Overview of BGP Flow Specification

The device configured with BGP Flow Specification sent a BGP Flow Specification route carrying a filtering rule to BGP Flow Specification peers so that the traffic that consumes a lot of network resources or aims to attack servers can be filtered or controlled on the peers.

Definition

BGP Flow Specification is used to protect the device against denial-of-service (DoS) and distributed DoS (DDoS) attacks.

Purpose

DoS and DDoS attacks pose a grave threat to network security. An attacker can control thousands of devices to attack the same destination address, network segment, or a server. Such attacks cause network congestion and can even cause a server to fail to provide services due to excessive CPU usage.

Traditionally, there are two techniques for protecting the system against DoS or DDoS attacks: traffic classification and traffic redirection. However, the techniques have defects, as listed in Table 1.

**Table 1** Defects of traffic classification and traffic redirection
Preventative Technique	Technique Description	Defects
Traffic classification	Traffic filtering rules and quality of service (QoS) policies are configured to reduce DoS and DDoS attacks on the network.	The technique has the following defects: Difficult to ensure real-time deployment of traffic policies. To reduce DoS and DDoS attacks, coordination among network service providers is necessary to identify attack sources. Difficult to maintain traffic policies. Network administrators need to frequently modify traffic policies based on the characteristics of attack traffic.
Traffic redirection	The next hop of the route destined for the attack target is modified based on a routing policy. The next hop of the route is set to a blackhole, and attack traffic is discarded. The next hop of the route is set to a specified device responsible for filtering traffic to ensure proper processing of service traffic.	The technique has the following defects: The traffic filtering rule is simplistic. Only destination addresses can be used as a basis for traffic filtering. Traffic filtering information and routing information are transmitted together, which complicates maintenance.

BGP Flow Specification helps correct the preceding defects:

Improves information maintainability using BGP Network Layer Reachability Information (NLRI) defined in standard protocols to transmit traffic filtering information. This ensures separate transmission of traffic filtering information and routing information.
Allows more specific traffic filtering rules using various if-match clauses.

BGP Flow Specification supports BGP public-network Flow Specification, BGP VPN Flow Specification, and BGP VPNv4 Flow Specification. Table 2 lists their differences.

**Table 2** Comparison among BGP public-network Flow Specification, BGP VPN Flow Specification, and BGP VPNv4 Flow Specification
BGP Flow Specification	Usage Scenario	Address Family
BGP public-network Flow Specification	Applies to public-network scenarios.	BGP-Flow address family, BGP-IPv6-Flow address family
BGP VPN Flow Specification	Applies to VPN scenarios where BGP Flow Specification routes are not transmitted over the public network between VPNs.	BGP-Flow VPN instance IPv4 address family, BGP-Flow VPN instance IPv6 address family
BGP VPNv4 Flow Specification	Applies to VPN scenarios where BGP Flow Specification routes are transmitted over the public network between VPNs.	BGP-Flow VPN instance IPv4 address family and BGP-Flow VPNv4 address family

Benefits

BGP Flow Specification offers the following benefits:

Monitors the network in real time: Traffic is sampled periodically, and a specified action is taken immediately to block attack traffic.
Offers attack prevention defense: Traffic policies are configured manually based on common characteristics of attack traffic.
Lowers the cost: A traffic policy does not need to be created on all devices, which improves maintainability at lower cost.
Minimizes the attack scope: BGP Flow Specification routes can be transmitted between autonomous systems (ASs) so that attack traffic can be filtered out or controlled on devices nearest to attack sources.