
Friday, August 30, 2013

What is meant by flow specification?

- There are many problems concerning the flow specification. 
- There are limited options for the provider for mitigation of the DDoS attacks that take place internally. 
- These can be categorized into three different categories:
  - BGP (Border Gateway Protocol) destination black holes
  - BGP src/uRPF
  - ACLs

- The basic idea is to make use of the BGP for the distribution of the flow specification filters. 
- This helps in dynamic filtering in the routers. 
- The flow specification rules are encoded according to the BGP NLRI address family. 
- BGP treats the flow spec NLRI as an opaque key and uses it as the entry key for its database. 
- The extended communities are used for specifying the actions such as accepting, discarding, rate limiting, sampling, redirecting and so on. 
- The source/destination prefix and the source/destination port are matched in combination with the packet size, ICMP type/code, fragment encoding, DSCP, TCP flags and so on. 
- For example, the TCP ports 80…90 are matched with 192.168.0/24. 
- The flow specification trust model uses unicast routing advertisements to control the traffic. 
- A filter is considered a hole for the traffic that is being transmitted to some destination. 
- A filter is accepted when it is advertised for the destination by the next hop. 
- Filters with various flow specifications are available today.
- The major benefit of flow specifications is filters with fine-grained specifications, which make it easy to deploy and manage the BGP. 
- The trust and the distribution problems are solved by the BGP. 
- ASIC filtering in routers is leveraged. 
- This is another major benefit of flow specifications. 
Apart from the benefits, there are various limitations of the flow specifications as mentioned below:
  - There is no update-level security in the BGP.
  - The statistics and the application-level acknowledgement are not well defined.
  - The flow specifications work only for those nodes for which the BGP has been enabled.
  - The BGP payload has to be overloaded beyond routing.
  - There are various operational issues between the security operations and the network operations.
  - The threat information cannot be gathered in one place.

- The integration of the flow specifications was announced by various security vendors. 
- The DDoS attacks are experienced by a large number of customers. 
- The DDoS attacks are now massive and have put the network infrastructure at risk apart from the end customer. 
- Congestion problems occur at both the exchange and the backbone. 
- The attacks of long durations add to the cost of bursting and circuit congestion problems. 
- Depending upon the size of the attack the POP has to be isolated.
- VoIP is also affected. 
- These attacks have negative economic effects as the cost of the operations has been increased. 
- This has led to a degradation of the business. 
- Measures such as firewall filtering and destination BGP black-holing have proved to be insufficient in preventing the attacks. 
- These methods are slow since it is required to log in and configure the devices. 
- The configuration has to be constantly. 
- The traffic is terminated to some destination. 
- This affects the availability. 
- The black hole routes are removed by constantly changing the configurations. 
- Earlier versions of the flow specifications had many bugs. 
- There were some limitations on the performance. 
- However, it provided Arbor support for the actions of the flow specifications. 
- It does not provide multi-vendor support. 
- To some extent it provides the mitigation facility for the attack that occurred at the source. 
- The collateral damage is eliminated for both the carriers, and changes in the matching criteria are supported. 