Friday, August 30, 2013
- Flow specification is motivated by a set of problems with the mitigation options a provider has today.
- A provider has limited options for mitigating DDoS attacks that take place inside its network.
- These options can be grouped into three categories, including:
Ø BGP (border gateway protocol) destination black holes
Ø BGP source-based black holes using uRPF (unicast reverse path forwarding)
- The basic idea is to use BGP to distribute flow specification filters.
- This allows dynamic filtering in the routers without logging in to each one.
- Flow specification rules are encoded as a dedicated BGP NLRI address family.
- BGP treats the flow spec NLRI as an opaque key: it serves only as the entry key for the BGP database, and BGP itself does not interpret the rule.
- Extended communities carried with the rule specify the action: accept, discard, rate limit, sample, redirect, and so on.
- The match criteria are source/destination prefix and source/destination port, combined with packet length, ICMP type/code, fragment encoding, DSCP, TCP flags and so on.
- For example, a rule can match TCP ports 80 to 90 with destination prefix 192.168.0.0/24.
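The following is an added worked example of the encoding described above; it is not code from the original notes or from any router vendor. It writes the flow spec NLRI for the rule "TCP, destination ports 80 to 90, destination 192.168.0.0/24" and the traffic-rate extended community that carries a rate-limit or discard action, following the RFC 5575 wire format (component types in ascending order, numeric operator byte `e a len len 0 lt gt eq`, one-octet NLRI length below 240). All function and constant names are my own.

```python
"""Encode a BGP flow specification rule (RFC 5575) as NLRI bytes plus the
extended community that carries its action.  Added example, not code from
the original notes; helper names are assumptions for the demonstration."""
import ipaddress
import struct

# Component types from RFC 5575 section 4; components must appear in ascending order.
DST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# Numeric operator byte layout:  e | a | len | len | 0 | lt | gt | eq
OP_END, OP_AND, OP_LT, OP_GT, OP_EQ = 0x80, 0x40, 0x04, 0x02, 0x01
_LEN_BITS = {1: 0x00, 2: 0x10, 4: 0x20, 8: 0x30}   # value width in octets


def encode_prefix(comp_type: int, cidr: str) -> bytes:
    """Type 1/2 component: type, prefix length in bits, then only the octets needed."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:nbytes]


def _num(value: int, flags: int) -> bytes:
    """One operator byte followed by a value of the smallest width that holds it."""
    width = 1 if value < 0x100 else 2 if value < 0x10000 else 4
    return bytes([flags | _LEN_BITS[width]]) + value.to_bytes(width, "big")


def encode_numeric(comp_type: int, *terms) -> bytes:
    """Numeric component from (value, op_flags) terms.  Adjacent terms are OR'ed
    unless the term carries OP_AND; the end-of-list bit is set on the last term."""
    out = bytearray([comp_type])
    for i, (value, flags) in enumerate(terms):
        if i == len(terms) - 1:
            flags |= OP_END
        out += _num(value, flags)
    return bytes(out)


def encode_range(comp_type: int, lo: int, hi: int) -> bytes:
    """lo <= x <= hi, written as '>= lo' AND '<= hi'."""
    return encode_numeric(comp_type, (lo, OP_GT | OP_EQ), (hi, OP_AND | OP_LT | OP_EQ))


def encode_nlri(*components: bytes) -> bytes:
    """Prefix the concatenated components with the NLRI length (1 octet if < 240,
    otherwise 2 octets with 0xF in the high nibble)."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


def traffic_rate(asn: int, bytes_per_sec: float) -> bytes:
    """Extended community type 0x80 subtype 0x06: 2-octet AS, 4-octet IEEE float.
    A rate of 0 means discard."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, bytes_per_sec)


def match_tcp_80_90_to_192_168_0_0_24() -> bytes:
    """The rule from the notes: TCP, destination ports 80..90, to 192.168.0.0/24."""
    return encode_nlri(
        encode_prefix(DST_PREFIX, "192.168.0.0/24"),
        encode_numeric(IP_PROTO, (6, OP_EQ)),   # protocol == TCP
        encode_range(DST_PORT, 80, 90),
    )


if __name__ == "__main__":
    print(match_tcp_80_90_to_192_168_0_0_24().hex())
    print(traffic_rate(65000, 0.0).hex())   # AS 65000 is a constructed placeholder
```

Reading the output: `0d` is the 13-octet length, `01 18 c0 a8 00` the /24 destination prefix (only three address octets are sent), `03 81 06` protocol equals 6 with end-of-list set, and `05 03 50 c5 5a` destination port `>= 80` AND `<= 90`, where `0xc5` is end-of-list + and + lt + eq. The same encoder reproduces the worked examples in RFC 5575 itself, which is the easiest way to check an implementation before trusting what it injects into your routers.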
- The flow specification trust model is tied to unicast routing: the right to install a filter follows from the right to advertise the route it affects.
- A filter is treated as a "hole" in the traffic being sent to some destination, so only the party that legitimately advertises that destination should be able to punch it.
- A filter is therefore accepted only when it is advertised by the same next hop (the same BGP speaker) that advertises the unicast route for the destination.
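The acceptance check above, as an added example that is not part of the original notes: a receiving BGP speaker validates a flow spec route against its unicast RIB following RFC 5575 section 6, which requires that (a) the originator of the flow spec matches the originator of the best-match unicast route for the destination prefix, and (b) no more-specific unicast route inside that prefix was learned from a different neighboring AS. The RIB contents, peer names and AS numbers are constructed for the demonstration; rules without a destination prefix component are outside the scope of this check.

```python
"""Validate a received flow specification route against the unicast RIB
(RFC 5575 section 6).  Added example; the RIB, peer names and ASNs below are
constructed for the demonstration and are not real routing data."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class UnicastRoute:
    originator: str    # BGP speaker (or ORIGINATOR_ID) the unicast route came from
    neighbor_as: int   # AS of the neighbor that announced it


# Constructed unicast RIB: prefix -> best path.  peer-a (AS 64500) owns 10/8,
# but a more specific 10.1.200.0/24 inside it is learned from peer-b (AS 64501).
RIB: Dict[ipaddress.IPv4Network, UnicastRoute] = {
    ipaddress.ip_network("10.0.0.0/8"):    UnicastRoute("peer-a", 64500),
    ipaddress.ip_network("10.1.0.0/16"):   UnicastRoute("peer-a", 64500),
    ipaddress.ip_network("10.1.200.0/24"): UnicastRoute("peer-b", 64501),
    ipaddress.ip_network("192.0.2.0/24"):  UnicastRoute("peer-b", 64501),
}


def best_match(dst: ipaddress.IPv4Network, rib: Dict[ipaddress.IPv4Network, UnicastRoute]
               ) -> Optional[Tuple[ipaddress.IPv4Network, UnicastRoute]]:
    """Longest unicast prefix that covers the flow spec destination prefix."""
    covering = [(p, r) for p, r in rib.items() if dst.subnet_of(p)]
    if not covering:
        return None
    return max(covering, key=lambda pr: pr[0].prefixlen)


def validate_flowspec(dst_prefix: str, originator: str,
                      rib: Dict[ipaddress.IPv4Network, UnicastRoute] = RIB) -> Tuple[bool, str]:
    """Return (accepted, reason) for a flow spec rule carrying dst_prefix that was
    received from `originator`."""
    dst = ipaddress.ip_network(dst_prefix)
    best = best_match(dst, rib)
    if best is None:
        return False, "no unicast route covers the destination prefix"
    best_prefix, best_route = best
    # (a) whoever filters traffic to a destination must be the one routing it
    if best_route.originator != originator:
        return False, f"best-match {best_prefix} was originated by {best_route.originator}, not {originator}"
    # (b) a more-specific from another AS means part of this space is not theirs to filter
    for p, r in rib.items():
        if p != dst and p.subnet_of(dst) and r.neighbor_as != best_route.neighbor_as:
            return False, f"more-specific {p} is announced by AS {r.neighbor_as}"
    return True, f"originator of best-match {best_prefix} matches"


if __name__ == "__main__":
    for prefix, peer in [("10.1.0.0/24", "peer-a"), ("10.1.0.0/24", "peer-b"),
                         ("10.1.0.0/16", "peer-a"), ("192.0.2.0/24", "peer-b")]:
        print(prefix, peer, validate_flowspec(prefix, peer))
```

The third case is the interesting one: peer-a does originate 10.1.0.0/16, yet a filter for the whole /16 is rejected because 10.1.200.0/24 inside it belongs to another AS, so accepting it would let peer-a black-hole a neighbor's traffic. Note that this check is the only thing standing between a compromised or misbehaving peer and your forwarding plane, which is why the lack of per-update security in BGP matters for flow spec more than for ordinary routes.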
- Flow specification filters are available in shipping routers today.
- The major benefit of flow specification is fine-grained filters that are easy to deploy and manage through BGP.
- The trust and distribution problems are already solved by BGP.
- Another major benefit is that flow specification leverages the ASIC-based filtering already present in the routers.
Apart from the benefits, flow specification has the limitations listed below:
Ø BGP has no per-update security, so a filter cannot be authenticated beyond the session that carried it.
Ø Statistics and application-level acknowledgement (did the filter actually take effect?) are not well defined.
Ø Flow specification only works on nodes where BGP is enabled.
Ø BGP is being overloaded with a payload that goes beyond routing.
Ø There are operational issues at the boundary between security operations and network operations.
Ø Threat information cannot be gathered in one place.
- Various security vendors have announced integration with flow specification.
- A large number of customers experience DDoS attacks.
- DDoS attacks are now massive and put the network infrastructure at risk, not just the end customer.
- Congestion occurs at both the exchange and the backbone.
- Long-duration attacks add the cost of bandwidth bursting and of circuit congestion.
- Depending on the size of the attack, a POP may have to be isolated.
- VoIP is also affected.
- These attacks have negative economic effects, since the cost of operations increases.
- This has led to a degradation of the business.
- Measures such as firewall filtering and destination BGP black-holing have proved insufficient against these attacks.
- These methods are slow, because someone has to log in to and configure the devices.
- The configuration has to be changed constantly.
- A black hole terminates all traffic to the destination, not just the attack traffic.
- This affects availability, since legitimate traffic to the victim is dropped as well.
- The black hole routes are removed by changing the configuration yet again.
- Earlier versions of flow specification had many bugs.
- There were also limitations on performance.
- However, it provided Arbor support for the flow specification actions.
- It did not provide multi-vendor support.
- To some extent it provides mitigation closer to the source of the attack.
- It eliminates collateral damage for both the carrier and its customers, and supports changing the matching criteria.