What Is BGP FlowSpec and Why It Matters
BGP FlowSpec (RFC 5575) extends the Border Gateway Protocol to distribute traffic filtering rules alongside routing information. Instead of blackholing an entire IP address with RTBH, FlowSpec lets you define granular match conditions: source IP, destination IP, protocol, port, packet length, DSCP value, and fragment flags. You can then apply actions like drop, rate-limit, redirect to a VRF, or mark with a DSCP value.
This precision is what makes FlowSpec so valuable during a DDoS attack. A SYN flood targeting port 80 on a single IP can be filtered without affecting legitimate traffic to other ports on the same IP. A UDP amplification attack from a known reflector range can be rate-limited to 1 Mbps instead of dropped entirely, preserving any legitimate DNS traffic from those sources.
ExaBGP is an open-source BGP implementation written in Python that acts as a FlowSpec rule injector. It peers with your edge routers and announces FlowSpec NLRI (Network Layer Reachability Information) that your routers translate into hardware-level ACLs. Flowtriq integrates with ExaBGP through a JSON API, pushing rules automatically when attacks are detected and withdrawing them when attacks end.
Prerequisites
Before you begin, make sure you have:
- ExaBGP 4.2+ installed on a server with network reachability to your edge routers
- At least one edge router that supports BGP FlowSpec (Juniper MX, Cisco ASR/XR, Nokia SR, Arista 7280+)
- A BGP session established between ExaBGP and your router with the FlowSpec address family enabled
- A Flowtriq agent deployed and detecting traffic on your network
If you have not set up ExaBGP before, we recommend starting with a lab environment. FlowSpec rules applied to production routers take effect immediately and can disrupt traffic if misconfigured.
Step 1: Configure ExaBGP in JSON API Mode
Flowtriq communicates with ExaBGP through its JSON API, which accepts route announcements and withdrawals via HTTP. Configure ExaBGP to run in API mode by creating the following configuration file:
# /etc/exabgp/exabgp.conf
process flowtriq-adapter {
    run /usr/bin/python3 /opt/flowtriq/exabgp_adapter.py;
    encoder json;
}

neighbor 10.0.0.1 {
    router-id 10.0.0.2;
    local-address 10.0.0.2;
    local-as 65001;
    peer-as 65001;
    family {
        ipv4 flow;
        ipv6 flow;
    }
    api {
        processes [flowtriq-adapter];
        receive {
            parsed;
            update;
        }
        send {
            parsed;
            update;
        }
    }
}
The family block enables both IPv4 and IPv6 FlowSpec address families. The process block points to the Flowtriq ExaBGP adapter script, which receives rule commands from the Flowtriq agent and translates them into ExaBGP API calls.
Install the adapter script from the Flowtriq package:
pip install flowtriq-exabgp-adapter
The adapter listens on a local Unix socket by default. The Flowtriq agent connects to this socket to push and withdraw FlowSpec rules.
Step 2: Configure the Flowtriq Mitigation Provider
In the Flowtriq dashboard, navigate to Settings > Mitigations and click Add Mitigation Provider. Select "ExaBGP FlowSpec" and configure:
{
"provider": "exabgp_flowspec",
"name": "ExaBGP - Edge Routers",
"adapter_socket": "/var/run/flowtriq/exabgp.sock",
"default_action": "rate-limit",
"rate_limit_bps": 10000000,
"auto_withdraw": true,
"withdraw_after_seconds": 120,
"ipv4_enabled": true,
"ipv6_enabled": true
}
The default_action field determines what happens to matched traffic. Flowtriq supports two actions:
- drop: Silently discard all matched packets. Use this for clearly malicious traffic like spoofed source floods or known amplification vectors.
- rate-limit: Limit matched traffic to rate_limit_bps (in bits per second). Use this when the attack traffic may contain some legitimate packets, such as DNS amplification where real DNS responses are mixed in.
Step 3: Understanding the FlowSpec Rule Format
When Flowtriq detects an attack and triggers the ExaBGP provider, it generates a FlowSpec rule in JSON format. Here is an example rule for a SYN flood targeting a single IP on port 80:
{
    "announce": {
        "flow": {
            "match": {
                "destination": "203.0.113.45/32",
                "protocol": "tcp",
                "destination-port": 80,
                "tcp-flags": ["syn"],
                "packet-length": "0..100"
            },
            "then": {
                "discard": true
            }
        }
    }
}
And here is a rate-limit rule for a UDP amplification attack:
{
    "announce": {
        "flow": {
            "match": {
                "destination": "203.0.113.45/32",
                "source": "198.51.100.0/24",
                "protocol": "udp",
                "source-port": 53
            },
            "then": {
                "rate-limit": 10000000
            }
        }
    }
}
Flowtriq automatically constructs the match conditions based on the attack vector classification. SYN floods get TCP flag matching. DNS amplification gets source port 53. NTP amplification gets source port 123. The match conditions are designed to be as specific as possible to minimize impact on legitimate traffic.
IPv6 FlowSpec Rules
IPv6 FlowSpec rules follow the same format with IPv6 addresses in the match conditions. Flowtriq handles the address family automatically based on the target IP:
{
    "announce": {
        "flow": {
            "match": {
                "destination": "2001:db8::1/128",
                "protocol": "udp",
                "source-port": 19,
                "packet-length": "0..64"
            },
            "then": {
                "discard": true
            }
        }
    }
}
Make sure your router supports IPv6 FlowSpec. Juniper MX series supports it from Junos 15.1 onwards. Cisco IOS-XR supports it from version 6.1. Older hardware may only support IPv4 FlowSpec.
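The rule JSON shown in Step 3 and in the IPv6 section has to be turned into something ExaBGP will accept on its API process. The following is an added example, not the Flowtriq adapter's own code: it takes the announce/withdraw JSON shape from this page and emits the single-line `announce flow route { match { ... } then { ... } }` / `withdraw flow route { ... }` text commands that ExaBGP's API reads. It picks the address family from the destination prefix, refuses any rule that has no destination prefix (the "matches all traffic" outage case), and converts the page's bits-per-second limit into the bytes-per-second value that the RFC 5575 traffic-rate community carries. The `0..100` range rendering and the bits-to-bytes conversion are this example's assumptions about how the Flowtriq fields map onto ExaBGP keywords.

```python
"""Translate Flowtriq-style FlowSpec rule JSON into ExaBGP API text commands.

Added example; not the Flowtriq adapter's or ExaBGP's own code.
"""
import ipaddress
import json

# How each match key from the page's JSON is rendered for ExaBGP's flow syntax.
_PREFIX_KEYS = {"destination", "source"}
_PORT_KEYS = {"destination-port", "source-port", "port"}
_RANGE_KEYS = {"packet-length"}
_LIST_KEYS = {"tcp-flags", "fragment", "dscp"}


def _render_value(key, value):
    if key in _PREFIX_KEYS:
        # strict=True rejects host bits set outside the mask (e.g. 10.0.0.1/24).
        return str(ipaddress.ip_network(value, strict=True))
    if key in _PORT_KEYS:
        return "=%d" % int(value)
    if key in _RANGE_KEYS:
        # "0..100" on the page -> ">=0&<=100" (assumed mapping onto ExaBGP's numeric operators).
        lo, hi = (int(x) for x in str(value).split(".."))
        if lo > hi:
            raise ValueError("%s: empty range %s" % (key, value))
        return ">=%d&<=%d" % (lo, hi)
    if key in _LIST_KEYS:
        return "[ %s ]" % " ".join(str(v) for v in value)
    return str(value)  # e.g. protocol tcp


def _render_match(match):
    if "destination" not in match:
        # A FlowSpec rule with no destination prefix matches every packet the
        # router sees, which is the network-wide outage the page warns about.
        raise ValueError("refusing FlowSpec rule without a destination prefix")
    family = ipaddress.ip_network(match["destination"]).version
    source = match.get("source")
    if source is not None and ipaddress.ip_network(source).version != family:
        raise ValueError("source and destination address families differ")
    parts = ["%s %s;" % (k, _render_value(k, v)) for k, v in match.items()]
    return family, "match { %s }" % " ".join(parts)


def _render_then(then):
    actions = []
    if then.get("discard"):
        actions.append("discard;")
    if "rate-limit" in then:
        # The page's limit is in bits per second (rate_limit_bps); the RFC 5575
        # traffic-rate extended community is bytes per second, so divide by 8.
        # Assumption: the rule's "rate-limit" field uses the same bits unit.
        actions.append("rate-limit %d;" % (int(then["rate-limit"]) // 8))
    if not actions:
        raise ValueError("rule has no action")
    return "then { %s }" % " ".join(actions)


def to_exabgp_command(rule):
    """Return (ip_version, command) for one announce/withdraw rule (dict or JSON text)."""
    if isinstance(rule, str):
        rule = json.loads(rule)
    if "announce" in rule:
        verb, body = "announce", rule["announce"]["flow"]
    elif "withdraw" in rule:
        verb, body = "withdraw", rule["withdraw"]["flow"]
    else:
        raise ValueError("rule must contain 'announce' or 'withdraw'")
    family, match = _render_match(body["match"])
    if verb == "announce":
        return family, "announce flow route { %s %s }" % (match, _render_then(body["then"]))
    # Withdrawal only needs the NLRI (the match block), not the action.
    return family, "withdraw flow route { %s }" % match


if __name__ == "__main__":
    # Constructed sample: the SYN-flood rule from this page.
    sample = {"announce": {"flow": {
        "match": {"destination": "203.0.113.45/32", "protocol": "tcp",
                  "destination-port": 80, "tcp-flags": ["syn"], "packet-length": "0..100"},
        "then": {"discard": True}}}}
    print(to_exabgp_command(sample)[1])
```

Key order in the match block is preserved from the JSON, so a withdraw built from the same match dict renders the same NLRI as the announce it cancels. Feed the returned command to ExaBGP's API process on its stdin; the family value tells you whether `ipv4 flow` or `ipv6 flow` must be negotiated for it to be accepted.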
Step 4: Rule Withdrawal and Rollback
When Flowtriq resolves an incident, it automatically withdraws the corresponding FlowSpec rules from ExaBGP. The withdrawal message mirrors the announcement:
{
    "withdraw": {
        "flow": {
            "match": {
                "destination": "203.0.113.45/32",
                "protocol": "tcp",
                "destination-port": 80,
                "tcp-flags": ["syn"]
            }
        }
    }
}
The withdraw_after_seconds setting in the provider configuration adds a safety delay. Even after the attack ends, rules remain active for the specified number of seconds (default 120) before being withdrawn. This protects against attackers who probe for the removal of defenses.
Emergency Rollback
If a FlowSpec rule is causing collateral damage to legitimate traffic, you can withdraw all rules immediately from the Flowtriq dashboard by clicking Withdraw All Rules on the Mitigations page. This sends a bulk withdrawal to ExaBGP that clears every active FlowSpec rule within seconds.
You can also withdraw individual rules by selecting them from the active rules list. Each rule shows the match conditions, action, time deployed, and the incident that triggered it.
Always test FlowSpec rules in a lab before deploying to production. A misconfigured match condition (such as a missing destination prefix) can match all traffic and cause a network-wide outage. Flowtriq includes a "dry run" mode that logs the rules without actually pushing them to ExaBGP.
Step 5: Testing the Integration
Before relying on this integration in production, test it end-to-end:
- Verify the BGP session: Check that ExaBGP has established a BGP session with your router and that the FlowSpec address family is negotiated. On Juniper, run show bgp neighbor [exabgp-ip] | match "FlowSpec".
- Send a test rule: Use the Flowtriq dashboard's Test Mitigation button to push a test FlowSpec rule. The test rule matches a non-routable destination (100.64.0.0/32) so it cannot affect real traffic.
- Verify the rule on the router: On Juniper, run show route table inetflow.0. On Cisco XR, run show flowspec ipv4. You should see the test rule.
- Withdraw the test rule: Click Withdraw Test Rule in Flowtriq and verify the rule disappears from the router's FlowSpec table.
Step 6: Monitoring Active Rules
The Flowtriq dashboard provides a real-time view of all active FlowSpec rules, including:
- The match conditions and action for each rule
- The time the rule was deployed and which incident triggered it
- The number of packets and bytes matched by the rule (pulled from router counters via SNMP)
- The estimated time until auto-withdrawal
If you use Prometheus for monitoring, the Flowtriq agent exports a flowtriq_flowspec_active_rules gauge and a flowtriq_flowspec_rules_deployed_total counter. These metrics let you track FlowSpec activity alongside your other network telemetry.
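To make the withdrawal behaviour from Step 4 and the two metrics from Step 6 concrete, here is an added example (not Flowtriq's or ExaBGP's code) of a rule tracker that keeps a rule active for withdraw_after_seconds after its incident resolves, supports the bulk "withdraw all" rollback, and exposes the values behind flowtriq_flowspec_active_rules and flowtriq_flowspec_rules_deployed_total. The `send` callable standing in for the ExaBGP adapter, the injectable clock, and the use of the canonical match JSON as the rule identity are this example's assumptions; the Flowtriq agent's internals are not documented on this page.

```python
"""Delayed-withdraw lifecycle tracker for FlowSpec rules.

Added example; not Flowtriq's or ExaBGP's own code. `send` receives the
announce/withdraw JSON documents in the shape shown on the page.
"""
import json
import time


class FlowSpecRuleTracker:
    def __init__(self, send, withdraw_after_seconds=120, clock=time.monotonic):
        self._send = send                      # callable taking one JSON document (assumed adapter hook)
        self._delay = withdraw_after_seconds   # safety window after an incident resolves
        self._clock = clock                    # injectable for deterministic testing
        self._active = {}                      # rule_id -> {"match", "incident", "expires"}
        self.rules_deployed_total = 0          # backs flowtriq_flowspec_rules_deployed_total (counter)

    @property
    def active_rules(self):
        """Backs flowtriq_flowspec_active_rules (gauge)."""
        return len(self._active)

    @staticmethod
    def rule_id(match):
        # Canonical JSON of the match block identifies the NLRI regardless of key order.
        return json.dumps(match, sort_keys=True, separators=(",", ":"))

    def announce(self, match, action, incident):
        """Push a rule unless the same NLRI is already deployed; returns True if sent."""
        rid = self.rule_id(match)
        if rid in self._active:
            return False
        self._send(json.dumps({"announce": {"flow": {"match": match, "then": action}}}))
        self._active[rid] = {"match": match, "incident": incident, "expires": None}
        self.rules_deployed_total += 1
        return True

    def incident_resolved(self, incident):
        """Start the safety window for every rule of the incident; returns how many were scheduled."""
        expires = self._clock() + self._delay
        scheduled = 0
        for entry in self._active.values():
            if entry["incident"] == incident and entry["expires"] is None:
                entry["expires"] = expires
                scheduled += 1
        return scheduled

    def tick(self):
        """Withdraw rules whose safety window has elapsed; returns how many were withdrawn."""
        now = self._clock()
        due = [rid for rid, e in self._active.items()
               if e["expires"] is not None and e["expires"] <= now]
        for rid in due:
            self._withdraw(rid)
        return len(due)

    def withdraw_all(self):
        """Emergency rollback: withdraw every active rule immediately; returns the count."""
        rids = list(self._active)
        for rid in rids:
            self._withdraw(rid)
        return len(rids)

    def seconds_until_withdrawal(self, match):
        """Value shown as 'estimated time until auto-withdrawal'; None if not scheduled."""
        entry = self._active.get(self.rule_id(match))
        if entry is None or entry["expires"] is None:
            return None
        return max(0.0, entry["expires"] - self._clock())

    def _withdraw(self, rid):
        entry = self._active.pop(rid)
        self._send(json.dumps({"withdraw": {"flow": {"match": entry["match"]}}}))


class FakeClock:
    """Manual clock so the safety window can be exercised without sleeping."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk one constructed incident through announce -> resolve -> delayed withdraw."""
    sent = []
    clock = FakeClock()
    tracker = FlowSpecRuleTracker(sent.append, withdraw_after_seconds=120, clock=clock)
    syn_match = {"destination": "203.0.113.45/32", "protocol": "tcp",
                 "destination-port": 80, "tcp-flags": ["syn"]}
    tracker.announce(syn_match, {"discard": True}, incident="INC-1")
    tracker.announce(syn_match, {"discard": True}, incident="INC-1")  # duplicate NLRI, ignored
    tracker.incident_resolved("INC-1")
    clock.advance(60)
    early = tracker.tick()   # still inside the 120 s window: nothing withdrawn
    clock.advance(60)
    late = tracker.tick()    # window elapsed: withdrawal sent
    return {"sent": sent, "early": early, "late": late,
            "active": tracker.active_rules, "deployed": tracker.rules_deployed_total}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Calling tick() from a periodic loop is enough to honour the delay; the gauge and counter can be handed to a Prometheus client as-is, and withdraw_all() is the programmatic equivalent of the dashboard's Withdraw All Rules button.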
Rate-Limit vs Drop: Choosing the Right Action
The choice between rate-limit and drop depends on the attack vector and your tolerance for collateral damage:
- Drop is appropriate for spoofed source attacks (SYN floods with randomized source IPs), known amplification protocols from non-legitimate sources, and any traffic that is clearly malicious with no possibility of legitimate packets.
- Rate-limit is appropriate for DNS amplification (legitimate DNS responses may be mixed in), NTP amplification from servers that also serve legitimate NTP clients, and any scenario where you want to throttle rather than block entirely.
You can configure different default actions per attack vector in the Flowtriq mitigation settings. For example, set SYN floods to "drop" and DNS amplification to "rate-limit" at 10 Mbps. Flowtriq applies the correct action automatically based on the detected vector.
Tip: For maximum protection, layer FlowSpec with Cloudflare Magic Transit scrubbing. Use FlowSpec for surgical, low-latency filtering of protocol attacks. Use Magic Transit for massive volumetric floods that exceed your local capacity. Flowtriq can trigger both simultaneously.
ExaBGP FlowSpec integration is available on all Flowtriq plans starting at $9.99/node/month. ExaBGP itself is open source and free. Start your free trial to deploy automated FlowSpec mitigation rules within minutes of your first detected attack.