====== DDoS-Protection Appliance Network Setup ======
===== Requirements =====
The aurologic DDoS-Protection stack requires the following components to be available in order to function fully.
===== sFlow Sampling =====
sFlow samples must be exported for every interface that carries traffic for protected prefixes, so that attacks can be detected automatically, metrics about their size can be provided and continuous flow samples can be delivered through the API. Customers shall configure a sample rate of at least 8192 and at most 32768 for both ingress- and egress-generated samples. The default flowanalyzer sample port is UDP 6343.
===== VRF Redirection =====
flowShield and flowProxy nodes work by routing ingress traffic onto a specific filter (standalone) or a set of filters (ECMP cluster of filters), redirecting incoming traffic either from an internet border router onto the filter(s) or on its way towards the protected client. Typically customers run a combined edge-core setup consisting of one or more core routers that receive ingress traffic from their upstream and peering partners; customers may also exchange network traffic directly. In order to redirect part of that traffic (either for a single host or for a subnet) onto filtering devices such as flowShield or flowProxy, customers need to isolate that traffic within a separate VRF. At aurologic, as a standard procedure, we call that VRF 'ingress'. The ingress VRF receives traffic either through BGP Flowspec ("Redirect to Route Target"), which is the recommended way, or through an ingress policy such as a firewall filter (Juniper JunOS).
Within the ingress VRF, at least two BGP sessions (or more, depending on the sizing of the setup) shall be configured in order to redirect traffic onto flowShield or flowProxy nodes. flowProxy-related routes, however, should carry a lower local preference than RTBH or flowShield-specific routes, in order to avoid overloading flowProxy during heavy network-related attacks. The BGP sessions configured within the ingress VRF should be reachable from flowanalyzer, e.g. by providing a separate VLAN tagged on the management port of the physical mitigation node.
===== BGP Flowspec =====
BGP Flowspec allows ingress traffic to be redirected into a VRF by defining a route distinguisher and sending a route carrying the "Redirect to Route Target" action. flowanalyzer generates such routes whenever it is configured to interact with BGP Flowspec-capable devices. BGP Flowspec is available on most Arista Networks devices running the latest EOS software version, as well as on Juniper Networks devices (except several QFX series) such as the QFX10002 and, to this date, all known MX series models. Several Juniper EX/QFX series models such as the QFX5100/QFX5200 only support forwarding of BGP Flowspec routes, but do not program the underlying hardware chipset when receiving a Flowspec route. It is therefore important to note that BGP Flowspec will not work on these models for traffic filtering. The reason is typically a missing implementation of the Broadcom FPGA-specific instructions, related to the limited TCAM available. Customers running such devices can still configure firewall filters on ingress for each party sending traffic in (upstream/peering/customer) in order to redirect ingress traffic into the ingress routing-instance (VRF), making DDoS-Protection work without replacing network devices.
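As an added example (not part of this documentation and not the flowanalyzer implementation), the following Python encodes and decodes the two BGP Flowspec building blocks the redirect described above relies on: a destination-prefix NLRI and the "Redirect to Route Target" extended community (RFC 5575 / RFC 7674), plus the traffic-rate community for comparison. All prefixes, AS numbers and route-target values are constructed; a practitioner can use it to check what a Flowspec-capable router should receive on the wire.

```python
# Added example: BGP Flowspec building blocks for "Redirect to Route Target"
# (RFC 5575 / RFC 7674). All prefixes, AS numbers and RT values are constructed.
import ipaddress
import struct

# Extended-community (type, sub-type) codes from RFC 5575 / RFC 7674
TRAFFIC_RATE = (0x80, 0x06)   # rate-limit in bytes/s; 0 = discard
REDIRECT_AS2 = (0x80, 0x08)   # redirect to RT, 2-octet AS : 4-octet value
REDIRECT_IP4 = (0x81, 0x08)   # redirect to RT, IPv4 address : 2-octet value
REDIRECT_AS4 = (0x82, 0x08)   # redirect to RT, 4-octet AS : 2-octet value

def encode_dest_prefix_nlri(prefix: str) -> bytes:
    """Flowspec NLRI with one type-1 (destination prefix) component."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    nbytes = (net.prefixlen + 7) // 8  # only the significant octets are sent
    comp = bytes([1, net.prefixlen]) + net.network_address.packed[:nbytes]
    if len(comp) < 240:                # short length form (one octet)
        return bytes([len(comp)]) + comp
    return struct.pack("!H", 0xF000 | len(comp)) + comp

def encode_redirect_rt(asn: int, value: int) -> bytes:
    """Redirect-to-Route-Target extended community in AS:value form."""
    if asn <= 0xFFFF:
        return bytes(REDIRECT_AS2) + struct.pack("!HI", asn, value)
    return bytes(REDIRECT_AS4) + struct.pack("!IH", asn, value)

def encode_traffic_rate(asn: int, bytes_per_sec: float) -> bytes:
    """traffic-rate extended community; a rate of 0.0 drops the flow."""
    return bytes(TRAFFIC_RATE) + struct.pack("!Hf", asn, bytes_per_sec)

def decode_ext_community(ec: bytes) -> dict:
    """Decode one 8-octet Flowspec action community into a readable dict."""
    if len(ec) != 8:
        raise ValueError("extended community must be 8 octets")
    kind, body = (ec[0], ec[1]), ec[2:]
    if kind == TRAFFIC_RATE:
        asn, rate = struct.unpack("!Hf", body)
        return {"action": "traffic-rate", "asn": asn, "bytes_per_sec": rate}
    if kind == REDIRECT_AS2:
        asn, value = struct.unpack("!HI", body)
    elif kind == REDIRECT_AS4:
        asn, value = struct.unpack("!IH", body)
    elif kind == REDIRECT_IP4:
        asn, value = ipaddress.IPv4Address(body[:4]), struct.unpack("!H", body[4:])[0]
    else:
        return {"action": "unknown", "raw": ec.hex()}
    return {"action": "redirect", "route_target": f"{asn}:{value}"}
```

The route target in the redirect community must match the import target configured on the ingress VRF, otherwise the router accepts the Flowspec route but never moves traffic into the VRF.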
===== Vendor specific setup =====
...tbd...
==== Arista Networks ====
==== Juniper Networks ====