Threat Mitigation and Tenant Flow Reporting in Flow Optimizer

April 16, 2018 Alan Sardella

Recent Enhancements in Newly-Released Flow Optimizer 2.1.1

In January, we discussed Flow Optimizer in an introductory blog. Flow Optimizer enables intelligent flow management, resource optimization, and threat mitigation. Organizations can optimize their network infrastructure through proactive monitoring, planning, and established policies that can, in turn, manage large traffic flows in an automated fashion.

Recent enhancements to Flow Optimizer include improved threat mitigation by adding BGP Remote Triggered Black Hold (RTBH) support for SLX devices, and adding tenant flow reporting for data center networks. We also added some features to ease the upgrade process from earlier releases.

DDoS Mitigation

Flow Optimizer not only detects volumetric DDoS attacks, but it mitigates them in an automated, closed-loop manner. Flow Optimizer’s detection functionality leverages sFlow, and the mitigation functionality has multiple options available:

  • Local network remediation using OpenFlow
  • Inter-domain remediation using BGP Remote Triggered Black Hole (RTBH) functionality
  • BGP Flowspec for either local or inter-domain remediation

The use of OpenFlow for local network remediation is discussed in the Flow Optimizer documentation. We’ll discuss the common inter-domain options here: RTBH and BGP Flowspec.

What is BGP RTBH?

Remotely triggering a black hole route through BGP RTBH involves advertising a BGP /32 host prefix to adjacent routers, which then discard packets destined to that host. This alleviates the congestion impact on the upstream transit link. Flow Optimizer can initiate an RTBH update, as illustrated in Figure 1.

Figure 1: Threat Mitigation Using RTBH

Upon identification of a volumetric attack, Flow Optimizer informs the trigger router in the local AS to advertise a /32 black hole route with the appropriate BGP community value. The upstream router has a policy in place to match on the community value and discard the packets destined to the /32 host. This effectively stops the attack at the upstream router, which prevents the DDoS attack from congesting the transit link and entering the local network.

As of Release 2.1.1, this support is available on SLX routers.

What is BGP Flowspec?

BGP Flowspec, first defined in RFC 5575: Dissemination of Flow Specification Rules (2009), lets you quickly mitigate the effects of a DDoS attack by using filtering and policing in protocol updates to BGP peer routers in your network and in adjacent ones. In comparison to BGP RTBH (which “black holes” packets to the /32 host victim), BGP Flowspec can advertise granular updates to match on specific Layer 3 and Layer 4 fields.  

Flow Optimizer can initiate BGP Flowspec by leveraging an open source distribution called ExaBGP. Among other advantages, ExaBGP provides network operators a cost-effective DDoS protection solution.

Figure 2: BGP Flowspec Support in Flow Optimizer  

In Figure 2, an attack enters from an upstream border router in another AS (AS# 222), and the border router is the entry point to the local AS (AS# 111). The border router peers with the upstream router, while Flow Optimizer (which includes ExaBGP), also exchanges eBGP updates with the upstream router.

On identifying a DDoS flow based on a user-configured match, a BGP Flowspec route is configured on ExaBGP to be announced to its peers. On disabling (deleting) the profile, the route is withdrawn from ExaBGP and in turn from all its peers.

Considerations for Choosing Each Option

As stated above, BGP Flowspec can match on source and destination IP addresses, protocols and ports. This granularity, which can affect many networks, is very powerful; by comparison, RTBH filters are coarser, and define blackholes that only affect the customer employing them.

Still, service providers are sometimes leery of having BGP Flowspec updates from external peers because they may not trust the marking. For this reason, unless the adjoining network is very well trusted and the filter details are shared, BGP Flowspec is often used within a single network, while RTBH is typically used between a network and its upstream networks.    

Both the value and the risks of BGP Flowspec are recognized and are being studied further, and the IETF community continues to actively update the capabilities of BGP Flowspec.

Other New Features in Flow Optimizer 2.1.1

Flow Optimizer has also introduced a new feature called Tenant Flow Reporting (TFR), which allows customers to estimate the network utilization of individual users or tenants. Traffic flows passing through monitored devices are evaluated and mapped to tenants along with respective flow utilization. The information used to identify tenants includes tenant name, IP address and VLAN ID.  

With the 2.1.1 release, Flow Optimizer also supports a rapid migration from either the 2.0.0 or the 2.1.0 releases.

Want to Learn More About Flow Optimizer?

Contact your account representative to find out more about Flow Optimizer can improve the efficiency of your network.  You can download a trial copy of Flow Optimizer here.

White papers, data sheets, and the most recent versions of Extreme software and hardware manuals are available at www.extremenetworks.com. Product documentation for all supported releases is available to registered users at www.extremenetworks.com/support/documentation.

About the Author

Alan Sardella

Alan Sardella is a Product Marketing Director at Extreme Networks, responsible for data center and cloud solutions including automation, telemetry and infrastructure. Alan has been in the networking industry for 15 years, working for a variety of vendors and open source providers, and focusing on routing, switching, and software-defined networking solutions. He worked in software development and technical training prior to that, and his academic training is in both computer science and the humanities.

More Content by Alan Sardella
Previous Article
IP Cameras, Video Surveillance, and Fabric-Based Networks
IP Cameras, Video Surveillance, and Fabric-Based Networks

How Security Surveillance Systems, a Critical Asset in Gaming Facilities and Hospitality, are Undergoing a ...

Next Article
Jasper County School District Provides an Exemplary Education to Students in Lowcountry Region of South Carolina
Jasper County School District Provides an Exemplary Education to Students in Lowcountry Region of South Carolina

In 2014, Jasper County was without Wi-Fi access in all of its four school buildings. That wasn’t the only o...