04/04/2025 | Press release | Distributed by Public on 04/03/2025 22:52
Justin presents on this topic at APRICOT 2025.
Distributed Denial of Service (DDoS) attacks continue to plague the Internet, posing a persistent threat to businesses of all sizes. As attackers evolve their tactics, our defences must adapt to mitigate these threats effectively. A DDoS attack can cause significant issues for customers and can be very time-consuming for network operators to track down and stop.
Those who have followed me for a while may be aware I am a big proponent of Border Gateway Protocol (BGP) Flowspec. I've published a short book, Day One: Deploying BGP Flowspec, detailing how to configure it on Juniper devices. At the recent APRICOT 2025, I delivered a presentation entitled 'BGP Flowspec doesn't suck. We're just using it wrong'. I truly believe that BGP Flowspec can be a big help to operators in blocking these attacks. Like most things in IT, BGP Flowspec does not come without drawbacks and must be implemented properly. In this post, I'll give a refresher on BGP Flowspec and why I believe more operators should test and adopt the technology.
DDoS trends
Current industry reports from leading cybersecurity firms such as Akamai and Cloudflare show that DDoS attacks are increasing in frequency and complexity. As a result, more organizations are turning to cloud-based mitigation services and moving away from traditional appliance-based solutions.
Working for a network observability company that analyses the global BGP table has its perks; we can actually see when an organization activates a cloud-based scrubbing service by looking at the changes in the BGP table. For example, in this visualization, you can see how Intrado Life & Safety (ASN 36329), which uses AT&T (ASN 7018) as its upstream provider, swings its traffic over to Neustar (ASN 19905) to mitigate an attack.
BGP Flowspec: A quick refresher
Let's have a quick refresher on how BGP Flowspec works. BGP Flowspec adds a new Network Layer Reachability Information (NLRI) type that lets the operator specify very detailed match criteria for the traffic they wish to mitigate. Table 1 shows the possible parameters that can be specified:
Once you have signalled what traffic you want to match on, you must tell the router what to do with that traffic. This is done by attaching extended communities to the announced BGP NLRI. Table 2 shows those options.
For more details, check out the IETF's RFC 8955.
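As an added example (not from the original post, and not Kentik's or Juniper's code), here is how the match parameters of Table 1 and the actions of Table 2 are carried on the wire per RFC 8955: a small Python encoder for a Flowspec NLRI and a traffic-rate extended community. The rule values are constructed for illustration and use a documentation prefix.

```python
import ipaddress
import struct

# Flowspec component types, RFC 8955 section 4.2.2 (subset of Table 1)
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DEST_PORT, PKT_LEN = 1, 2, 3, 5, 10

def numeric_op(value, lt=False, gt=False, eq=True, end=True):
    """One {operator, value} pair of a numeric-operator component
    (RFC 8955 section 4.2.1.1). Operator byte: e a len len 0 lt gt eq,
    where len selects a 1-, 2- or 4-byte value; 'end' marks the last pair."""
    if value < 0x100:
        len_bits, fmt = 0b00, ">B"
    elif value < 0x10000:
        len_bits, fmt = 0b01, ">H"
    else:
        len_bits, fmt = 0b10, ">I"
    op = (int(end) << 7) | (len_bits << 4) | (int(lt) << 2) | (int(gt) << 1) | int(eq)
    return bytes([op]) + struct.pack(fmt, value)

def prefix_payload(prefix):
    """Type 1/2 payload: prefix length, then only the significant prefix octets."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]

def flowspec_nlri(components):
    """components: list of (type, payload), already sorted by type as the RFC
    requires. The NLRI is length-prefixed: one byte if under 240, otherwise
    two bytes with the top nibble set to 0xF."""
    body = b"".join(bytes([ctype]) + payload for ctype, payload in components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body

def traffic_rate(bytes_per_sec, asn=0):
    """Traffic-rate extended community (Table 2 action, RFC 8955 section 7.1):
    type 0x80, subtype 0x06, 2-byte AS, 4-byte IEEE float; a rate of 0 discards."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, bytes_per_sec)

def udp_dns_flood_rule():
    """Constructed sample: discard UDP/53 packets longer than 1400 bytes
    destined to 192.0.2.0/24 (documentation prefix, not a real network)."""
    nlri = flowspec_nlri([
        (DEST_PREFIX, prefix_payload("192.0.2.0/24")),
        (IP_PROTO, numeric_op(17)),                       # == UDP
        (DEST_PORT, numeric_op(53)),                      # == 53
        (PKT_LEN, numeric_op(1400, gt=True, eq=False)),   # > 1400
    ])
    return nlri, traffic_rate(0)
```

Decoding the returned NLRI byte by byte against RFC 8955 is a useful way to check a vendor's Flowspec implementation before trusting it in production.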
Adoption rates
BGP Flowspec has great potential for mitigating DDoS attacks, but its adoption rate across organizations is varied. It's 2025, so of course, we are going to ask ChatGPT what it knows about BGP Flowspec adoption rates:
While it is difficult to obtain accurate data on adoption rates because most organizations implement it without publicity, it is evident that interest in and adoption of BGP Flowspec is increasing. This is based on anecdotal evidence from conversations with numerous customers who are either using it or testing it before deployment. Despite this growth, adoption rates remain lower than anticipated when the IETF ratified the foundational RFC years ago.
Best practices for safe adoption
BGP Flowspec, like any powerful technology, can have negative consequences if not deployed correctly. Many network engineers have a negative impression of BGP Flowspec due to several well-known outages caused by its misuse, including the 2020 CenturyLink outage and the 2013 Cloudflare outage.
Organizations should not be discouraged from utilizing BGP Flowspec's capabilities due to potential risks. Careful and deliberate implementation, along with adherence to best practices such as thorough testing, continuous monitoring, and policy adjustments, can ensure safe adoption.
Forwarding performance should be tested cautiously with different BGP Flowspec rules deployed, as most line card ASICs have limited resources for this filter. As the number of prefixes increases, these resources become depleted, impacting the ASICs' ability to forward packets at line rate. Additionally, more complex matching criteria consume more ASIC resources.
The filtering resulting from BGP Flowspec rule processing occurs as a forwarding table filter, applying to all device interfaces. Some vendors allow configurations to exclude specific interfaces, which may be useful to prevent loss of device access when the filter is applied.
Strict control over the types of BGP Flowspec rules advertised to routers is crucial. The Cloudflare outage mentioned earlier stemmed from advertising a rule that blocked packets of illogical sizes, causing their Juniper line cards to malfunction and drop all traffic. While the router's reaction was not ideal, in hindsight, Cloudflare should have implemented sanity checks in its automation platform to ensure reasonable packet sizes.
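As an added example (not from the post, and not Cloudflare's or any vendor's automation), here is the kind of pre-advertisement sanity check the paragraph argues for, in Python: it rejects packet-length matches beyond the 16-bit IP total-length field, matches broader than an assumed /24 floor or outside the operator's own address space, and batches that exceed an assumed line-card filter budget. The policy thresholds, owned prefixes and sample rules are all constructed for this example.

```python
import ipaddress

# Assumed operator policy (constructed for this example, tune per platform)
OWNED_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]
MIN_PREFIX_LEN = 24      # never accept a match broader than /24
MAX_RULES = 500          # assumed ASIC filter budget from lab testing
MAX_IP_LEN = 65535       # largest value the IP total-length field can hold

def check_range(name, lo, hi, upper, problems):
    if not (0 <= lo <= hi <= upper):
        problems.append(f"{name} range {lo}-{hi} is outside 0-{upper} or inverted")

def validate_rule(rule):
    """Return a list of reasons the rule is unsafe; an empty list means OK."""
    problems = []
    try:
        dst = ipaddress.ip_network(rule["dst"])
    except (KeyError, ValueError):
        return ["destination prefix missing or malformed"]
    if dst.prefixlen < MIN_PREFIX_LEN:
        problems.append(f"prefix {dst} broader than /{MIN_PREFIX_LEN}")
    if not any(dst.subnet_of(o) for o in OWNED_PREFIXES if o.version == dst.version):
        problems.append(f"prefix {dst} is not in our own address space")
    if "pkt_len" in rule:      # the class of rule behind the Cloudflare incident
        check_range("packet-length", *rule["pkt_len"], MAX_IP_LEN, problems)
    if "dst_port" in rule:
        check_range("dst-port", *rule["dst_port"], 65535, problems)
    if "proto" in rule and not 0 <= rule["proto"] <= 255:
        problems.append(f"protocol {rule['proto']} is not a valid IP protocol number")
    if rule.get("rate_bps", 0) < 0:
        problems.append("rate must be >= 0 (0 means discard)")
    return problems

def validate_batch(rules):
    """Map rule index -> problems; a budget overrun rejects the whole batch."""
    if len(rules) > MAX_RULES:
        return {"batch": [f"{len(rules)} rules exceeds budget of {MAX_RULES}"]}
    return {i: p for i, r in enumerate(rules) if (p := validate_rule(r))}

# Constructed sample rules: one sane, one with an impossible packet size,
# one that would blackhole every destination the router forwards to.
SAMPLE_RULES = [
    {"dst": "192.0.2.10/32", "proto": 17, "dst_port": (53, 53), "pkt_len": (0, 1400), "rate_bps": 0},
    {"dst": "192.0.2.0/24", "proto": 6, "pkt_len": (70000, 80000), "rate_bps": 0},
    {"dst": "0.0.0.0/0", "rate_bps": 0},
]
```

Run the check in the automation platform before the rule is handed to the BGP speaker, and log every rejection so operators can see what the tooling refused to advertise.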
Staying current
BGP Flowspec is a powerful tool in the fight against DDoS attacks. Staying up-to-date on the latest developments from the IETF and its Inter-Domain Routing (IDR) Working Group is essential for any organization looking to implement effective DDoS mitigation strategies. You can follow their mailing list. As the threat landscape continues to evolve, BGP Flowspec offers a beacon of hope for those seeking robust defence mechanisms.
By understanding BGP Flowspec's capabilities, adopting industry best practices, and remaining informed on the latest advancements, we can work together to build a stronger, more resilient internet. If you are considering deploying it and have questions, feel free to reach out to me, and I will be happy to answer any questions I can.
Watch Justin's APRICOT 2025 presentation for more information.
Justin Ryburn is the Field CTO at network observability company Kentik. He is an author and conference speaker with 25 years of experience in network operations, engineering, sales, and marketing with service providers and vendors.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.