BGP FlowSpec

BGP FlowSpec (RFC 5575 / RFC 8955) lets CoreDetection push targeted filters instead of blackholing an entire victim prefix. Match protocol, ports, packet length, TCP flags, and fragmentation — then drop, rate-limit, scrub (accept/nexthop), redirect (RT), or mark (DSCP) only the offending traffic.

When to use FlowSpec vs blackhole

Scenario | Recommended
Entire prefix saturated; no granular signal | BGP blackhole (RTBH)
SYN flood to one host — scrubbing center available | FlowSpec accept with scrubbing nexthop
UDP amplification on specific src port | FlowSpec drop with port match
Need to cap attack volume, not kill all traffic | FlowSpec rate-limit
Redirect to upstream scrubbing via RT | FlowSpec redirect

When flowspec.enabled = true, confirmed attack mitigation announces FlowSpec rules instead of blackhole routes. Disable FlowSpec to return to RTBH-only behavior.

Enable FlowSpec

config.ini

[flowspec]
enabled = true
default_action = drop
rate_limit_bps = 1000000000

REST API (applies live — re-negotiates address family with peers)

curl -X PUT -H "X-API-Key: YOUR_KEY" -H "Content-Type: application/json" \
  -d '{"enabled":true,"default_action":"drop"}' \
  http://localhost:9009/CoreDetection/api/v0/config/flowspec

curl -X POST -H "X-API-Key: YOUR_KEY" \
  http://localhost:9009/CoreDetection/api/v0/flowspec/apply

Appliance Portal

Open Mitigation → FlowSpec (/flowspec) to enable FlowSpec, set default action, add manual rules, and click Apply to BGP peers. Attack auto-mitigation follows the exporter map.

Exporter map & peer-selective export

When exporter_map_enabled = true, automatic attack FlowSpec rules are exported only to the BGP neighbor mapped to the attack's NetFlow exporter (primary_exporter in webhooks). The engine tags each rule with peer-target communities and applies per-neighbor export policies in GoBGP.

Rule source | Export scope
Attack auto-mitigation | Mapped neighbor(s) only — skipped if exporter unmapped and fallback = none
Manual rules (/flowspec/rules) | All enabled BGP peers
Blocklist ([blocklist]) | All enabled BGP peers

Configure the map in BGP & Mitigation → Exporter map or [bgp_settings] — see BGP Setup.

FlowSpec still respects announce gates (announce_high_attacks, etc.). A LOW-severity attack will not trigger FlowSpec even when enabled.

Router requirements

Peers must support BGP FlowSpec address family negotiation. Tested platforms include:

  • Juniper MX / PTX / ACX (Junos)
  • Cisco IOS-XR (ASR 9000, NCS)
  • Nokia SR OS (7750 SR, 7250 IXR)
  • Arista EOS (with FlowSpec feature enabled)
  • Huawei VRP (NetEngine)
  • BIRD (lab / automation)

Configure BGP sessions per BGP Setup. FlowSpec uses the same neighbors — toggling enabled triggers automatic AF re-negotiation; no service restart required.

Router-side FlowSpec configuration

Enable the FlowSpec address family on the same BGP session used for RTBH. Replace placeholders from BGP Setup → Router-side configuration.

Cisco IOS-XR

router bgp LOCAL_ASN
 ! IOS-XR only lets a neighbor activate an address family that is enabled globally
 address-family ipv4 flowspec
 !
 neighbor APPLIANCE_IP
  address-family ipv4 flowspec
   route-policy CD-FLOWSPEC-IN in
  !
 !
!
route-policy CD-FLOWSPEC-IN
  pass
end-policy

Nokia SR OS

configure router "Base" bgp
    group "COREDETECTION"
        # SR OS names the IPv4 FlowSpec family "flow-ipv4"; the family list replaces
        # any earlier one, so keep "ipv4" for the RTBH routes on the same session
        family ipv4 flow-ipv4
        neighbor "APPLIANCE_IP"
            family ipv4 flow-ipv4
        exit
    exit
exit

Huawei VRP / NetEngine

bgp LOCAL_ASN
 # VRP enables IPv4 FlowSpec in the "ipv4-family flow" view
 ipv4-family flow
  peer APPLIANCE_IP enable
  peer APPLIANCE_IP route-policy CD-FLOWSPEC-IN import
#
route-policy CD-FLOWSPEC-IN permit node 10

Arista EOS

router bgp LOCAL_ASN
   ! EOS names the family "flow-spec ipv4"; apply the inbound route-map so it takes effect
   address-family flow-spec ipv4
      neighbor CD activate
      neighbor CD route-map CD-FLOWSPEC-IN in
!
route-map CD-FLOWSPEC-IN permit 10

Requires FlowSpec feature license on EOS. See also BGP Setup → Arista EOS for the full peer template.

Juniper Junos

set protocols bgp group COREDETECTION neighbor APPLIANCE_IP
# Junos carries IPv4 FlowSpec as "family inet flow"; configuring any family explicitly
# drops the implicit unicast, so keep "family inet unicast" for the RTBH routes
set protocols bgp group COREDETECTION family inet unicast
set protocols bgp group COREDETECTION family inet flow

Example rules

Automatic attack mitigation

When an attack is confirmed and FlowSpec is enabled, the engine builds rules from attack fingerprints (protocol, ports, flags) using default_action. No manual API call needed for standard mitigation.

Manual rule — drop UDP/53 amplification to victim

curl -X POST -H "X-API-Key: YOUR_KEY" -H "Content-Type: application/json" \
  -d '{"dst_prefix":"203.0.113.5","dst_prefix_len":32,"protocol":17,"src_port":53,"action":"drop","description":"DNS amp to customer"}' \
  http://localhost:9009/CoreDetection/api/v0/flowspec/rules

Manual rule — SYN flood to scrubbing center

curl -X POST -H "X-API-Key: YOUR_KEY" -H "Content-Type: application/json" \
  -d '{"dst_prefix":"203.0.113.5/32","protocol":6,"tcp_flags":["syn"],"action":"accept","ipv4_nexthops":["11.22.33.44"]}' \
  http://localhost:9009/CoreDetection/api/v0/flowspec/rules

Manual rule — redirect to scrubbing RT

curl -X POST -H "X-API-Key: YOUR_KEY" -H "Content-Type: application/json" \
  -d '{"dst_prefix":"203.0.113.5/32","action":"redirect","action_params":{"redirect_target_as":65000,"redirect_target_value":666}}' \
  http://localhost:9009/CoreDetection/api/v0/flowspec/rules

List and withdraw rules

curl -H "X-API-Key: YOUR_KEY" \
  http://localhost:9009/CoreDetection/api/v0/flowspec/rules

curl -X DELETE -H "X-API-Key: YOUR_KEY" \
  "http://localhost:9009/CoreDetection/api/v0/flowspec/rules?id=RULE_ID"

Actions reference

Action | Effect
drop / discard | Silently discard matched traffic
rate-limit | Cap bandwidth to rate_limit_bps
accept | Forward to scrubbing nexthop(s) in ipv4_nexthops
redirect | Redirect via route-target (action_params)
mark | Set DSCP (action_params.dscp)

Next steps