BGP FlowSpec
BGP FlowSpec (RFC 5575 / RFC 8955) lets CoreDetection push targeted filters instead of blackholing an entire victim prefix. Match protocol, ports, packet length, TCP flags, and fragmentation — then drop, rate-limit, scrub (accept/nexthop), redirect (RT), or mark (DSCP) only the offending traffic.
When to use FlowSpec vs blackhole
| Scenario | Recommended |
|---|---|
| Entire prefix saturated; no granular signal | BGP blackhole (RTBH) |
| SYN flood to one host — scrubbing center available | FlowSpec accept with scrubbing nexthop |
| UDP amplification on specific src port | FlowSpec drop with port match |
| Need to cap attack volume, not kill all traffic | FlowSpec rate-limit |
| Redirect to upstream scrubbing via RT | FlowSpec redirect |
When flowspec.enabled = true, confirmed attack mitigation announces FlowSpec rules instead of blackhole routes. Disable FlowSpec to return to RTBH-only behavior.
Enable FlowSpec
config.ini
[flowspec]
enabled = true
default_action = drop
rate_limit_bps = 1000000000
REST API (applies live — re-negotiates address family with peers)
curl -X PUT -H "X-API-Key: YOUR_KEY" -H "Content-Type: application/json" \
-d '{"enabled":true,"default_action":"drop"}' \
http://localhost:9009/CoreDetection/api/v0/config/flowspec
curl -X POST -H "X-API-Key: YOUR_KEY" \
http://localhost:9009/CoreDetection/api/v0/flowspec/apply
Appliance Portal
Open Mitigation → FlowSpec (/flowspec) to enable FlowSpec, set default action, add manual rules, and click Apply to BGP peers. Attack auto-mitigation follows the exporter map.
Exporter map & peer-selective export
When exporter_map_enabled = true, automatic attack FlowSpec rules are exported only to the BGP neighbor mapped to the attack's NetFlow exporter (primary_exporter in webhooks). The engine tags each rule with peer-target communities and applies per-neighbor export policies in GoBGP.
| Rule source | Export scope |
|---|---|
| Attack auto-mitigation | Mapped neighbor(s) only — skipped if exporter unmapped and fallback = none |
| Manual rules (/flowspec/rules) | All enabled BGP peers |
| Blocklist ([blocklist]) | All enabled BGP peers |
Configure the map in BGP & Mitigation → Exporter map or [bgp_settings] — see BGP Setup.
announce_high_attacks, etc.). A LOW-severity attack will not trigger FlowSpec even when enabled.
Router requirements
Peers must support BGP FlowSpec address family negotiation. Tested platforms include:
- Juniper MX / PTX / ACX (Junos)
- Cisco IOS-XR (ASR 9000, NCS)
- Nokia SR OS (7750 SR, 7250 IXR)
- Arista EOS (with FlowSpec feature enabled)
- Huawei VRP (NetEngine)
- BIRD (lab / automation)
Configure BGP sessions per BGP Setup. FlowSpec uses the same neighbors — toggling enabled triggers automatic AF re-negotiation; no service restart required.
Router-side FlowSpec configuration
Enable the FlowSpec address family on the same BGP session used for RTBH. Replace placeholders from BGP Setup → Router-side configuration.
Cisco IOS-XR
router bgp LOCAL_ASN
neighbor APPLIANCE_IP
address-family ipv4 flowspec
route-policy CD-FLOWSPEC-IN in
!
!
!
route-policy CD-FLOWSPEC-IN
pass
end-policy
Nokia SR OS
configure router "Base" bgp
group "COREDETECTION"
family ipv4 flowspec
exit
neighbor "APPLIANCE_IP"
family ipv4 flowspec
exit
exit
Huawei VRP / NetEngine
bgp LOCAL_ASN
ipv4-flow unicast
peer APPLIANCE_IP enable
peer APPLIANCE_IP route-policy CD-FLOWSPEC-IN import
#
route-policy CD-FLOWSPEC-IN permit node 10
Arista EOS
router bgp LOCAL_ASN
address-family ipv4 flowspec
neighbor CD activate
!
route-map CD-FLOWSPEC-IN permit 10
Requires the FlowSpec feature license on EOS. See also BGP Setup → Arista EOS for the full peer template.
Juniper Junos
set protocols bgp group COREDETECTION neighbor APPLIANCE_IP
set protocols bgp group COREDETECTION family inet-flow unicast
Example rules
Automatic attack mitigation
When an attack is confirmed and FlowSpec is enabled, the engine builds rules from attack fingerprints (protocol, ports, flags) using default_action. No manual API call needed for standard mitigation.
Manual rule — drop UDP/53 amplification to victim
curl -X POST -H "X-API-Key: YOUR_KEY" -H "Content-Type: application/json" \
-d '{"dst_prefix":"203.0.113.5","dst_prefix_len":32,"protocol":17,"src_port":53,"action":"drop","description":"DNS amp to customer"}' \
http://localhost:9009/CoreDetection/api/v0/flowspec/rules
Manual rule — SYN flood to scrubbing center
curl -X POST -H "X-API-Key: YOUR_KEY" -H "Content-Type: application/json" \
-d '{"dst_prefix":"203.0.113.5/32","protocol":6,"tcp_flags":["syn"],"action":"accept","ipv4_nexthops":["11.22.33.44"]}' \
http://localhost:9009/CoreDetection/api/v0/flowspec/rules
Manual rule — redirect to scrubbing RT
curl -X POST -H "X-API-Key: YOUR_KEY" -H "Content-Type: application/json" \
-d '{"dst_prefix":"203.0.113.5/32","action":"redirect","action_params":{"redirect_target_as":65000,"redirect_target_value":666}}' \
http://localhost:9009/CoreDetection/api/v0/flowspec/rules
List and withdraw rules
curl -H "X-API-Key: YOUR_KEY" \
http://localhost:9009/CoreDetection/api/v0/flowspec/rules
curl -X DELETE -H "X-API-Key: YOUR_KEY" \
"http://localhost:9009/CoreDetection/api/v0/flowspec/rules?id=RULE_ID"
Actions reference
| Action | Effect |
|---|---|
| drop / discard | Silently discard matched traffic |
| rate-limit | Cap bandwidth to rate_limit_bps |
| accept | Forward to scrubbing nexthop(s) in ipv4_nexthops |
| redirect | Redirect via route-target (action_params) |
| mark | Set DSCP (action_params.dscp) |
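As an added example (not CoreDetection's own code), a small Python helper that assembles and sanity-checks a rule body for POST /flowspec/rules, covering the manual-rule examples and the per-action parameters in the actions reference above. The checks it enforces (prefix given exactly once, no host bits, tcp_flags only with protocol 6, nexthops for accept, AS/value for redirect, 6-bit DSCP for mark) are a client-side assumption, not documented server behaviour.

```python
import ipaddress
import json
import urllib.request

# Actions from the actions reference above. The per-action checks below are a constructed,
# client-side helper; the appliance's own server-side validation may differ.
ACTIONS = {"drop", "discard", "rate-limit", "accept", "redirect", "mark"}
TCP_FLAGS = {"syn", "ack", "fin", "rst", "psh", "urg"}


def build_rule(dst_prefix, action, *, dst_prefix_len=None, protocol=None, src_port=None,
               dst_port=None, tcp_flags=None, ipv4_nexthops=None, action_params=None, description=None):
    """Return a dict ready for POST /flowspec/rules, or raise ValueError if it is incoherent."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    # The page writes the victim either as "a.b.c.d" + dst_prefix_len or as "a.b.c.d/len":
    # accept both, refuse a bare address with no length, and refuse host bits in a prefix.
    if ("/" in dst_prefix) == (dst_prefix_len is not None):
        raise ValueError("give the prefix length exactly once")
    net = ipaddress.IPv4Network(dst_prefix if "/" in dst_prefix else (dst_prefix, dst_prefix_len), strict=True)
    rule = {"dst_prefix": str(net.network_address), "dst_prefix_len": net.prefixlen, "action": action}
    for key, val in (("protocol", protocol), ("src_port", src_port), ("dst_port", dst_port), ("description", description)):
        if val is not None:
            rule[key] = val
    if tcp_flags is not None:
        if protocol != 6 or set(tcp_flags) - TCP_FLAGS:  # flags only make sense on a TCP match
            raise ValueError("tcp_flags requires protocol 6 and known flag names")
        rule["tcp_flags"] = list(tcp_flags)
    if action == "accept":  # scrub: forward matched traffic to the scrubbing nexthop(s)
        if not ipv4_nexthops:
            raise ValueError("accept requires ipv4_nexthops")
        rule["ipv4_nexthops"] = [str(ipaddress.IPv4Address(nh)) for nh in ipv4_nexthops]
    elif action == "redirect":  # route-target redirect, carried as target AS + value
        params = action_params or {}
        if not {"redirect_target_as", "redirect_target_value"} <= set(params):
            raise ValueError("redirect requires redirect_target_as and redirect_target_value")
        rule["action_params"] = dict(params)
    elif action == "mark":  # DSCP is a 6-bit field
        dscp = (action_params or {}).get("dscp")
        if not isinstance(dscp, int) or not 0 <= dscp <= 63:
            raise ValueError("mark requires action_params.dscp in 0..63")
        rule["action_params"] = {"dscp": dscp}
    return rule


def post_rule(rule, api_key, base_url="http://localhost:9009/CoreDetection/api/v0"):
    """POST the rule to the appliance; a live network call, so not exercised offline."""
    req = urllib.request.Request(base_url + "/flowspec/rules", data=json.dumps(rule).encode(),
                                 headers={"X-API-Key": api_key, "Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Pass the result of build_rule to post_rule with your API key; a rule that is rejected locally never reaches the BGP peers.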
Next steps
- Threat feed enforcement — IP Blocklist (requires FlowSpec)
- Full API reference — REST API
- Config keys — Configuration → BGP FlowSpec