BGP FlowSpec Emerges in Juniper DDoS Secure

Juniper is updating its DDoS Secure solution to version 5.14, providing new attack mitigation capabilities that leverage the emerging BGP FlowSpec specification.

Juniper first hinted at its BGP FlowSpec capabilities in March, as part of a joint solution with VeriSign.

Paul Scanlon, director of product management at Juniper Networks, told Enterprise Networking Planet that FlowSpec can be used in conjunction with the Verisign cloud scrubbing service. He explained that customers can choose to leverage FlowSpec filters to block known bad sources on routers and choose to redirect traffic to VeriSign as well.

BGP FlowSpec provides organizations with a new tool in the battle against large traffic floods known as Distributed Denial of Service (DDoS) attacks.

“BGP FlowSpec is an extension to traditional BGP that enables the communication of filters through the existing network control plane of BGP,” Scanlon said. “The enhancement that FlowSpec provides is an ability to make granular decisions about what traffic to redirect to a cloud scrubbing layer.”

Scanlon added that the BGP FlowSpec extension allows organizations to make much more granular decisions than were previously available about how to block attacking sources and how to manipulate traffic.

DDoS Secure 5.14 also provides support for another standard that can be used to protect enterprises. GTP Network Protocol Unwrap, a technology included in DDoS Secure 5.14, leverages GTP (Generic Tunnelling Protocol), an IETF standard protocol.

“The ability to recognize and then unwrap the IP packet encapsulated in GTP tunnel is enabled through the ability to recognize GTP traffic,” Scanlon said. “This happens by monitoring the key information that can identify the subscriber sourcing the GTP traffic over the Radio Access Network (RAN) of the mobile network and then map the IP-based information to that problematic subscriber.”

Scanlon noted that GTP Network Protocol Unwrap functionality provides customers with the ability to increase their detection of infected or abusive devices before they impact the IP-based services of the mobile architecture or create problems for other subscribers using the network.

He added that GTP is typically found in mobile networks on the radio side of the network and carries IP-based traffic within the tunnel.

Going a step further, DDoS Secure 5.14 now includes functionality to limit the risk of UDP amplification attacks. UDP amplification attacks leverage vulnerable network services to amplify the volume of attack traffic directed at a target.

“The announced functionality protects DNS, NTP, SIP or any other UDP-based service,” Scanlon said.

Scanlon explained that DDoS Secure leverages its ability to understand the protocol in context at layer 7 to recognize when sources are repetitively asking the same question to the DNS server. It sends responses to unanswered questions or when key rules within the protocol are being violated. The UDP amplification attack mitigation capability can in turn be used alongside BGP FlowSpec to protect an organization.

“When protecting a DNS service from amplification attacks, DDoS Secure can leverage sub-second mitigation of threats on the network locally to the protected service,” Scanlon said. “It can then create a FlowSpec rule which is published to the upstream router to protect the service from egregious attacking sources, redirect traffic to a cloud scrubbing service (such as Verisign’s DDoS Protect service) or any combination of these defenses to address the complexity of current attacks with an equally sophisticated set of protection capabilities in an automated, simple operational model.”
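The two steps described above (spotting sources that repeat the same DNS question, then turning them into upstream FlowSpec filters) can be sketched as follows. This is an added example, not Juniper's code: the function names, the one-second window, the threshold and the sample queries are assumptions, and the rule records are a neutral representation of FlowSpec match fields rather than any router's configuration syntax.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample input: (timestamp_seconds, source_ip, qname, qtype)
SAMPLE_QUERIES = (
    # One source repeating the same question six times in half a second
    [(10.0 + i * 0.1, "198.51.100.7", "Example.com.", "ANY") for i in range(6)]
    # A busy source asking six different questions
    + [(10.0 + i * 0.1, "203.0.113.9", f"host{i}.example.com", "A") for i in range(6)]
    # A source repeating a question slowly, as an ordinary resolver retry would
    + [(10.0 + i * 5.0, "192.0.2.44", "example.com", "A") for i in range(3)]
)

def find_repetitive_sources(queries, window=1.0, threshold=5):
    """Return {source_ip: (qname, qtype)} for sources that ask the same
    question at least `threshold` times within `window` seconds."""
    recent = defaultdict(deque)  # (src, qname, qtype) -> recent timestamps
    flagged = {}
    for ts, src, qname, qtype in sorted(queries):
        # DNS names are case-insensitive; the trailing root dot is optional
        key = (src, qname.lower().rstrip("."), qtype.upper())
        times = recent[key]
        times.append(ts)
        while ts - times[0] > window:  # drop timestamps outside the window
            times.popleft()
        if len(times) >= threshold and src not in flagged:
            flagged[src] = key[1:]
    return flagged

def flowspec_rules(flagged, protected_ip, action="discard"):
    """Build one FlowSpec-style match/action record per flagged source.
    `action` is a label ("discard" or "redirect"), not device syntax."""
    dst = str(ipaddress.ip_network(protected_ip))  # host route: /32 or /128
    return [
        {
            "match": {
                "destination": dst,
                "source": str(ipaddress.ip_network(src)),
                "protocol": "udp",
                "destination-port": 53,
            },
            "then": action,
        }
        for src in sorted(flagged)
    ]

if __name__ == "__main__":
    for rule in flowspec_rules(find_repetitive_sources(SAMPLE_QUERIES), "192.0.2.53"):
        print(rule)
```

Only the first sample source crosses the threshold; the source asking many different questions and the slow retrier are left alone, which is the distinction a simple per-source rate limit would miss.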

Sean Michael Kerner is a senior editor at Enterprise Networking Planet. Follow him on Twitter @TechJournalist.
