BGP FlowSpec is another Multiprotocol-BGP extension, using SAFI 133. Created for DoS and DDoS attack mitigation, it introduces a new NLRI that carries 12 types of L3 and L4 information. This information defines a flow, i.e. the criteria used to match the parameters of the attack traffic. For instance, a flow can match the victim's IP address, the protocol, and the source and/or destination ports (Picture 1).
Picture 1 - BGP FlowSpec NLRI
While the flow specifies the matching criteria and is carried in the FlowSpec NLRI, the action is carried in a path attribute, namely an extended community. The action depicted in Picture 2 drops traffic matching the criteria. Other actions, such as redirecting into a different VRF or rate-limiting the traffic, are defined in RFC 5575.
Picture 2 - Path Attribute Extended Community with Action Drop
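As an added example that is not part of the original article, the Python below encodes and decodes the RFC 5575 wire format for the drop rule installed later in this tutorial (destination 192.168.2.1, protocol 17, source port 53) and builds the traffic-rate extended community (type 0x80, sub-type 0x06) that carries the action; the match dict uses the same key names as the sFlow-RT REST call, and the encoder goes slightly beyond the article by also handling source prefixes and destination ports.

```python
import ipaddress
import struct

# RFC 5575 component types used by the rule installed later in this article
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
NUMERIC = (IP_PROTO, DST_PORT, SRC_PORT)

def _prefix(ctype, cidr):
    # type, prefix length, then only as many address octets as the prefix covers
    net = ipaddress.IPv4Network(cidr)
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]

def _numeric(ctype, value):
    # one operator byte: end-of-list (0x80) | 1-byte value (len bits 00) | eq (0x01)
    return bytes([ctype, 0x81, value])

def encode_flowspec_nlri(match):
    """Encode a match dict (same keys as the sFlow-RT REST call) as a FlowSpec NLRI."""
    body = b""  # components must appear in ascending type order
    for ctype, key in ((DST_PREFIX, "destination"), (SRC_PREFIX, "source")):
        if key in match:
            body += _prefix(ctype, match[key])
    for ctype, key in ((IP_PROTO, "protocol"), (DST_PORT, "destination-port"), (SRC_PORT, "source-port")):
        if key in match:
            body += _numeric(ctype, int(match[key]))
    if len(body) >= 240:
        raise ValueError("NLRI of 240 bytes or more needs the two-byte length form")
    return bytes([len(body)]) + body

def decode_flowspec_nlri(nlri):
    """Parse an NLRI back into {component type: value}; handles 1-byte eq operators only."""
    if nlri[0] >= 0xF0:
        raise ValueError("two-byte NLRI length not handled here")
    end, pos, out = 1 + nlri[0], 1, {}
    while pos < end:
        ctype = nlri[pos]
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen, n = nlri[pos + 1], (nlri[pos + 1] + 7) // 8
            addr = ipaddress.IPv4Address(nlri[pos + 2:pos + 2 + n].ljust(4, b"\0"))
            out[ctype], pos = f"{addr}/{plen}", pos + 2 + n
        elif ctype in NUMERIC and nlri[pos + 1] == 0x81:
            out[ctype], pos = nlri[pos + 2], pos + 3
        else:
            raise ValueError(f"unsupported component or operator at offset {pos}")
    return out

def traffic_rate_community(rate_bytes_per_sec):
    """Extended community 0x80/0x06: 2-byte AS (0) + IEEE float32 rate; rate 0 means drop."""
    return b"\x80\x06" + struct.pack(">Hf", 0, rate_bytes_per_sec)
```

Running the encoder on the article's rule yields 13 bytes: a one-byte length of 12 followed by the destination prefix, IP protocol and source port components, each with the end-of-list/eq operator byte 0x81.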
sFlow-RT provides visibility into applications and into server and network resources. The sFlow-RT analytics engine receives a continuous telemetry stream from sFlow agents running on network devices. The RESTflow API makes it easy to configure a FlowSpec connection on sFlow-RT and to control a device supporting BGP FlowSpec: it instructs sFlow-RT to send a BGP UPDATE message to the BGP neighbor with a FlowSpec NLRI containing the flow specification and an extended community carrying the appropriate action.
The tutorial covers the installation of sFlow-RT on Ubuntu 18.04 and the creation of a rule using the RESTflow API. The rule is exported to an Arista vEOS switch by an HTTP/REST call in order to mitigate a DNS amplification DDoS attack. The configuration of BGP FlowSpec on the Arista vEOS switch is also covered. The switch is a virtual machine running vEOS 4.22.0F, which supports BGP FlowSpec.
RAM Requirements:
- Arista vEOS: 2048MB
- Ubuntu 18.04: 4192MB
- Core Linux: 256MB
Used Software:
- Host OS: Debian GNU/Linux 10 (buster)
- GNS3 2.1.21
- Qemu/KVM 3.1.0
- Vncviewer (RealVNC) 6.19.235
- Arista vEOS 4.22.0F
The network topology, consisting of a virtual Arista switch and an Ubuntu VM with sFlow-RT installed, is depicted in Picture 3. sFlow-RT combines real-time analytics of sFlow data with BGP routing information. The switch exports real-time sFlow traffic statistics to the sFlow collector, and thanks to the BGP daemon running on the Ubuntu host, BGP path attributes can be presented in flows.
Picture 3 - Network Topology
1. sFlow-RT Installation and Configuration on Ubuntu 18.04
Assuming that you have already installed Ubuntu 18.04, download the sFlow-RT deb package.
$ wget https://inmon.com/products/sFlow-RT/sflow-rt_3.0-1400.deb
We use apt to install the deb package, as it resolves all dependencies for us.
$ sudo apt install ./sflow-rt_3.0-1400.deb
Create the script file below in the directory where sFlow-RT is installed. The IP address 10.0.0.1 is the address of the Arista switch, AS 65001 is the AS number of the sFlow-RT BGP instance and 10.0.0.2 is the router ID (and address) of sFlow-RT. The JavaScript string is wrapped in single quotes so that the shell does not swallow the inner double quotes.
$ sudo su
# echo 'bgpAddNeighbor("10.0.0.1","65001","10.0.0.2",{flowspec:true,flowspec6:true});' > /usr/local/sflow-rt/bgp.js
Add the following statements to the sFlow-RT configuration file.
# echo "bgp.start=yes" >> /usr/local/sflow-rt/conf.d/sflow-rt.conf
# echo "bgp.port=179" >> /usr/local/sflow-rt/conf.d/sflow-rt.conf
# echo "script.file=bgp.js" >> /usr/local/sflow-rt/conf.d/sflow-rt.conf
# exit
Start the sFlow-RT binary.
$ sudo /usr/local/sflow-rt/bin/run-rt
Check in the sFlow-RT log file that the appliance is listening on port 179 and that the web interface has started on port 8008. The last entry confirms that a BGP session has been established with the eBGP neighbor in AS 65000.
$ cat /usr/local/sflow-rt/log/sflow-rt0.log
Picture 4 - Checking the sFlow-RT Log File
Once sFlow-RT is running, open a web browser and navigate to the URL below, then click the button Open REST API Explorer.
http://127.0.0.1:8008/
2. Configuration on Arista vEOS Appliance
The Arista vEOS switch configuration consists of an sFlow part and a BGP FlowSpec part. The sFlow sampling rate is set to 16384 (one sample per 16384 packets) and the polling interval to 30 seconds, so the switch sends counter data every 30 seconds. The sFlow destination is the IP address 10.0.0.2 (sFlow-RT) and the sFlow source address is the IP of the management interface (10.0.0.1).
sflow sample 16384
sflow polling-interval 30
sflow destination 10.0.0.2
sflow source 10.0.0.1
Enable sFlow globally.
sflow run
In order to enable BGP FlowSpec, the multi-agent routing protocol model must be enabled as well.
service routing protocols model multi-agent
sFlow-RT is connected to the port Management1 of the switch. Ethernet ports Eth1 and Eth2 are switchports (L2 ports).
interface Ethernet1
   flow-spec ipv4 ipv6
interface Ethernet2
   flow-spec ipv4 ipv6
interface Management1
   ip address 10.0.0.1/24
ip routing
router bgp 65000
   router-id 10.0.0.1
   neighbor 10.0.0.2 remote-as 65001
   neighbor 10.0.0.2 transport remote-port 179
   neighbor 10.0.0.2 send-community extended
   neighbor 10.0.0.2 maximum-routes 12000
   address-family flow-spec ipv4
      neighbor 10.0.0.2 activate
   address-family flow-spec ipv6
      neighbor 10.0.0.2 activate
3. sFlow Testing
The following commands, issued on the Arista switch (10.0.0.1), instruct the central sFlow-RT analytics engine running on host 10.0.0.2 to build flow caches for TCP and UDP flows and to log the completed flows. Enter the Arista vEOS shell with the command below; privileged mode is required.
Arista# bash
[admin@Arista ~]$
$ curl -H "Content-Type:application/json" -X PUT --data '{"keys":"ipsource,ipdestination,udpsourceport,udpdestinationport", "value":"bytes", "log":true}' http://10.0.0.2:8008/flow/udp/json
$ curl -H "Content-Type:application/json" -X PUT --data '{"keys":"ipsource,ipdestination,tcpsourceport,tcpdestinationport", "value":"bytes", "log":true}' http://10.0.0.2:8008/flow/tcp/json
Note: Replace PUT with DELETE if you want to delete the flow cache.
To retrieve the flow definitions, issue the command:
$ curl http://10.0.0.2:8008/flow/json
Picture 5 - Checking Flow Definition on sFlow-RT
The following command retrieves the first two flow records logged by all the flow caches.
$ curl http://10.0.0.2:8008/flows/json?maxFlows=2
Picture 6 - Checking sFlow Records
4. DNS Amplification DDoS Attack Mitigation Using BGP FlowSpec
We are going to install a rule that drops packets sent from the DNS amplifiers to the victim IP address 192.168.2.1. Those are UDP datagrams with the source UDP port 53. The rule can be installed from the CLI or using the web interface. Enter the Arista Networks EOS shell on the switch from privileged mode with the command below.
Arista# bash
[admin@Arista ~]$
$ curl -X PUT "http://10.0.0.2:8008/bgp/flowspec/10.0.0.1/json" -H "accept: */*" -H "Content-Type: application/json" -d "{\"match\":{\"source-port\":\"53\",\"protocol\":\"17\",\"destination\":\"192.168.2.1\"},\"then\":{\"traffic-rate\":\"0\"}}"
Check that the rule is configured on sFlow-RT for the switch 10.0.0.1 (Picture 7).
$ curl -X GET "http://10.0.0.2:8008/bgp/flowspec/10.0.0.1/json" -H "accept: application/json"
Picture 7 - Checking the FlowSpec Rule on sFlow-RT
Note: If you want to delete the rule, replace PUT with DELETE in the curl command.
Now leave the EOS shell and return to privileged mode.
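As an added example that is not part of the original tutorial or of the sFlow-RT project, the following Python turns records from the udp flow cache defined in section 3 into the same drop rule and builds the RESTflow request for it; the sample records are constructed, and the /flows/json field names (name, flowKeys, value) are assumed.

```python
import json
import urllib.request

# Key order of the "udp" flow cache defined with PUT /flow/udp/json in section 3
UDP_FLOW_KEYS = ("ipsource", "ipdestination", "udpsourceport", "udpdestinationport")

# Constructed sample records in the shape assumed for sFlow-RT's /flows/json output
SAMPLE_FLOWS = [
    {"name": "udp", "flowKeys": "203.0.113.10,192.168.2.1,53,41234", "value": 9.8e7},
    {"name": "udp", "flowKeys": "203.0.113.11,192.168.2.1,53,41235", "value": 7.5e7},
    {"name": "udp", "flowKeys": "192.168.2.1,203.0.113.20,41236,53", "value": 1.2e3},
    {"name": "tcp", "flowKeys": "198.51.100.5,192.168.2.1,443,50001", "value": 5.0e6},
]

def amplification_rules(flows, threshold_bytes):
    """Return one FlowSpec drop rule per victim receiving UDP/53 flows above the threshold."""
    rules = {}
    for rec in flows:
        if rec["name"] != "udp":
            continue
        flow = dict(zip(UDP_FLOW_KEYS, rec["flowKeys"].split(",")))
        # amplified DNS replies come *from* port 53; normal queries *towards* port 53 are left alone
        if flow["udpsourceport"] != "53" or rec["value"] < threshold_bytes:
            continue
        victim = flow["ipdestination"]
        rules.setdefault(victim, {
            "match": {"source-port": "53", "protocol": "17", "destination": victim},
            "then": {"traffic-rate": "0"}})
    return list(rules.values())

def flowspec_request(collector, router, rule, method="PUT"):
    """Build the RESTflow call used in this section; DELETE with the same body withdraws the rule."""
    url = f"http://{collector}:8008/bgp/flowspec/{router}/json"
    return urllib.request.Request(url, data=json.dumps(rule).encode(), method=method,
                                  headers={"Content-Type": "application/json"})

if __name__ == "__main__":
    for rule in amplification_rules(SAMPLE_FLOWS, threshold_bytes=5e7):
        req = flowspec_request("10.0.0.2", "10.0.0.1", rule)
        with urllib.request.urlopen(req) as resp:  # needs a reachable sFlow-RT at 10.0.0.2
            print(resp.status, rule["match"]["destination"])
```

With the constructed records, the two large flows towards 192.168.2.1 collapse into a single rule, while the outbound DNS query and the TCP flow produce none.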
[admin@Arista ~]$ exit
To check that vEOS has received and successfully installed the rule, issue the command below (Picture 8).
Arista# show bgp flow-spec ipv4 detail
Picture 8 - Checking FlowSpec Rule on Arista vEOS
Although we have enabled FlowSpec on the interfaces Ethernet1 and Ethernet2 of our Arista virtual EOS appliance, it seems that the configuration is not applied to the interfaces at all. This can easily be checked with the command show flow-spec ipv4. I assume that the virtual appliance does not fully support FlowSpec.
Conclusion
We have successfully configured the sFlow-RT application to install a rule matching the attributes of a DNS amplification DDoS attack on the Arista vEOS appliance. However, we cannot check whether the virtual EOS appliance really drops the DDoS traffic, because FlowSpec is not supported on the interfaces of the vEOS appliance. Please leave a comment under the article if my findings are not correct.