Fortinet white logo
Fortinet white logo

Handbook

Configuring Flowspec

Configuring Flowspec

FortiDDoS can create Flowspec configuration scripts based on FortiDDoS attack information. The Flowspec scripts can be entered in Cisco and Juniper routes to create Flowspec-based ACLs, which are more fine-grained than traditional Remotely-Triggered-Black-Hole IP Addresses. The standard scripts may also work with other routers supporting Flowspec.

Depending on the type of attack seen, the script may include Destination IP, Destination Port, Protocol, Fragment and/or ICMP Type/Code. The full list of supported items from RFC 5575 is detailed below.

Before you begin:
  • You must have Read-Write permission for Log & Report.

To create a Flowspec script:

  1. Go to Log & Report > Flowspec Settings.
  2. Select the FortiDDoS device from the top-right device selection button.
  3. Complete the configuration as described in the table below.
  4. Save the configuration. The Report Status field displays the date and time this or last script was generated.
    Note: You must save the current setting before you download the script. Download without saving will download the previous script which remains in the memory until replaced.
  5. Click Download under Report Status to save the generated script to the device.

To use the generated Flowspec script:

  • The script can be cut and pasted directly into the CLI of the edge/peering router to create a Flowspec ACL.
  • You can determine whether the traffic filtering action will be rate-limit, re-direct or other action supported by the routers.

Flowspec configuration settings

Settings Guidelines
Generate Enable to allow script generation.
Destination Select the protected Destination IP address from the drop-down.
Dropcount Threshold Many large attacks are multi-vector. Since FortiDDoS sees even single-drop events, selecting a Destination IP address and creating a script for the last hour’s attacks could result in very long and confusing scripts.

The Dropcount Threshold limits the creation of scripts to only those attacks that exceed the entered Threshold. This Threshold should be set to a reasonably high number so you are generating scripts that make sense to use on the edge router – generally attacks that are exceeding the rate limits of the Internet links where FortiDDoS is mitigating. A reasonable Dropcount Threshold is 1,000,000.

The Dropcount threshold value is in the range 1-1000000000. The default value is 10.
Vendor Vendor - Cisco or Juniper
Report Status Status of the Flowspec script.

Flowspec

Supported Flowspec Parameters

RFC 5575 Juniper Available
Type 1 Destination prefix Yes
Destination prefix-offset No
Type 2 Source prefix Yes
Type 3 Protocol number Yes
Type 5 Destination-port Yes
Type 6 Source-port No
Source prefix-offset No
Type 7 ICMP-v4/v6-code Yes
Type 8 ICMP-v4/v-type Yes
Source-port No
Source prefix-offset No
Type 9 TCP Flags Yes
Type 10 Packet-length Yes
Type 11 DSCP No
Type 12 Fragment type
dont-fragment No
first-fragment No
is-fragment Yes
last-fragment No
not-a-fragment Not Explicit

Sample exported scripts:

Cisco
configure
class-map type traffic match all block-28.0.1.200-1
match source-address 28.0.0.6/32
match destination-address 28.0.1.200/32
end-class-map
configure
class-map type traffic match all block-28.0.1.200-2
match source-address 28.0.0.7/32
match destination-address 28.0.1.200/32
end-class-map
configure
class-map type traffic match all block-28.0.1.200-3
match source-address 28.0.0.9/32
match destination-address 28.0.1.200/32
end-class-map

Juniper
flow {
	term-order statndard;
	route block-28.0.1.200-1 {
		match {
			tmatch source-address 28.0.0.6/32
			match destination-address 28.0.1.200/32
		}
		then discard;
	}
 }
flow {
	term-order statndard;
	route block-28.0.1.200-2 {
		match {
			tmatch source-address 28.0.0.7/32
			match destination-address 28.0.1.200/32
		}
		then discard;
	}
 }
flow {
	term-order statndard;
	route block-28.0.1.200-3 {
		match {
			tmatch source-address 28.0.0.9/32
			match destination-address 28.0.1.200/32
		}
		then discard;
	}
 }

Configuring Flowspec

Configuring Flowspec

FortiDDoS can create Flowspec configuration scripts based on FortiDDoS attack information. The Flowspec scripts can be entered in Cisco and Juniper routes to create Flowspec-based ACLs, which are more fine-grained than traditional Remotely-Triggered-Black-Hole IP Addresses. The standard scripts may also work with other routers supporting Flowspec.

Depending on the type of attack seen, the script may include Destination IP, Destination Port, Protocol, Fragment and/or ICMP Type/Code. The full list of supported items from RFC 5575 is detailed below.

Before you begin:
  • You must have Read-Write permission for Log & Report.

To create a Flowspec script:

  1. Go to Log & Report > Flowspec Settings.
  2. Select the FortiDDoS device from the top-right device selection button.
  3. Complete the configuration as described in the table below.
  4. Save the configuration. The Report Status field displays the date and time this or last script was generated.
    Note: You must save the current setting before you download the script. Download without saving will download the previous script which remains in the memory until replaced.
  5. Click Download under Report Status to save the generated script to the device.

To use the generated Flowspec script:

  • The script can be cut and pasted directly into the CLI of the edge/peering router to create a Flowspec ACL.
  • You can determine whether the traffic filtering action will be rate-limit, re-direct or other action supported by the routers.

Flowspec configuration settings

Settings Guidelines
Generate Enable to allow script generation.
Destination Select the protected Destination IP address from the drop-down.
Dropcount Threshold Many large attacks are multi-vector. Since FortiDDoS sees even single-drop events, selecting a Destination IP address and creating a script for the last hour’s attacks could result in very long and confusing scripts.

The Dropcount Threshold limits the creation of scripts to only those attacks that exceed the entered Threshold. This Threshold should be set to a reasonably high number so you are generating scripts that make sense to use on the edge router – generally attacks that are exceeding the rate limits of the Internet links where FortiDDoS is mitigating. A reasonable Dropcount Threshold is 1,000,000.

The Dropcount threshold value is in the range 1-1000000000. The default value is 10.
Vendor Vendor - Cisco or Juniper
Report Status Status of the Flowspec script.

Flowspec

Supported Flowspec Parameters

RFC 5575 Juniper Available
Type 1 Destination prefix Yes
Destination prefix-offset No
Type 2 Source prefix Yes
Type 3 Protocol number Yes
Type 5 Destination-port Yes
Type 6 Source-port No
Source prefix-offset No
Type 7 ICMP-v4/v6-code Yes
Type 8 ICMP-v4/v-type Yes
Source-port No
Source prefix-offset No
Type 9 TCP Flags Yes
Type 10 Packet-length Yes
Type 11 DSCP No
Type 12 Fragment type
dont-fragment No
first-fragment No
is-fragment Yes
last-fragment No
not-a-fragment Not Explicit

Sample exported scripts:

Cisco
configure
class-map type traffic match all block-28.0.1.200-1
match source-address 28.0.0.6/32
match destination-address 28.0.1.200/32
end-class-map
configure
class-map type traffic match all block-28.0.1.200-2
match source-address 28.0.0.7/32
match destination-address 28.0.1.200/32
end-class-map
configure
class-map type traffic match all block-28.0.1.200-3
match source-address 28.0.0.9/32
match destination-address 28.0.1.200/32
end-class-map

Juniper
flow {
	term-order statndard;
	route block-28.0.1.200-1 {
		match {
			tmatch source-address 28.0.0.6/32
			match destination-address 28.0.1.200/32
		}
		then discard;
	}
 }
flow {
	term-order statndard;
	route block-28.0.1.200-2 {
		match {
			tmatch source-address 28.0.0.7/32
			match destination-address 28.0.1.200/32
		}
		then discard;
	}
 }
flow {
	term-order statndard;
	route block-28.0.1.200-3 {
		match {
			tmatch source-address 28.0.0.9/32
			match destination-address 28.0.1.200/32
		}
		then discard;
	}
 }