Subscribe by Email

Friday, August 30, 2013

What is meant by flow specification?

- There are many problems concerning the flow specification. 
- There are limited options for the provider for mitigation of the DDoS attacks that take place internally. 
- These can be categorized in to three different categories:
Ø  BGP (border gateway protocol) destination black holes
Ø  BGP src/ uRP

- The basic idea is to make use of the BGP for the distribution of the flow specification filters. 
- This helps in dynamic filtering in the routers. 
- The flow specification rules are encoded according to the BGP NLRI address family. 
- The flow spec NLRI is used by the BGP as its opaque key is used as an entry key for its database. 
- The extended communities are used for specifying the actions such as accepting, discarding it, rate limiting, sampling, redirecting and so on. 
- The source/destination prefix and the source/destination port are matched in combinations according to the packet size, ICMP type/co9de, fragment encoding, DSCP, TCP flag and so on. 
- For example, the TCP ports 80…90 are matched with 192.168.0/24. 
- The flow specification trust model uni casts the routing advertisements for controlling the traffic. 
- Filter is considered as a hole for the traffic that is being transmitted to some destination. 
- Filter is accepted when it is advertised for the destination by the next hop. 
Filters with various flow specifications are available today.
- The major benefit of the flow specifications is the filters with the fine grain specification which make it easy for deploying and managing the BGP. 
- The trust and the distribution problems are solved by the BGP. 
- ASIC filtering in routers is leveraged. 
- This is another major benefit of flow specifications. 
Apart from the benefits, there are various limitations of the flow specifications as mentioned below:
Ø  There is no update level security in the BGP.
Ø The statistics and the application level acknowledgement are not well defined.
Ø  The flow specifications work only for those nodes for which the BGP has been enabled.
Ø  Beyond routing the BGP payload has to be overloaded.
Ø  There are various operational issues between the security operations and the network operations.
Ø  The threat information cannot be gathered in one place.

- The integration of the flow specifications was announced by various security vendors. 
- The DDoS attacks are experienced by a large number of customers. 
- The DDoS attacks are now massive and have put the network infrastructure at risk apart from the end customer. 
- Congestion problems occur at both the exchange and the backbone. 
- The attacks of long durations add to the cost of bursting and circuit congestion problems. 
- Depending up on the size of the attack the POP has to be isolated.
- VoIP is also affected. 
- These attacks have negative economic effects as the cost of the operations has been increased. 
- This has led to a degradation of the business. 
- Measures such as firewall filtering and destination BGP black-holing have proved to be insufficient in preventing the attacks. 
- These methods are slow since it is required to log-in and configuring the devices. 
- The configuration has to be constantly. 
- The traffic is terminated to some destination. 
- This affects the availability. 
- The black hole routes are removed by constantly changing the configurations. - Earlier version of the flow specifications had many bugs. 
- There were some limitations on the performance. 
- However, it provided arbor support for the actions of the flow specifications. 
It does not provide multi–vendor support. 
- To some extent it provides the mitigation facility for the attack that occurred at the source. 
- The collateral damage is eliminated for both the carriers and supports the change in the matching criteria. 

No comments:

Facebook activity