
Flowspec Auto-Mitigations

New SP Feature

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 1



Flowspec auto-mitigations automatically filter UDP reflection/amplification (R/A) attacks in routers

• Only for host detection
• Only for some misuse types
  – All UDP Amplification
  – Total traffic, UDP, and IP Fragmentation

Flowspec auto-mitigation templates are global

• One template Flowspec filter per misuse type
• Configure at Administration > Mitigation > IPv4 Flowspec Auto-Mitigation Settings
Global Flowspec Auto-Mitigation Settings

• Routers that will receive Flowspec announcements
• BGP communities for announcements
• Enable option and filter template for each misuse type


• Click expander icon to view Flowspec filter
• Each template Flowspec filter
  – Has a default filter in software
    • Usually UDP and source port
      – Same as host detection match
  – Can be customized by SP administrator
  – Return to software default using reset button


• Some default filters include additional filter parameters
  – Usually packet traits that are not usable in flow data

Example: NTP Amplification filter matches only uncommon packet lengths

Managed Object Flowspec Auto-Mitigation Settings

• New enable option on managed object settings Mitigation tab
  – Setting is completely independent of TMS auto-mitigation settings
• Shortcut link to global Flowspec template settings

Example Flowspec Auto-Mitigation

• Example attack is NTP Reflection
• Host Alert triggered for NTP Amplification misuse


• Link to Flowspec Auto-Mitigation


• Auto-generated Flowspec mitigation name includes
  – alert ID
  – protected destination address
  – misuse type


• Routers and BGP communities are from Flowspec auto-mitigation setting


• Flowspec filter in mitigation is a copy of NTP Amplification template filter


• Flowspec auto-mitigations always have discard action by default

• Any Flowspec mitigation setting may be modified, including Filter and Action
– A modified Flowspec auto-mitigation will cease to be automatic
• Same behavior as modified TMS auto-mitigations
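
What a filter-plus-discard announcement of this kind looks like on the wire, as an added example (not NETSCOUT code and not the product's default template): it encodes a BGP Flowspec NLRI and the discard action following RFC 5575. The destination address, the AS number and the packet-length term are constructed for illustration.

```python
import ipaddress
import struct

# Numeric operator bits from RFC 5575 section 4 (lt|gt together mean "not equal")
END, LT, GT, EQ = 0x80, 0x04, 0x02, 0x01
DEST_PREFIX, IP_PROTOCOL, SOURCE_PORT, PACKET_LENGTH = 1, 3, 6, 10  # component types


def dest_prefix(cidr):
    """Type 1 component: prefix length in bits, then only the significant bytes."""
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([DEST_PREFIX, net.prefixlen]) + net.network_address.packed[:nbytes]


def numeric(comp_type, terms):
    """Numeric component: (operator, value) pairs, OR-ed together by the router."""
    out = bytes([comp_type])
    for i, (op, value) in enumerate(terms):
        width = 1 if value < 0x100 else 2   # protocol, ports and lengths fit in 2 bytes
        op |= (width - 1) << 4              # length bits: 0 -> 1-byte value, 1 -> 2-byte
        if i == len(terms) - 1:
            op |= END                       # end-of-list bit on the last pair
        out += bytes([op]) + value.to_bytes(width, "big")
    return out


def build_nlri(dst, protocol, src_port, length_terms):
    """Flowspec NLRI: 1-byte length, then components in ascending type order."""
    body = (dest_prefix(dst) + numeric(IP_PROTOCOL, [(EQ, protocol)])
            + numeric(SOURCE_PORT, [(EQ, src_port)])
            + numeric(PACKET_LENGTH, length_terms))
    if len(body) >= 240:
        raise ValueError("2-byte NLRI length form not handled in this example")
    return bytes([len(body)]) + body


def discard_action(asn=0):
    """Traffic-rate extended community (0x8006) with rate 0.0, i.e. discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, 0.0)


if __name__ == "__main__":
    # Constructed values: documentation address, UDP (17), NTP source port 123,
    # and "IP length != 76" (76 bytes is an ordinary 48-byte NTP message plus headers).
    nlri = build_nlri("192.0.2.10/32", 17, 123, [(LT | GT, 76)])
    print(nlri.hex(), discard_action().hex())
```

Comparing bytes like these against what a router actually receives is a quick way to confirm that a customized template still matches only the intended host, protocol and source port before it is allowed to discard traffic.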



Flowspec Auto-Mitigations

• A single managed object may have auto-mitigations via both Flowspec and TMS
– Settings are independent

Flowspec auto‑mitigation enabled

TMS auto‑mitigation enabled


• Simultaneous auto-mitigations are possible

Flowspec auto‑mitigation

TMS auto‑mitigation
