwidth > threshold
- Anomaly detected by ML model
- Specific attack patterns identified
Step 2: Rule Generation
# Detection system generates FlowSpec rule
rule = (
"announce flow route { "
"match { source 203.0.113.0/24; destination-port =80; protocol =tcp; } "
"then { discard; } "
"}"
)Step 3: ExaBGP Announcement
# Send to ExaBGP via API
sys.stdout.write(rule + "\n")
sys.stdout.flush()Step 4: BGP Propagation
ExaBGP β BGP UPDATE (FlowSpec) β Route Reflectors β Edge Routers
Convergence time: 1-5 seconds network-wide
Step 5: Traffic Filtering
Edge routers install FlowSpec rule in hardware (TCAM)
β Matching traffic dropped/rate-limited at wire speed
β Attack blocked β
Step 6: Auto-Withdrawal
# After attack ends (e.g., 5 minutes)
time.sleep(300)
withdraw = "withdraw flow route { match { source 203.0.113.0/24; ... } }"
sys.stdout.write(withdraw + "\n")
sys.stdout.flush()Attack: TCP SYN packets without completing handshake
Detection:
- High SYN rate to specific port
- SYN packets without corresponding ACK
Mitigation:
announce flow route {
match {
destination 100.10.0.100/32; # Target server
destination-port =80|=443; # HTTP/HTTPS
protocol =tcp;
tcp-flags [ syn ]; # SYN flag only
}
then {
rate-limit 10000000; # 10 Mbps
}
}Attack: Spoofed UDP requests to amplification servers (DNS, NTP, SSDP, etc.)
Detection:
- Large UDP responses (> 512 bytes)
- High volume from specific source ports (53, 123, 1900)
Mitigation:
# DNS amplification
announce flow route {
match {
source-port =53; # DNS responses
protocol =udp;
packet-length >512; # Large responses
}
then {
discard;
}
}
# NTP amplification
announce flow route {
match {
source-port =123; # NTP responses
protocol =udp;
packet-length >100;
}
then {
discard;
}
}
# SSDP amplification
announce flow route {
match {
source-port =1900; # SSDP
protocol =udp;
}
then {
discard;
}
}Attack: High volume of HTTP requests
Detection:
- High connection rate to web servers
- Unusual HTTP request patterns
Mitigation:
# Rate-limit HTTP traffic from attack source
announce flow route {
match {
source 10.0.0.0/8; # Attack network
destination-port =80|=443;
protocol =tcp;
}
then {
rate-limit 5000000; # 5 MB/sec (bytes/sec, RFC 5575)
}
}Attack: High volume of ICMP packets (ping flood, smurf attack)
Detection:
- High ICMP packet rate
- Large ICMP packet sizes
Mitigation:
# Block all ICMP during attack
announce flow route {
match {
protocol =icmp;
}
then {
discard;
}
}
# Or rate-limit ICMP
announce flow route {
match {
protocol =icmp;
icmp-type =8; # Echo request
}
then {
rate-limit 1000000; # 1 Mbps
}
}Attack: Malformed or excessive fragmented packets
Detection:
- High rate of fragmented packets
- Invalid fragment patterns
Mitigation:
# Block all fragmented packets
announce flow route {
match {
fragment [ is-fragment ];
}
then {
discard;
}
}Attack: High bandwidth consumption (> line capacity)
Detection:
- Total bandwidth exceeds threshold
- Traffic from specific sources/networks
Mitigation:
# Aggressive rate-limiting for attack sources
announce flow route {
match {
source 203.0.113.0/24;
}
then {
rate-limit 1000000; # 1 Mbps total
}
}
# Or redirect to scrubbing VRF
announce flow route {
match {
destination 100.10.0.0/24; # Attacked network
}
then {
redirect 65001:999; # Scrubbing VRF
}
}# Using pip
pip3 install exabgp
# Verify installation
exabgp --versionSee Installation Guide for details.
Create config (/etc/exabgp/ddos-mitigation.conf):
neighbor 192.168.1.1 {
router-id 192.168.1.2;
local-address 192.168.1.2;
local-as 65001;
peer-as 65000;
family {
ipv4 flowspec;
}
api {
processes [ ddos-controller ];
}
}
process ddos-controller {
run /etc/exabgp/api/ddos_controller.py;
encoder text;
}Basic template (/etc/exabgp/api/ddos_controller.py):
#!/usr/bin/env python3
import sys
import time
time.sleep(2)
sys.stderr.write("[DDOS] Controller started\n")
# Your detection logic here
# When attack detected, generate FlowSpec rule:
def block_attack(source_ip, attack_type):
rule = (
f"announce flow route {{ "
f"match {{ source {source_ip}/32; }} "
f"then {{ discard; }} "
f"}}"
)
sys.stdout.write(rule + "\n")
sys.stdout.flush()
sys.stderr.write(f"[DDOS] Blocked {attack_type} from {source_ip}\n")
# Main loop
while True:
# TODO: Integrate with your detection system
time.sleep(10)Cisco IOS-XR:
router bgp 65000
neighbor 192.168.1.2 remote-as 65001
!
address-family ipv4 flowspec
neighbor 192.168.1.2 activate
!
!
flowspec
local-install interface-all
!
Juniper Junos:
protocols {
bgp {
group exabgp {
type external;
peer-as 65001;
neighbor 192.168.1.2 {
family inet {
flow;
}
}
}
}
}
routing-options {
flow {
validation {
local {
enabled;
}
}
}
}
Manual test:
# Start ExaBGP
exabgp /etc/exabgp/ddos-mitigation.conf
# In another terminal, inject test rule
echo "announce flow route { match { source 10.0.0.1/32; } then { discard; } }" > /tmp/exabgp.cmdVerify on router:
# Cisco
show flowspec ipv4 summary
show flowspec ipv4 detail
# Juniper
show firewall filter __flowspec_default_inet__
Deploy redundant ExaBGP instances:
ββββββββββββββββββ ββββββββββββββββββ
β ExaBGP β β ExaBGP β
β Primary β β Secondary β
β 192.168.1.2 β β 192.168.1.3 β
ββββββββββ¬ββββββββ βββββββββ¬βββββββββ
β β
ββββββββββββββ¬βββββββββββββ
β
βΌ
βββββββββββββββββ
β Route β
β Reflectors β
βββββββββββββββββ
Both instances:
- Run same detection logic
- Announce same FlowSpec rules
- BGP handles deduplication
Log all FlowSpec announcements:
import logging
logging.basicConfig(
filename='/var/log/exabgp-ddos.log',
level=logging.INFO,
format='%(asctime)s [%(levelname)s] %(message)s'
)
def announce_flowspec(rule, reason):
sys.stdout.write(rule + "\n")
sys.stdout.flush()
logging.info(f"ANNOUNCE: {rule} - Reason: {reason}")Send alerts to NOC:
import requests
def send_alert(message, severity='high'):
"""Send alert to Slack/PagerDuty/email"""
# Slack webhook
requests.post(
"https://hooks.slack.com/services/YOUR/WEBHOOK/URL",
json={
"text": f":warning: DDoS Alert: {message}",
"username": "ExaBGP DDoS Controller"
}
)
# PagerDuty
requests.post(
"https://events.pagerduty.com/v2/enqueue",
json={
"routing_key": "YOUR_ROUTING_KEY",
"event_action": "trigger",
"payload": {
"summary": message,
"severity": severity,
"source": "ExaBGP"
}
}
)
# When blocking attack
send_alert(f"Blocking SYN flood from {source_ip} to port {port}")1. Attack Metrics:
- Number of active FlowSpec rules
- Attacks detected per hour
- Attack types distribution
- Top attack sources
2. Mitigation Metrics:
- Time to mitigation (detection β blocking)
- Bandwidth saved
- False positive rate
- Rule withdrawal time
3. System Metrics:
- ExaBGP process health
- BGP session state
- API response time
- Rule announcement latency
#!/usr/bin/env python3
"""
Monitor ExaBGP DDoS mitigation metrics
"""
import time
import subprocess
import requests
# Metrics
active_rules = 0
attacks_detected = 0
attacks_blocked = 0
def check_exabgp_health():
"""Check if ExaBGP process is running"""
try:
result = subprocess.run(
['pgrep', '-f', 'exabgp'],
capture_output=True,
timeout=5
)
return result.returncode == 0
except:
return False
def check_bgp_session():
"""Check BGP session state (example for Cisco via SNMP)"""
# TODO: Implement SNMP check or router API
pass
def export_metrics_to_prometheus():
"""Export metrics to Prometheus"""
# Expose metrics endpoint
metrics = f"""
# HELP exabgp_ddos_active_rules Number of active FlowSpec rules
# TYPE exabgp_ddos_active_rules gauge
exabgp_ddos_active_rules {active_rules}
# HELP exabgp_ddos_attacks_detected Total attacks detected
# TYPE exabgp_ddos_attacks_detected counter
exabgp_ddos_attacks_detected {attacks_detected}
# HELP exabgp_ddos_attacks_blocked Total attacks blocked
# TYPE exabgp_ddos_attacks_blocked counter
exabgp_ddos_attacks_blocked {attacks_blocked}
"""
# Write to textfile collector or push to Pushgateway
with open('/var/lib/prometheus/node-exporter/exabgp_ddos.prom', 'w') as f:
f.write(metrics)
while True:
if not check_exabgp_health():
send_alert("ExaBGP process not running!", severity='critical')
export_metrics_to_prometheus()
time.sleep(60)Start conservative, escalate if needed:
# Level 1: Rate-limit (warning)
rate_limit_1 = 50000000 # 50 Mbps
# Level 2: Tighter rate-limit
rate_limit_2 = 10000000 # 10 Mbps
# Level 3: Very tight rate-limit
rate_limit_3 = 1000000 # 1 Mbps
# Level 4: Block completely
# discardNever block critical infrastructure:
WHITELIST = [
'8.8.8.8', # Google DNS
'1.1.1.1', # Cloudflare DNS
# Add your critical IPs
]
def should_block(ip):
return ip not in WHITELISTAlways set TTL on rules:
def announce_with_ttl(rule, ttl=300):
"""Announce rule with auto-withdrawal"""
sys.stdout.write(rule + "\n")
sys.stdout.flush()
# Schedule withdrawal
threading.Timer(ttl, withdraw_rule, args=[rule]).start()Try rate-limiting first:
if attack_severity < 5:
action = f"rate-limit {bandwidth}"
else:
action = "discard"Prevent misconfigurations:
def validate_flowspec_rule(rule):
"""Validate FlowSpec syntax"""
required_keywords = ['announce', 'flow', 'route', 'match', 'then']
for keyword in required_keywords:
if keyword not in rule:
raise ValueError(f"Missing keyword: {keyword}")
# Additional validation
if 'source 0.0.0.0/0' in rule and 'discard' in rule:
raise ValueError("Refusing to blackhole entire internet!")
return TrueSymptoms: FlowSpec rules announced but not filtering traffic
Diagnosis:
# Cisco
show flowspec ipv4
show flowspec ipv4 summary
# Juniper
show firewall filter __flowspec_default_inet__
Common causes:
- FlowSpec not enabled on router
- BGP session down
- FlowSpec validation failing
- Hardware limitations (TCAM full)
Solutions:
# Enable FlowSpec
router bgp 65000
address-family ipv4 flowspec
neighbor 192.168.1.2 activate
# Enable local installation
flowspec
local-install interface-all
Symptoms: No BGP UPDATEs sent
Diagnosis:
# Check ExaBGP logs
exabgp -d /etc/exabgp/ddos.conf 2>&1 | tee exabgp.log
# Look for errors
grep ERROR exabgp.logCommon causes:
- API process not running
- Syntax error in FlowSpec rule
- stdout not flushed
Solutions:
# Always flush stdout
sys.stdout.write(rule + "\n")
sys.stdout.flush() # Critical!
# Check process is running
ps aux | grep ddos_controllerSymptoms: Legitimate traffic blocked
Diagnosis:
- Monitor user complaints
- Analyze blocked traffic patterns
- Review FlowSpec match conditions
Solutions:
- Make rules more specific
- Use rate-limiting instead of discard
- Implement whitelisting
- Adjust detection thresholds
Symptoms: Slow rule propagation (> 10 seconds)
Diagnosis:
# Measure BGP convergence time
time exabgp announce-rule.py
# Check BGP timers
show bgp neighbor 192.168.1.2Solutions:
- Reduce BGP timers (keepalive, hold-time)
- Use route reflectors for scalability
- Optimize detection script performance
Scenario: Regional ISP with 100 edge routers
Architecture:
- Central ExaBGP FlowSpec controller
- FastNetMon for detection (analyzing sFlow)
- Route reflectors for BGP scalability
Results:
- Detection to mitigation: 3 seconds average
- 50+ attacks blocked per day
- 99.9% uptime maintained
- Bandwidth savings: ~500 Gbps/month
Scenario: Enterprise with multiple data centers
Architecture:
- ExaBGP + custom Python detection
- Integration with SIEM (Splunk)
- Hybrid approach (FlowSpec + cloud scrubbing)
Attack handling:
- Small attacks (< 1 Gbps): FlowSpec at edge
- Large attacks (> 1 Gbps): Redirect to cloud scrubbing
- Auto-escalation based on attack size
Results:
- 95% of attacks handled at edge
- Scrubbing costs reduced by 70%
- No service outages in 12 months
Scenario: Hosting provider protecting customer VMs
Architecture:
- ExaBGP per customer (multi-tenant)
- Custom detection with sFlow/NetFlow analysis
- Per-customer FlowSpec rules
Features:
- Customer portal for rule visibility
- Automatic protection for all customers
- Granular per-VM filtering
Results:
- 1000+ customers protected
- Sub-second mitigation
- Customer satisfaction: 98%
- FlowSpec Overview - FlowSpec fundamentals
- Match Conditions - All match types
- Actions Reference - All actions
- Text API Reference - FlowSpec commands
- API Commands - Command reference
- API Overview - API architecture
- Debugging - Troubleshooting guide
- Monitoring - Monitoring setup
Ready to deploy DDoS mitigation? See Quick Start to begin β
π» Ghost written by Claude (Anthropic AI)
π Home
π Getting Started
π§ API
π‘οΈ Use Cases
π Address Families
βοΈ Configuration
π Operations
π Reference
- Architecture
- BGP State Machine
- Communities (RFC)
- Extended Communities
- BGP Ecosystem
- Capabilities (AFI/SAFI)
- RFC Support
π Migration
π Community
π External
- GitHub Repo β
- Slack β
- Issues β
π» Ghost written by Claude (Anthropic AI)