BGP routing is used as a way of reducing DDoS attacks over networks. How does it do this, and is it an effective measure?
BGP routing functions at the network level, and is therefore able to reroute malicious network packets to a security provider before they can reach any DNS servers or other computing resources. BGP routers can redirect any amount of high-volume traffic to a centralized data scrubbing center (or centers) used by a security provider. Usually large CDN providers offer this kind of service.
The scrubbing center then analyzes traffic in real time and filters out malicious DDoS attack traffic using deep packet inspection, either automatically or manually with security experts mitigating. The service provider then allows healthy traffic to pass through to the AS, usually via a secure means, like a GRE tunnel, back to origin.
The mitigation process for a BGP DDoS attack can be broken down as follows:
• A BGP announcement is made by a security provider about an impending DDoS attack.
• BGP rules are automatically altered—instead of routing traffic based on optimal paths, BGP reroutes all incoming traffic to the security provider.
• The security provider filters out the malicious traffic and then uses a GRE tunnel to send clean traffic directly to the origin server.
This process can be done manually or automatically.
In this way, BGP rerouting can mitigate direct-to-origin DDoS attacks by screening all incoming network traffic before it reaches its target.
When using a Cloud DDoS mitigation provider to protect a network, the service is connected via the BGP session.
- If a cross-connect is used, it works like any other Internet BGP uplink provided by a major upstream provider. A network will use it as an additional (or primary) uplink during attacks for any subnet it advertises in the Internet.
- If a GRE is used, a BGP session is set up inside the tunnel to allow you to control which prefixes will be advertised in the Internet via our network. It works like any other upstream connection, but instead of a physical wire, a tunnel is used.
In both cases, the DDoS mitigation provider needs full visibility only on the incoming traffic. To make this work, you either advertise a more specific prefix (e.g. a /24), or you prepend or stop advertising the prefix to your regular upstream providers.
Filters are asymmetric, which means you can send outbound traffic through your regular upstream providers.
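The two answers above describe the same mechanism from two angles: the first as a procedure (provider announces, routing changes, clean traffic returns over GRE), the second as the three concrete BGP levers (more-specific prefix, AS-path prepending, withdrawal). The following is an added example, not part of either answer and not any provider's software: a minimal route-selection model that shows why each lever diverts inbound traffic to the scrubbing provider. All prefixes, AS numbers and next-hop names are constructed for illustration; the "scrubber" and "upstream" labels and the `Rib` class are assumptions of this example, not real configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed AS numbers (private-use range), purely illustrative.
ORIGIN_AS = 64500    # the protected network
UPSTREAM_AS = 64501  # the regular transit provider
SCRUBBER_AS = 64502  # the DDoS mitigation provider


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str        # which provider receives traffic for this prefix
    as_path: List[int]   # AS path as seen by a remote network


class Rib:
    """A toy routing table implementing the two BGP rules that matter here:
    longest-prefix match for forwarding, then shortest AS path among ties."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def announce(self, prefix: str, next_hop: str, as_path: List[int]) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, list(as_path)))

    def withdraw(self, prefix: str, next_hop: str) -> None:
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes
                       if not (r.prefix == net and r.next_hop == next_hop)]

    def best(self, ip: str) -> Optional[Route]:
        addr = ipaddress.ip_address(ip)
        candidates = [r for r in self.routes if addr in r.prefix]
        if not candidates:
            return None
        # Rule 1: the most specific (longest) prefix always wins.
        longest = max(r.prefix.prefixlen for r in candidates)
        candidates = [r for r in candidates if r.prefix.prefixlen == longest]
        # Rule 2: among equal-length prefixes, prefer the shortest AS path
        # (this is what prepending manipulates).
        return min(candidates, key=lambda r: len(r.as_path))


def simulate(victim_ip: str = "10.20.1.7") -> dict:
    """Return which provider receives traffic for victim_ip under each lever.
    10.20.0.0/22 is a constructed origin block; 10.20.1.0/24 is the part under attack."""
    rib = Rib()
    rib.announce("10.20.0.0/22", "upstream", [UPSTREAM_AS, ORIGIN_AS])
    normal = rib.best(victim_ip).next_hop

    # Lever 1: advertise a more-specific /24 through the scrubbing provider.
    # Only that /24 is diverted; the rest of the /22 keeps its normal path.
    rib.announce("10.20.1.0/24", "scrubber", [SCRUBBER_AS, ORIGIN_AS])
    more_specific = rib.best(victim_ip).next_hop
    untouched = rib.best("10.20.2.9").next_hop
    rib.withdraw("10.20.1.0/24", "scrubber")

    # Lever 2: advertise the same /22 via both providers, but prepend the
    # origin AS toward the regular upstream so that path looks longer.
    rib.announce("10.20.0.0/22", "scrubber", [SCRUBBER_AS, ORIGIN_AS])
    rib.withdraw("10.20.0.0/22", "upstream")
    rib.announce("10.20.0.0/22", "upstream",
                 [UPSTREAM_AS, ORIGIN_AS, ORIGIN_AS, ORIGIN_AS])
    prepended = rib.best(victim_ip).next_hop

    # Lever 3: stop advertising to the regular upstream entirely, so the
    # scrubbing provider is the only remaining inbound path.
    rib.withdraw("10.20.0.0/22", "upstream")
    withdrawn = rib.best(victim_ip).next_hop

    return {"normal": normal, "more_specific": more_specific,
            "untouched_sibling": untouched, "prepended": prepended,
            "withdrawn": withdrawn}


if __name__ == "__main__":
    for lever, hop in simulate().items():
        print(f"{lever:>18}: inbound traffic arrives via {hop}")
```

The model deliberately stops at inbound selection: once traffic lands at the scrubbing provider, the clean remainder is carried back over the GRE tunnel (or cross-connect) described above, and the origin's own outbound packets still leave via the regular upstream, which is the asymmetry the second answer mentions. Note also that the more-specific lever only affects the /24 announced, which is why a network under attack on one block can leave its other prefixes on their normal paths.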
BGP doesn't inherently block, mitigate, or reduce DDoS attacks; it is just a protocol that can be used to redirect traffic to a service that can. You can use BGP or DNS to reroute traffic, generally speaking.
BGP typically works in a reactive fashion, where you move traffic over to a scrubbing center after an attack has been identified. A GRE Tunnel is then established to route the good traffic back to your origin servers. This may be a manual process or may involve the installation of inline detection appliances whereas DNS-based DDoS mitigation is typically 'always-on'.
To contrast the two a bit further, DDoS attacks that are directed at an IP could bypass DNS, so BGP is more effective in that edge case (this isn't normal). There are steps you can take to cover that edge case with a DNS-based service too, though. It's just a little more configuration work to set up.