Starting with IRP 4.1, the platform includes a new feature called Threat Mitigation. It incorporates the statistics collection and the blackholing mechanism present in previous product versions, and adds a fully automated, threshold-based threat mitigation instrument that introduces Flowspec in addition to RTBH.
Threat Mitigation can operate in the following modes:
- Automated: IRP performs a particular threat mitigation action automatically when an attack is detected.
- Moderated: the Threat Mitigation action requires manual confirmation. Once IRP detects an attack, a suggestion to enable the mitigation rule is displayed in the GMI interface. IRP does not perform any actions without user confirmation. If the action is not enabled before the subsequent cycle of checks, IRP reviews the proposal and adjusts it as needed: keeping the recommendation, making a different one, or removing it altogether.
- Manual: only manual threat mitigation rules can be set up.
- Disabled: IRP does not perform any threat mitigation actions.
The Threat Mitigation feature is based on threshold rules set by IRP users. In the context of DoS/DDoS attack detection, threshold values are rates expressed in kilo packets or megabits per second. Specifically, a detection threshold is the rate at which an IRP instance raises an alert for an attack and takes the action defined in the rule. For instance, if the Flowspec rule threshold is set to 80 kilo packets per second, an alert is generated once the incoming packet flow towards a destination exceeds this bound, and the Flowspec action is then triggered. Hence, setting an appropriate detection threshold value in rules is critical to responding effectively to DoS threats while reducing false alerts.
The FlowSpec mitigation method can be chosen to filter out smaller attacks, while a Remote Triggered Blackhole should be sent to providers to block large-volume attacks.
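The threshold logic and operating modes described above can be modelled as follows. This is an added illustration, not Noction's code or IRP's configuration schema: the `Rule` class, the threshold values other than the 80 kpps figure, the sample traffic, and the choice to trigger on either the kpps or the Mbps bound are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Rule:          # hypothetical rule model, not IRP's configuration schema
    action: str      # "flowspec" or "rtbh"
    kpps: float      # detection threshold, kilo packets per second
    mbps: float      # detection threshold, megabits per second

# Constructed thresholds, highest first so large attacks escalate to RTBH.
RULES = [Rule("rtbh", kpps=500, mbps=4000), Rule("flowspec", kpps=80, mbps=600)]

# Constructed samples for one 10-second cycle: (destination, packets, bytes).
SAMPLES = [
    ("203.0.113.10", 400_000, 24_000_000),
    ("203.0.113.10", 500_000, 30_000_000),
    ("203.0.113.20", 6_000_000, 6_000_000_000),
    ("203.0.113.30", 100_000, 100_000_000),
]

def rates(samples, interval_s):
    """Aggregate samples into {dst: (kpps, mbps)} for the interval."""
    totals = defaultdict(lambda: [0, 0])
    for dst, packets, nbytes in samples:
        totals[dst][0] += packets
        totals[dst][1] += nbytes
    return {dst: (p / interval_s / 1e3, b * 8 / interval_s / 1e6)
            for dst, (p, b) in totals.items()}

def evaluate(samples, interval_s, mode):
    """Return {dst: (decision, action)} for destinations above a threshold."""
    if mode not in ("automated", "moderated"):
        return {}  # manual and disabled: nothing is triggered by detection
    decision = "apply" if mode == "automated" else "suggest"
    result = {}
    for dst, (kpps, mbps) in rates(samples, interval_s).items():
        for rule in RULES:
            if kpps > rule.kpps or mbps > rule.mbps:
                result[dst] = (decision, rule.action)
                break  # first (largest) matching rule wins
    return result

if __name__ == "__main__":
    for mode in ("automated", "moderated", "manual", "disabled"):
        print(mode, evaluate(SAMPLES, 10, mode))
```

A destination sitting exactly at 80 kpps does not trigger the Flowspec rule in this model, since the text describes the alert as firing when the rate exceeds the bound.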
1.2.24.1 Configuring Blackholing
A Provider in IRP must be configured before it can be used for blackholing.
IRP needs to know the next-hop (bgpd.peer.X.blackholing.ipv4.next_hop, bgpd.peer.X.blackholing.ipv6.next_hop), localpref (bgpd.peer.X.blackholing.localpref) and community (peer.X.blackholing.community) values to be able to send a route to a user’s network.
The user’s router is responsible for recognizing the communities sent by an IRP instance and advertising blackholing routes to the provider’s router that receives such routes.
1.2.24.2 Configuring FlowSpec
The FlowSpec feature should be enabled globally in global.flowspec and then for each BGP session in bgpd.peer.X.flowspec.

