FlowSpec: Programmable Filters via BGP

Blocking an attacking IP requires logging into every border router, adding firewall rules, and hoping you don’t make a typo. For 10 routers, that’s 10 changes, made during an attack, when speed matters most.

BGP FlowSpec distributes filter rules via BGP. Define a rule once and BGP propagates it to all routers, which install the filters automatically. Network-wide blocking from a single point.

FlowSpec enables network-wide filtering from a single control point.

What FlowSpec Does

Traditional:
[Admin] → SSH → [Router 1] → add rule
→ SSH → [Router 2] → add rule
→ SSH → [Router 3] → add rule
... (manual, slow, error-prone)
FlowSpec:
[Admin] → [FlowSpec Controller] → BGP FlowSpec → [All Routers]
(automatic installation)

FlowSpec Components

NLRI (Network Layer Reachability Information)

FlowSpec rules are BGP NLRIs that describe traffic:

Component     | Description          | Example
Destination   | Destination prefix   | 203.0.113.0/24
Source        | Source prefix        | 198.51.100.0/24
Protocol      | IP protocol          | TCP, UDP, ICMP
Port          | L4 port              | 80, 443, 53
Fragment      | Fragmentation flags  | don’t-fragment
Packet length | Packet size          | 100-1500
DSCP          | DiffServ code point  | 46

Actions

Action          | Description
Traffic-rate    | Rate limit (0 = drop)
Traffic-action  | Sample, terminal
Redirect        | Send to specific VRF
Traffic-marking | Set DSCP

FlowSpec on VyOS

VyOS FlowSpec support depends on version and FRRouting capabilities.

Enable FlowSpec Address Family

configure
# Enable FlowSpec for IPv4
set protocols bgp address-family ipv4-flowspec
# Configure neighbor for FlowSpec
set protocols bgp neighbor 10.255.0.1 address-family ipv4-flowspec
commit

Receive FlowSpec Rules

configure
# Accept FlowSpec from upstream
set protocols bgp neighbor 10.255.0.1 address-family ipv4-flowspec
# Interface to apply FlowSpec rules
set protocols bgp address-family ipv4-flowspec local-install interface eth0
commit

FlowSpec Rule Examples

Block Traffic to Destination

# Block all traffic to 203.0.113.100/32
# FlowSpec NLRI components:
# Destination: 203.0.113.100/32
# Action: traffic-rate 0 (drop)

Block Specific Port

# Block UDP port 53 to destination (DNS amplification)
# FlowSpec NLRI:
# Destination: 203.0.113.0/24
# Protocol: UDP (17)
# Destination port: 53
# Action: traffic-rate 0

Rate Limit

# Rate limit ICMP to destination
# FlowSpec NLRI:
# Destination: 203.0.113.100/32
# Protocol: ICMP (1)
# Action: traffic-rate 1000000 (1 Mbps)

Block Source Network

# Block all traffic from attacking network
# FlowSpec NLRI:
# Source: 198.51.100.0/24
# Action: traffic-rate 0
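To make the NLRI component table and the rule examples above concrete, here is an added Python encoder (not part of the original page, VyOS or ExaBGP) that builds the wire-format IPv4 FlowSpec NLRI defined in RFC 8955 for the rules in this section, plus the traffic-rate extended community that carries the drop or rate-limit action. It assumes IPv4 and only the destination, source, protocol and destination-port component types; note that RFC 8955 defines traffic-rate in bytes per second, not bits.

```python
import ipaddress
import struct

# FlowSpec component types (RFC 8955, Section 4.2); components go in ascending type order
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT = 1, 2, 3, 5
# Numeric-operator bits: end-of-list, and-with-previous, less-than, greater-than, equal
END, AND, LT, GT, EQ = 0x80, 0x40, 0x04, 0x02, 0x01

def _prefix_component(ctype, cidr):
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8  # only the significant octets are sent
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def _op_value(op, value):
    # operator bits 5-4 carry the value length: 00 = 1 octet, 01 = 2 octets
    if value < 256:
        return bytes([op]) + struct.pack("!B", value)
    return bytes([op | (0b01 << 4)]) + struct.pack("!H", value)

def _numeric_component(ctype, value):
    # exact match: one operator with eq and end-of-list set
    return bytes([ctype]) + _op_value(END | EQ, value)

def _range_component(ctype, low, high):
    # ">= low AND <= high": the second operator sets the and-bit so both must hold
    return bytes([ctype]) + _op_value(GT | EQ, low) + _op_value(END | AND | LT | EQ, high)

def flowspec_nlri(dst=None, src=None, proto=None, dport=None):
    """Build the IPv4 FlowSpec NLRI; dport may be an int or a (low, high) tuple."""
    comps = b""
    if dst is not None:
        comps += _prefix_component(DST_PREFIX, dst)
    if src is not None:
        comps += _prefix_component(SRC_PREFIX, src)
    if proto is not None:
        comps += _numeric_component(IP_PROTO, proto)
    if isinstance(dport, tuple):
        comps += _range_component(DST_PORT, *dport)
    elif dport is not None:
        comps += _numeric_component(DST_PORT, dport)
    if len(comps) < 240:  # one length octet below 240, else two octets 0xFnnn
        return bytes([len(comps)]) + comps
    return struct.pack("!H", 0xF000 | len(comps)) + comps

def traffic_rate(rate_bytes_per_sec, asn=0):
    # traffic-rate extended community: type 0x80, sub-type 0x06, 2-octet AS,
    # 4-octet IEEE float. The unit is BYTES per second (RFC 8955 7.1); 0 drops.
    return struct.pack("!BBHf", 0x80, 0x06, asn, float(rate_bytes_per_sec))
```

For example, `flowspec_nlri(dst="203.0.113.100/32", proto=17, dport=53)` is the "Block Specific Port" rule above, and `traffic_rate(0)` is its drop action.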

FlowSpec Controller

ExaBGP for FlowSpec

ExaBGP can inject FlowSpec rules:

exabgp.conf
neighbor 10.255.0.1 {
    router-id 10.255.0.100;
    local-address 10.255.0.100;
    local-as 65001;
    peer-as 65001;

    # negotiate the IPv4 FlowSpec address family with the router
    family {
        ipv4 flow;
    }

    flow {
        route {
            # Block UDP 53 to victim
            match {
                destination 203.0.113.100/32;
                protocol udp;
                destination-port =53;
            }
            then {
                rate-limit 0;
            }
        }
    }
}

Inject Rule via API

# Using ExaBGP API
echo "announce flow route destination 203.0.113.100/32 protocol tcp destination-port 80 rate-limit 0" | socat - /var/run/exabgp.sock

Viewing FlowSpec

Show Received Rules

# Show FlowSpec routes
show bgp ipv4 flowspec
# Output:
# Flow Destination Protocol Port Action
# 1 203.0.113.100/32 UDP 53 rate-limit 0
# 2 203.0.113.0/24 TCP 80-443 rate-limit 1000000

Show Installed Rules

# Show rules installed on interface
show policy pbr flowspec interface eth0
# Or via iptables
sudo iptables -L -v -n | grep -i flowspec

FlowSpec Validation

Important Security Measures

# Only accept FlowSpec from trusted sources
# Validate FlowSpec rules don't affect unintended traffic
# Prefix validation
# FlowSpec destination should match prefixes you announce
# Prevents upstream from filtering traffic you didn't request

Validation Mode

configure
# Enable FlowSpec validation
set protocols bgp address-family ipv4-flowspec validation
# Only accept FlowSpec for your own prefixes
commit
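The validation this section describes is the feasibility check from RFC 8955 Section 6: a rule is only installed if it carries a destination prefix, the originator of that rule matches the originator of the best-match unicast route for the prefix, and no more-specific unicast route comes from a different AS. The following Python is an added example (not VyOS or FRR code) that applies those three tests to a constructed unicast RIB, assuming the RIB maps each best-path prefix to the AS it was learned from.

```python
import ipaddress

# Constructed unicast RIB: best-path prefix -> AS the route was learned from.
# The /24 and a more-specific /25 deliberately come from different ASes.
SAMPLE_RIB = {
    ipaddress.IPv4Network("203.0.113.0/24"): 65001,
    ipaddress.IPv4Network("203.0.113.128/25"): 65003,
    ipaddress.IPv4Network("198.51.100.0/24"): 65002,
}

def validate_flowspec(dest_prefix, flow_originator, unicast_rib):
    """RFC 8955 Section 6 feasibility check. Returns (feasible, reason)."""
    # (a) the rule must carry a destination prefix component
    if dest_prefix is None:
        return False, "no destination prefix component"
    dst = ipaddress.IPv4Network(dest_prefix)
    # (b) best-match unicast route = longest prefix covering the destination;
    #     its originator must equal the FlowSpec originator
    covering = [p for p in unicast_rib if dst.subnet_of(p)]
    if not covering:
        return False, "no unicast route covers the destination"
    best = max(covering, key=lambda p: p.prefixlen)
    if unicast_rib[best] != flow_originator:
        return False, f"best-match {best} is from AS{unicast_rib[best]}, rule from AS{flow_originator}"
    # (c) no more-specific unicast route may come from a different AS than the best match
    for prefix, origin in unicast_rib.items():
        if prefix.subnet_of(dst) and prefix.prefixlen > dst.prefixlen and origin != unicast_rib[best]:
            return False, f"more-specific {prefix} is from AS{origin}"
    return True, "feasible"

if __name__ == "__main__":
    for dest, origin in [("203.0.113.100/32", 65001), ("203.0.113.100/32", 65002),
                         ("203.0.113.0/24", 65001)]:
        print(dest, f"AS{origin}", validate_flowspec(dest, origin, SAMPLE_RIB))
```

The second and third cases are the ones the text warns about: an upstream filtering a prefix it does not route for you, and a rule whose destination covers space another AS announces more specifically.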

FlowSpec Use Cases

Use Case 1: DDoS Response

# Attack detected to 203.0.113.100
# Inject FlowSpec rule from controller
# Block all traffic (like RTBH but more granular)
# FlowSpec: destination 203.0.113.100/32, rate-limit 0
# Or block specific attack pattern
# FlowSpec: destination 203.0.113.100/32, protocol UDP, port 53, rate-limit 0

Use Case 2: Traffic Scrubbing

# Redirect attack traffic to scrubbing center
# FlowSpec: destination 203.0.113.100/32, redirect VRF scrubbing
# Clean traffic sent back via normal routing

Use Case 3: Rate Limiting

# Limit ICMP to all destinations (prevent ping flood amplification)
# FlowSpec: protocol ICMP, rate-limit 1000000

Use Case 4: Network-Wide Policy

# Block entire protocol network-wide
# FlowSpec: protocol 47 (GRE), rate-limit 0
# All routers now block GRE

FlowSpec vs RTBH

Feature     | RTBH        | FlowSpec
Granularity | /32 or /24  | 5-tuple
Actions     | Drop only   | Drop, rate-limit, redirect
Complexity  | Simple      | More complex
Support     | Wide        | Limited

RTBH: Block everything to a destination
FlowSpec: Block specific traffic patterns to a destination

Limitations

Hardware Support

FlowSpec requires:
- BGP implementation supporting FlowSpec
- Data plane capable of implementing rules
- Sufficient TCAM/memory for rules

VyOS (software router):
- FlowSpec implemented via iptables/nftables
- Works but limited by CPU performance

Rule Complexity

More rules = More processing
Complex rules = Harder to manage
Watch for:
- Too many concurrent rules
- Overlapping rules
- Stale rules (remove after attack)

Best Practices

1. Start Simple

# Begin with basic destination blocks
# Add complexity as needed
# Test before production use

2. Automate Rule Management

# Use FlowSpec controller
# Integrate with detection systems
# Automatic rule addition and removal

3. Set Timeouts

# FlowSpec rules should expire
# Don't leave blocking rules forever
# Implement automatic cleanup

4. Document and Alert

# Log all FlowSpec changes
# Alert team when rules added
# Review rules regularly

The Lesson

FlowSpec enables network-wide filtering from a single control point.

Traditional filtering:

  • Manual changes on each router
  • Slow during attacks
  • Error-prone
  • Inconsistent

FlowSpec:

  • Define once, propagate everywhere
  • Fast deployment via BGP
  • Consistent across network
  • Can be automated

VyOS FlowSpec support varies by version. For production use:

  • Verify feature support
  • Test thoroughly
  • Have fallback (manual rules, RTBH)

FlowSpec is powerful but complex. Start with simple rules, build automation, expand as you gain experience.