What FlowSpec does
Normal BGP distributes reachability information. FlowSpec distributes filtering instructions instead. That means the control plane can tell routers which traffic patterns should be dropped or rate-limited.
The goal is speed and consistency. During an attack, pushing one filter to many devices is much more useful than logging into every router separately.
How it works
A FlowSpec route contains match conditions and an action. The match can include things like source prefix, destination prefix, IP protocol, source port, destination port, packet length or TCP flags.
Once the route is accepted, the receiving router installs a corresponding filter in hardware or software, depending on platform capabilities.
Typical matches
- Destination prefix under attack
- Specific protocol such as UDP or TCP
- Source or destination ports
- TCP flags such as SYN
- Packet length or fragment patterns
Typical actions
Drop, rate-limit or redirect, depending on platform support.
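To show what a match plus an action looks like on the wire, the added example below (not code from this page or from any router vendor) encodes a destination prefix, IP protocol and destination port match and a traffic-rate action. It assumes the byte layout defined in RFC 8955, which this page does not cite. The function names and the sample prefixes are illustrative.

```python
import ipaddress
import struct

# Component type codes from RFC 8955; components must appear in ascending type order.
DEST_PREFIX, IP_PROTOCOL, DEST_PORT = 1, 3, 5
END_OF_LIST, EQ = 0x80, 0x01  # numeric_op bits: last operator in the list, "equals"


def numeric_eq(comp_type: int, value: int) -> bytes:
    """One numeric component that matches a single exact value."""
    size_code, fmt = (0, "!B") if value < 256 else (1, "!H")  # 1- or 2-octet value
    op = END_OF_LIST | (size_code << 4) | EQ
    return bytes([comp_type, op]) + struct.pack(fmt, value)


def encode_nlri(dest: str, protocol: int, dest_port: int) -> bytes:
    """Length-prefixed NLRI: destination prefix, IP protocol, destination port."""
    net = ipaddress.IPv4Network(dest)  # raises ValueError if host bits are set
    # Only the octets covered by the prefix length are sent.
    prefix_octets = net.network_address.packed[: (net.prefixlen + 7) // 8]
    body = bytes([DEST_PREFIX, net.prefixlen]) + prefix_octets
    body += numeric_eq(IP_PROTOCOL, protocol)
    body += numeric_eq(DEST_PORT, dest_port)
    if len(body) >= 240:
        raise ValueError("two-octet NLRI length is not handled in this example")
    return bytes([len(body)]) + body


def traffic_rate(rate_bytes_per_sec: float, asn: int = 0) -> bytes:
    """traffic-rate-bytes extended community (0x8006); a rate of 0 means drop."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


if __name__ == "__main__":
    # Constructed sample: UDP (17) to port 53 toward documentation prefix 192.0.2.0/24.
    print("match :", encode_nlri("192.0.2.0/24", 17, 53).hex())
    print("drop  :", traffic_rate(0).hex())
    print("limit :", traffic_rate(125000.0).hex())  # 125 kB/s
```

The match and the action travel separately: the NLRI carries the match, and the extended community attached to the route carries the action.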
Where FlowSpec fits
FlowSpec is useful for network-wide coordination. It is good at pushing simple filtering decisions quickly across many routers. That makes it effective for distributed response to large attacks.
It is not a replacement for every mitigation layer. Complex validation, session handling and protocol-aware filtering usually still need to happen elsewhere.
Limits and caveats
Hardware support is not identical across vendors and platforms. Some devices support only part of the FlowSpec feature set, and some actions may be implemented in slower paths depending on the router.
That means FlowSpec is only as good as the devices receiving the routes. It solves distribution. It does not guarantee that every box can enforce the rule equally well.
Why it matters during DDoS events
During an attack, response time matters. If you can distribute a filtering rule in seconds rather than configure devices one by one, you reduce both reaction time and operational mistakes.
That is why FlowSpec is attractive for providers with multiple edge routers or multiple mitigation points.