BGP Flowspec allows network operators to filter or rate-limit specific traffic upstream before it reaches the network of the designated ip-address.
Flowspec is supported by most modern routers and can be implemented easily. Within our setup, it’s done by a few rules and an additional BGP Session.
This allows us to filter or rate-limit large ddos attacks in a flexible manner, before they even reach our network.
Flowspec has been integrated with two ouf our upstreams so far. Previously we had static firewall filters deployed on their equipment, which involved a manual third party intervention up on changes. Flowspec makes it possible to move the change ability in our own hands, offering us and our customers more capabilities and flexibility in terms of ddos protection.