BGP Signaling

This article describes how FastPPS uses BGP signaling to interact with upstream telecommunication operators or Managed Security Service Providers (MSSPs).

Signaling Goals

When deployed as a perimeter DDoS protection system, FastPPS can independently mitigate attacks up to the available inbound bandwidth capacity. To prevent uplink saturation, coarse traffic filtering can be activated at upstream telecom operators or external protection providers.

MSSPs typically use REST APIs, BGP, BGP FlowSpec, or proprietary protocols for customer signaling. FastPPS supports signaling scenarios using all of these methods.

BGP Signaling Setup Example

FastPPS continuously maintains multiple internal system lists that can be automatically populated with prefixes based on defined criteria and external sources.

Lists under system.policy.signaling.* are intended specifically for signaling purposes; however, any compatible list may be used provided it is not already assigned to another function.

As an example, consider the system.policy.signaling.prefixes system list populated using prefixes from the dst_prefixes field of protection policy routing rules.

To announce prefixes requiring traffic scrubbing, a BGP session must be configured between the FastPPS instance and the MSSP BGP speaker. The MSSP device is added as a BGP neighbor of the FastPPS instance.

If multiple scrubbing providers are used, a separate BGP neighbor should be configured for each provider.

Neighbor network parameters are configured in the neighbor settings. A higher TTL value is recommended, as the MSSP BGP speaker may be located multiple network hops away.

The system.policy.signaling.prefixes list must be specified within the BGP neighbor announcement policy.

The appropriate next-hop and BGP community attributes should be configured according to MSSP requirements.

Auto-detection thresholds are configured within the protection policy. When these thresholds are exceeded, policy prefixes are automatically added to the system.policy.signaling.prefixes list.

When the auto-detection system detects that the BGP.Signaling.InputPps.On threshold has been exceeded, the system.policy.signaling.prefixes list is populated with the corresponding policy prefixes.

These prefixes are then advertised to the MSSP BGP speaker via BGP. Upon receiving the announcement, the MSSP can redirect traffic destined for the protected prefixes to its own scrubbing infrastructure.

Note that once upstream scrubbing begins, the traffic rate observed within the protection policy may drop below the BGP.Signaling.InputPps.Off threshold even though the attack itself continues. If the MSSP configuration does not maintain scrubbing while elevated traffic levels persist, this drop results in prefix withdrawal and termination of upstream scrubbing, after which the attack traffic reaches FastPPS again and the threshold can be re-triggered.

To minimize route flapping during auto-detection threshold tuning, it is recommended to increase the number of analyzed intervals.
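The following is an added model of the On/Off threshold logic and the analyzed-interval count described above; it is not FastPPS code. Threshold names follow this article, while the pps values, the interval semantics and the traffic trace are constructed assumptions, used to show how scrubbing-induced rate drops cause announce/withdraw cycles and how a larger interval count reduces their frequency.

```python
from dataclasses import dataclass, field


@dataclass
class SignalingState:
    """Hysteresis controller for one protection policy (model, not FastPPS code)."""
    on_pps: float             # BGP.Signaling.InputPps.On
    off_pps: float            # BGP.Signaling.InputPps.Off
    intervals: int            # consecutive analyzed intervals required to switch
    announced: bool = False   # prefix currently in system.policy.signaling.prefixes
    above: int = 0
    below: int = 0
    transitions: list = field(default_factory=list)

    def observe(self, t: int, pps: float) -> bool:
        """Feed one interval's input rate; return whether the prefix is announced."""
        if pps > self.on_pps:
            self.above, self.below = self.above + 1, 0
        elif pps < self.off_pps:
            self.above, self.below = 0, self.below + 1
        else:                       # inside the On/Off band: hold current state
            self.above = self.below = 0
        if not self.announced and self.above >= self.intervals:
            self.announced, self.above = True, 0
            self.transitions.append((t, "announce"))
        elif self.announced and self.below >= self.intervals:
            self.announced, self.below = False, 0
            self.transitions.append((t, "withdraw"))
        return self.announced


def simulate(intervals: int, mssp_holds: bool = False, steps: int = 40) -> list:
    """Constructed scenario: a steady 5 Mpps attack that the MSSP scrubs down to
    50 kpps while the prefix is announced (or, if mssp_holds, keeps scrubbing
    after withdrawal). Returns the announce/withdraw events the model emits."""
    attack_pps, residual_pps = 5_000_000, 50_000
    st = SignalingState(on_pps=1_000_000, off_pps=200_000, intervals=intervals)
    scrubbing = False
    for t in range(steps):
        seen = residual_pps if scrubbing else attack_pps   # rate FastPPS observes
        announced = st.observe(t, seen)
        scrubbing = announced or (scrubbing and mssp_holds)
    return st.transitions


if __name__ == "__main__":
    for n in (1, 5):
        print(f"intervals={n}: {len(simulate(n))} route changes in 40 intervals")
    print("MSSP keeps scrubbing:", simulate(5, mssp_holds=True))
```

With one analyzed interval the prefix flips every interval; with five it flips every five, and when the MSSP keeps scrubbing after withdrawal only a single announce/withdraw pair occurs.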