Day One: Deploying BGP Flowspec

DDoS attacks are becoming increasingly prevalent on public IP networks. They have a huge economic impact on the victim as well as on the customers who share infrastructure with the victim. This book gives the reader the tools they need to quickly respond to and mitigate DDoS attacks using BGP FlowSpec technology.

The Junos OS supports BGP FlowSpec for both IPv4 and VPNv4 route types. These routes are automatically converted into firewall filters to block attacks quickly. And that’s just the start of the book’s customization of the Junos OS to defend and protect your network’s assets from attack.

Be proactive and defend your network before something happens. Get in the lab and learn how to deploy BGP FlowSpec using the Junos OS with this practical and well-written book.

“Day One: Deploying BGP FlowSpec is a concise primer on identifying DDOS attacks and using BGP FlowSpec on the MX Series to defeat them.”

- Alex Latzko, Lead Network Engineer, Server Central

Download Book

Day One books are a free download for our J-Net members*. If you’re not a J-Net member, create a user account now. It’s fast and there’s no commitment or spam. Once you’re a member you can come back and download any of the Day One books.

* If you have an existing Juniper user account, you can use it to log in to J-Net.

About the Author(s)

Justin Ryburn is a Senior Systems Engineer at Juniper Networks. He has 15 years of experience in various operations, engineering, and sales engineering positions with Service Providers and vendors. Justin contributed content to Cyber Forensics (Auerbach Publishing, 2007). He holds an MBA and a MS in IT Management from Webster University in St. Louis, MO as well as numerous industry certifications.

Author Q & A

What got you started on this book?

I have presented on the topic of BGP FlowSpec before at a few industry conferences. One of the questions that kept coming up during the Q&A was: “How do I take the theory you are presenting and actually apply it in my network?” I realized there was a need for a guide that explained how to design and configure a DDoS mitigation solution based around BGP FlowSpec. I would love to see more industry adoption of BGP FlowSpec, so I decided to write this guide to help address this gap.

Who is this book for?

This book is for any network engineer that is interested in learning more about BGP FlowSpec. It will be really useful for Service Provider engineers that are trying to design and build a DDoS mitigation solution built around BGP FlowSpec. However, I believe any network engineer wanting to understand how BGP FlowSpec really works can benefit from the material in this book. The reader should have a strong understanding of how the BGP protocol works. It would also be helpful to understand Junos routing policy before reading this guide.

After reading this book, what’s the takeaway?

The main takeaway is that BGP FlowSpec is one of the best solutions for mitigating DDoS attacks that we as an industry have. DDoS attacks are a very serious problem on public IP networks. My hope is the reader walks away from this book with a better understanding of how BGP FlowSpec can help with that problem. Ideally, they will also be armed with the knowledge to deploy this technology in their own network.

What are you hoping that people will learn from this book?

I am hoping that the reader will learn how to implement and configure BGP FlowSpec in their network. I think a lot of people are scared off by some of the complexities in BGP FlowSpec. Hopefully this book will help simplify it enough to make the reader feel comfortable with jumping in and giving it a try.

What do you recommend as the next item to read after this book?

If the readers want to know more about BGP FlowSpec in general, I suggest they read RFC 5575, which includes all the gory details on FlowSpec. If they are looking more for Juniper-specific implementation details, I suggest they take a look at the Technical Documentation. Also, there is a lot of work still being done by the IETF and Juniper to improve upon the current BGP FlowSpec solution. I encourage people to get involved with the IETF IDR working group and keep up with the latest on where BGP FlowSpec is going. There are many, many links to these sources and others within the book. Be sure to check them out.

What's your inspiration?

I spent a number of years working in the operations department for a large service provider. One of our jobs was to isolate and block DDoS attacks. This meant we got called at all hours of the day and night to troubleshoot these attacks. I remember thinking at the time, “There has to be a better way to do this.” In my opinion, BGP FlowSpec is that better way. This has inspired me to learn about and evangelize BGP FlowSpec.

While BGP FlowSpec is not a new technology, the adoption of it in public IP networks has been fairly limited to date. I have a passion for helping people understand how BGP FlowSpec can help. I am also interested in working with the industry on ways we can improve BGP FlowSpec so it can improve over time.

What’s your favorite bit/part in the book?

Personally, my favorite part of the book is Chapter 6, which describes using BGP FlowSpec to redirect traffic to a scrubbing center. I think this could be a really interesting way to mitigate application-layer DDoS attacks for a lot of companies. The possibilities that type of solution opens up really excite me.