The Architecture
VyOS is a Linux-based network operating system built on FRRouting (FRR). It handles BGP peering, OSPF, static routes, and firewall policies. Many small ISPs, hosting providers, and network engineers use VyOS as their edge router.
The combination works like this: Flowtriq detects a DDoS attack on one of your servers. It identifies the attack type, target prefix, source characteristics, and protocol. It then pushes a BGP FlowSpec rule through the ExaBGP adapter, which peers with your VyOS router. VyOS propagates the FlowSpec rule to your upstream providers, and the attack traffic is dropped at the network edge before it reaches your infrastructure.
Attack hits your server
|
v
ftagent detects anomaly in <1 second
|
v
Flowtriq generates FlowSpec rule
|
v
ExaBGP announces FlowSpec to VyOS
|
v
VyOS propagates to upstreams via iBGP/eBGP
|
v
Upstream drops attack traffic at their edge
|
v
Your link stays clean, services stay online
VyOS BGP Configuration
First, configure your VyOS router to accept FlowSpec routes from ExaBGP. This assumes you already have BGP sessions with your upstreams.
Step 1: Configure the iBGP session with ExaBGP
configure
set protocols bgp neighbor 10.0.0.100 remote-as 65001
set protocols bgp neighbor 10.0.0.100 description 'ExaBGP FlowSpec'
set protocols bgp neighbor 10.0.0.100 address-family ipv4-flowspec
set protocols bgp neighbor 10.0.0.100 update-source 10.0.0.1
commit
save
Here 10.0.0.100 is the server running ExaBGP, and 10.0.0.1 is your VyOS router's loopback or management IP. Both use the same ASN (65001 in this example) since this is an iBGP session.
Step 2: Install received FlowSpec rules locally
set protocols bgp address-family ipv4-flowspec local-install 'any'
commit
save
The local-install any directive tells VyOS to install received FlowSpec rules into the local forwarding table, so the rules take effect on the router itself in addition to being propagated to peers.
Step 3: Upstream propagation
To propagate FlowSpec rules to upstreams that support it, enable the FlowSpec address family on those sessions:
set protocols bgp neighbor 198.51.100.1 address-family ipv4-flowspec
commit
save
Check with your upstreams whether they accept FlowSpec. Many transit providers do, but the capability must be explicitly enabled on both sides.
ExaBGP Setup on Flowtriq
On the server running ExaBGP (this can be the same server that runs ftagent, or a dedicated management host):
# Install ExaBGP
pip install exabgp

# Flowtriq ExaBGP adapter configuration
# /etc/flowtriq/exabgp.conf
[exabgp]
router_id = 10.0.0.100
local_as = 65001
neighbor = 10.0.0.1
neighbor_as = 65001
flowspec = true
api_mode = json
Configure the ExaBGP adapter in the Flowtriq dashboard under Settings > Mitigation > BGP Adapters. Select ExaBGP, provide the config path, and test the connection.
See the ExaBGP FlowSpec guide for the complete adapter configuration.
What Happens During an Attack
When Flowtriq detects a DDoS attack, it generates a FlowSpec rule specific to the attack characteristics:
# Example: UDP amplification via DNS reflection targeting 203.0.113.50
flow4 {
    match {
        destination 203.0.113.50/32;
        source-port =53;
        protocol udp;
        packet-length >=512;
    }
    then {
        discard;
    }
}
This rule drops UDP packets with source port 53 (DNS) that are 512 bytes or larger and are addressed to your server. Legitimate outbound DNS queries from your server are unaffected: they leave with an ephemeral source port and destination port 53, so they never match a source-port 53 filter. Replies to those queries do arrive from source port 53, which is why the packet-length >=512 condition matters: normal-sized responses pass, and only the large amplified responses are discarded.
The rule propagates through VyOS to your upstreams. Within seconds, the attack traffic is being dropped at the upstream edge, and your link returns to normal.
Automatic Rule Withdrawal
FlowSpec rules are withdrawn automatically when the attack ends. Flowtriq monitors the traffic continuously. When traffic returns to baseline levels, it sends a BGP withdrawal for the FlowSpec route. VyOS propagates the withdrawal, and normal forwarding resumes.
This automatic lifecycle prevents stale rules. There is no manual "remove the FlowSpec rule" step that gets forgotten at 3 AM.
RTBH Fallback
If your upstreams do not support FlowSpec, configure RTBH (Remote Triggered Black Hole) as a fallback. Flowtriq can announce a /32 blackhole route through VyOS tagged with the well-known BLACKHOLE community (65535:666, RFC 7999):
set protocols bgp neighbor 198.51.100.1 address-family ipv4-unicast
set policy community-list standard blackhole-community rule 10 action permit
set policy community-list standard blackhole-community rule 10 community '65535:666'
RTBH is less precise than FlowSpec (it drops all traffic to the target IP, not just attack traffic), but it works with virtually every transit provider. Confirm with each upstream which blackhole community they honour: most accept 65535:666, but some require a provider-specific community instead.
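The rule generation described under "What Happens During an Attack", the automatic withdrawal lifecycle, and the RTBH fallback can be put together in a few dozen lines. The following is an added example written for this page; it is not Flowtriq's adapter or ExaBGP project code. It emits the ExaBGP API text commands (announce/withdraw flow route, announce/withdraw route with the BLACKHOLE community) that an adapter would write to ExaBGP's process pipe. The Attack and Mitigator names, the Mbps thresholds, the 192.0.2.1 RTBH next-hop and the traffic samples are all constructed for the example; the withdrawal waits for several consecutive below-baseline samples so a short dip does not flap the rule.

```python
# Added example (not Flowtriq's adapter or ExaBGP project code): build the
# ExaBGP API commands that announce a FlowSpec mitigation, withdraw it once
# traffic is back at baseline, and fall back to RTBH when the upstream does
# not accept FlowSpec. Thresholds, next-hop and samples are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

BLACKHOLE_COMMUNITY = "65535:666"   # well-known BLACKHOLE community (RFC 7999)


@dataclass(frozen=True)
class Attack:
    target: str                            # attacked IPv4 host
    protocol: str                          # "udp" or "tcp"
    source_port: Optional[int] = None      # e.g. 53 for DNS reflection
    min_packet_length: Optional[int] = None


def flowspec_body(a: Attack) -> str:
    """ExaBGP flow-route body. The same text is reused for the withdrawal
    so it matches the announced rule exactly."""
    ipaddress.IPv4Address(a.target)        # raises ValueError on bad input
    match = [f"destination {a.target}/32;", f"protocol {a.protocol};"]
    if a.source_port is not None:
        match.append(f"source-port ={a.source_port};")
    if a.min_packet_length is not None:
        match.append(f"packet-length >={a.min_packet_length};")
    return "{ match { " + " ".join(match) + " } then { discard; } }"


def announce_flowspec(a: Attack) -> str:
    return "announce flow route " + flowspec_body(a)


def withdraw_flowspec(a: Attack) -> str:
    return "withdraw flow route " + flowspec_body(a)


def announce_rtbh(a: Attack, next_hop: str) -> str:
    # /32 blackhole route tagged with the BLACKHOLE community (RTBH fallback)
    return (f"announce route {a.target}/32 next-hop {next_hop} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def withdraw_rtbh(a: Attack, next_hop: str) -> str:
    return f"withdraw route {a.target}/32 next-hop {next_hop}"


class Mitigator:
    """Tracks active mitigations and returns the ExaBGP commands to send for
    each traffic sample. A rule is withdrawn only after `clear_samples`
    consecutive samples at or below baseline (hysteresis against flapping)."""

    def __init__(self, upstream_flowspec: bool, attack_mbps: float,
                 baseline_mbps: float, clear_samples: int = 3,
                 rtbh_next_hop: str = "192.0.2.1"):
        self.upstream_flowspec = upstream_flowspec
        self.attack_mbps = attack_mbps
        self.baseline_mbps = baseline_mbps
        self.clear_samples = clear_samples
        self.rtbh_next_hop = rtbh_next_hop
        self.active: Dict[str, list] = {}  # target -> [Attack, quiet_samples]

    def on_sample(self, a: Attack, mbps: float) -> List[str]:
        state = self.active.get(a.target)
        if state is None:
            if mbps < self.attack_mbps:
                return []
            self.active[a.target] = [a, 0]
            return [announce_flowspec(a) if self.upstream_flowspec
                    else announce_rtbh(a, self.rtbh_next_hop)]
        announced, quiet = state
        quiet = quiet + 1 if mbps <= self.baseline_mbps else 0
        if quiet < self.clear_samples:
            state[1] = quiet
            return []
        del self.active[a.target]        # traffic back at baseline: withdraw
        return [withdraw_flowspec(announced) if self.upstream_flowspec
                else withdraw_rtbh(announced, self.rtbh_next_hop)]


def demo() -> List[str]:
    """Constructed Mbps samples for one DNS-reflection attack; returns the
    command log an adapter would have written to ExaBGP."""
    attack = Attack("203.0.113.50", "udp", source_port=53, min_packet_length=512)
    m = Mitigator(upstream_flowspec=True, attack_mbps=800, baseline_mbps=50)
    log: List[str] = []
    for mbps in (20, 950, 1200, 900, 30, 40, 60, 30, 35, 25):
        log.extend(m.on_sample(attack, mbps))
    return log


if __name__ == "__main__":
    for cmd in demo():
        print(cmd)
```

In the demo the rule is announced on the second sample and withdrawn on the last one: the 60 Mbps sample resets the quiet counter, so the three consecutive quiet samples needed for withdrawal are only reached at the end. Swapping `upstream_flowspec` to `False` makes the same sequence announce and withdraw the /32 blackhole route instead.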
FAQ
Which VyOS version supports FlowSpec?
VyOS 1.4 (sagitta) and later support FlowSpec through FRRouting 8.x+. The rolling release has the latest FRR with full FlowSpec support. VyOS 1.3 (equuleus) has limited FlowSpec support.
Can I use BIRD instead of ExaBGP?
Flowtriq supports ExaBGP, GoBGP, and custom BGP adapters. BIRD integration is possible through the custom adapter. ExaBGP is recommended because Flowtriq's ExaBGP adapter is the most mature of the three.
What if I run VyOS as a VM on Proxmox?
It works the same way. The BGP session between ExaBGP and VyOS operates at the IP level regardless of whether VyOS runs on bare metal, as a VM, or in a container.
Automate your DDoS response. Flowtriq detects attacks, generates FlowSpec rules, and pushes them through VyOS to your upstreams. No manual intervention. Start your free 14-day trial.