BGP Signaling

This article describes how MITIGATOR uses BGP to signal upstream telecom operators or security service providers (MSSPs).

Signaling Goals

When MITIGATOR works as perimeter protection against DDoS attacks, it can mitigate an attack on its own only up to the total capacity of the inbound links. To keep those links from being saturated, coarse filtering can be enabled at upstream telecom operators or protection service providers.

MSSPs accept client signaling over REST APIs, BGP, BGP FlowSpec and closed proprietary protocols. MITIGATOR supports signaling scenarios with all of these.

BGP Signaling Setup Example

MITIGATOR maintains a number of system lists that can be populated with prefixes automatically, by different criteria and from different sources. Lists with the system.policy.signaling. prefix exist specifically for signaling, but any similar list can be used for signaling as long as it is not already used for other purposes. The example below uses the system.policy.signaling.prefixes system list, populated with the prefixes from the dst_prefixes field of the protection policy's routing rules.

To announce the prefixes whose traffic needs to be scrubbed, a BGP session between the MITIGATOR instance and the MSSP BGP speaker must be configured. The MSSP BGP speaker is added as a BGP neighbor of the MITIGATOR instance. If there is more than one scrubbing service, a separate BGP neighbor must be configured for each.

The neighbor's network parameters are specified in its settings. A large TTL value for IP packets is recommended, since the MSSP BGP speaker may be many hops away.

The system.policy.signaling.prefixes list is specified in the BGP neighbor's announcement policy.

A special nexthop and community are specified according to the MSSP's requirements.
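What the MSSP BGP speaker actually receives for each prefix in the list is a BGP UPDATE carrying the prefix as NLRI together with the agreed NEXT_HOP and COMMUNITIES attributes. The following is an added illustration, not MITIGATOR code: it builds such an UPDATE from the wire format in RFC 4271 and RFC 1997 and parses it back, so the announcement can be checked before the session is brought up. It assumes a 4-octet AS_PATH (AS4 capability negotiated), plain IPv4 unicast NLRI, and attribute values short enough for a one-byte length; the prefixes, next hop, AS number and community in the usage call are constructed sample values.

```python
"""Build and parse a minimal BGP UPDATE announcing IPv4 prefixes with a chosen
NEXT_HOP and COMMUNITIES attribute (RFC 4271, RFC 1997).

Added example, not MITIGATOR code. Assumes a 4-octet AS_PATH (AS4 capability
negotiated) and IPv4 unicast NLRI; all attribute values are < 256 bytes."""

import ipaddress
import struct

BGP_MARKER = b"\xff" * 16
TYPE_UPDATE = 2

# Path attribute type codes and flag bits (RFC 4271 section 4.3, RFC 1997)
ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP, ATTR_COMMUNITIES = 1, 2, 3, 8
FLAG_OPTIONAL = 0x80
FLAG_TRANSITIVE = 0x40
FLAG_EXT_LENGTH = 0x10


def _attr(flags, code, value):
    """Encode one path attribute with a one-byte length field."""
    return struct.pack("!BBB", flags, code, len(value)) + value


def _nlri(prefix):
    """Encode a prefix as <length in bits><minimal number of network octets>."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def build_update(prefixes, next_hop, local_as, communities):
    """Return the wire bytes of an UPDATE announcing `prefixes` (strings 'a.b.c.d/n')
    via `next_hop`, with `communities` given as (asn, value) pairs, e.g. (64500, 666)."""
    # AS_PATH: one AS_SEQUENCE segment (type 2) holding only our own AS
    as_path = struct.pack("!BB", 2, 1) + struct.pack("!I", local_as)
    comm = b"".join(struct.pack("!HH", asn, val) for asn, val in communities)
    attrs = (
        _attr(FLAG_TRANSITIVE, ATTR_ORIGIN, b"\x00")  # ORIGIN = IGP
        + _attr(FLAG_TRANSITIVE, ATTR_AS_PATH, as_path)
        + _attr(FLAG_TRANSITIVE, ATTR_NEXT_HOP, ipaddress.IPv4Address(next_hop).packed)
        + _attr(FLAG_OPTIONAL | FLAG_TRANSITIVE, ATTR_COMMUNITIES, comm)
    )
    nlri = b"".join(_nlri(p) for p in prefixes)
    # No withdrawn routes, then total path attribute length, attributes, NLRI
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri
    header = BGP_MARKER + struct.pack("!HB", 19 + len(body), TYPE_UPDATE)
    return header + body


def parse_update(msg):
    """Decode an UPDATE into (prefixes, next_hop, communities): what the neighbor sees."""
    if msg[:16] != BGP_MARKER or msg[18] != TYPE_UPDATE:
        raise ValueError("not a BGP UPDATE")
    if struct.unpack("!H", msg[16:18])[0] != len(msg):
        raise ValueError("length field does not match message size")
    pos = 19
    withdrawn_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2 + withdrawn_len
    attrs_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    attrs_end = pos + attrs_len
    next_hop, communities = None, []
    while pos < attrs_end:
        flags, code = msg[pos], msg[pos + 1]
        if flags & FLAG_EXT_LENGTH:
            vlen = struct.unpack("!H", msg[pos + 2:pos + 4])[0]
            pos += 4
        else:
            vlen = msg[pos + 2]
            pos += 3
        value = msg[pos:pos + vlen]
        pos += vlen
        if code == ATTR_NEXT_HOP:
            next_hop = str(ipaddress.IPv4Address(value))
        elif code == ATTR_COMMUNITIES:
            communities = [struct.unpack("!HH", value[i:i + 4]) for i in range(0, len(value), 4)]
    prefixes = []
    while pos < len(msg):
        plen = msg[pos]
        nbytes = (plen + 7) // 8
        addr = msg[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
        prefixes.append(f"{ipaddress.IPv4Address(addr)}/{plen}")
        pos += 1 + nbytes
    return prefixes, next_hop, communities


if __name__ == "__main__":
    # Constructed sample: two protected prefixes, MSSP-supplied nexthop and community
    update = build_update(["203.0.113.0/24", "198.51.100.128/25"], "192.0.2.1", 64496, [(64500, 666)])
    print(update.hex())
    print(parse_update(update))
```

Feeding the produced bytes through a packet dissector, or the parser above, is a quick way to confirm that the community and nexthop the MSSP asked for are what the announcement carries before the session goes live.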

Auto-detection thresholds are set for the protection policy; when they are exceeded, the policy's prefixes are added to the system.policy.signaling.prefixes list.

Thus, when the auto-detection system registers that the Policy.BGP.Signaling.InputPps.On threshold has been exceeded, the system.policy.signaling.prefixes list is populated with the policy's prefixes. These prefixes are announced to the MSSP BGP speaker via BGP; on receiving them, the MSSP can steer traffic addressed to the protected prefixes into its own protection mechanisms.

Note that if the MSSP is not configured to keep scrubbing on its own while it still observes a high traffic rate, then once scrubbing starts at the MSSP, the traffic rate seen by the protection policy may drop below the Policy.BGP.Signaling.InputPps.Off threshold. That removes the prefixes from the announced list, and scrubbing at the MSSP stops. To minimize such flapping while tuning the auto-detection thresholds, it is recommended to increase the number of analyzed intervals.
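The feedback loop described in this note can be simulated. The following is an added example, not MITIGATOR code: the Policy.BGP.Signaling.InputPps.On and .Off thresholds are modelled by a small detector, the number of consecutive intervals a condition must hold is an assumed knob standing in for the "number of analyzed intervals", and the packet rates are constructed. The MSSP is modelled as scrubbing exactly while the prefixes are announced, which is the case the note warns about, so a withdrawal immediately lets the full attack rate back in.

```python
"""Simulate on/off signaling thresholds with a consecutive-interval requirement.

Added example, not MITIGATOR code. Models the On/Off threshold behaviour described
in the text; `intervals` is an assumed knob for the number of analyzed intervals."""


class SignalingDetector:
    """Hysteresis between On and Off thresholds: a condition must hold for
    `intervals` consecutive measurements before prefixes are added or removed."""

    def __init__(self, on_pps, off_pps, intervals=1):
        if off_pps >= on_pps:
            raise ValueError("Off threshold must be below On threshold")
        self.on_pps = on_pps
        self.off_pps = off_pps
        self.intervals = intervals
        self.active = False  # True while prefixes are in system.policy.signaling.prefixes
        self._above = 0
        self._below = 0
        self.events = []  # (tick, "add" | "remove")

    def feed(self, tick, pps):
        """Consume one measurement; return whether prefixes are announced afterwards."""
        if not self.active:
            self._above = self._above + 1 if pps > self.on_pps else 0
            if self._above >= self.intervals:
                self.active = True
                self._above = 0
                self.events.append((tick, "add"))
        else:
            self._below = self._below + 1 if pps < self.off_pps else 0
            if self._below >= self.intervals:
                self.active = False
                self._below = 0
                self.events.append((tick, "remove"))
        return self.active


def simulate(attack_pps, leak_fraction, ticks, on_pps, off_pps, intervals):
    """Closed loop: the MSSP scrubs exactly while the prefixes are announced, so
    only `leak_fraction` of the attack reaches MITIGATOR during scrubbing and the
    full rate returns as soon as the announcement is withdrawn. Returns the
    (tick, event) list."""
    det = SignalingDetector(on_pps, off_pps, intervals)
    for t in range(ticks):
        observed = attack_pps * (leak_fraction if det.active else 1.0)
        det.feed(t, observed)
    return det.events


def flap_count(events):
    """Number of times scrubbing was stopped by a withdrawal."""
    return sum(1 for _, kind in events if kind == "remove")


if __name__ == "__main__":
    # Constructed scenario: 2 Mpps attack, MSSP lets 2% through, On=1 Mpps, Off=0.5 Mpps
    for intervals in (1, 5):
        events = simulate(2_000_000, 0.02, 20, 1_000_000, 500_000, intervals)
        print(f"intervals={intervals}: {flap_count(events)} withdrawals, events={events}")
```

With a single analyzed interval the announcement toggles every tick; requiring five consecutive intervals cuts the withdrawals by a factor of five over the same window. The loop only disappears entirely when the MSSP keeps scrubbing based on what it observes itself, which is the configuration the note asks for.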