BGP Flowspec vs ACLs vs RTBH: Which Filtering Method Wins for DDoS Mitigation?

In today’s high-stakes network environment, DDoS mitigation is not just a security option—it’s a necessity. Network engineers face a crucial decision: how to block malicious traffic quickly and effectively without impacting legitimate users.

The three most common filtering methods used to mitigate DDoS attacks are:

  • Access Control Lists (ACLs)
  • Remote Triggered Black Hole (RTBH) filtering
  • BGP Flowspec

Each method has strengths and weaknesses, and choosing the right one depends on your infrastructure, hardware, and use case.

In this guide, we’ll compare these three techniques in-depth and help you decide which one wins in terms of speed, flexibility, scalability, and automation.


🔍 What Are ACLs, RTBH, and BGP Flowspec?

Let’s start with definitions.

✅ Access Control Lists (ACLs)

ACLs are static packet filters configured directly on routers or switches. They match traffic based on IP addresses, protocols, or ports and either permit or deny that traffic.

Example (Cisco IOS; the trailing `permit` is required because an extended ACL ends with an implicit deny, so a list containing only the `deny` line would drop all traffic on the interface):

```
ip access-list extended BLOCK-UDP
 remark drop UDP to destination port 123, allow everything else
 deny udp any any eq 123
 permit ip any any
```

✅ Pros:

  • Simple and widely supported
  • Granular control
  • No need for BGP

❌ Cons:

  • Static and manual
  • Doesn’t scale well
  • Risk of configuration errors

✅ Remote Triggered Black Hole (RTBH)

RTBH is a BGP-based technique that routes unwanted traffic to a “black hole” by advertising a /32 route with a special next-hop. The traffic is effectively dropped before it enters your network.

Example (Cisco IOS static null route on the trigger router):

```
ip route 203.0.113.99 255.255.255.255 Null0 tag 666
```

✅ Pros:

  • Lightweight
  • Fast to propagate
  • Works well for source or destination blocking

❌ Cons:

  • All-or-nothing (drops all traffic to/from IP)
  • No port/protocol granularity
  • Can cause collateral damage

✅ BGP Flowspec

BGP Flowspec is a BGP extension that distributes firewall-like rules (based on IP, port, protocol, TCP flags, etc.) dynamically across your routers.

Example (vendor-neutral rule):

```
Match:  UDP dst-port 53
Action: Discard
```

✅ Pros:

  • Fine-grained filtering
  • Real-time updates via BGP
  • Automation-friendly

❌ Cons:

  • Requires router support
  • Slightly more complex to configure
  • May not be supported by upstream providers

⚖️ Side-by-Side Comparison

| Feature | ACLs | RTBH | BGP Flowspec |
|---|---|---|---|
| Filtering Granularity | High (manual) | Low | High (automated) |
| Automation Support | Low | Medium | High |
| Deployment Time | Slow (manual) | Fast | Fast |
| BGP Required | No | Yes | Yes |
| Impact Scope | Per-router | Network-wide | Network-wide |
| DDoS Mitigation Use Case | Limited | Emergency blocking | Real-time filtering |
| Port/Protocol Match Support | Yes | No | Yes |
| Dynamic Scaling | No | Yes | Yes |

🛠️ Real-World Use Cases

✅ When to Use ACLs

Use ACLs when:

  • You only have a few routers or switches
  • You need tight control over filtering policies
  • You don’t have BGP running on your edge

💡 Example: A small enterprise blocks UDP port 123 (NTP amplification) statically at the edge.


✅ When to Use RTBH

Use RTBH when:

  • You need to block all traffic to/from a specific host under attack
  • You want a lightweight BGP-based method
  • You operate in an ISP or multi-AS environment

💡 Example: A provider automates RTBH by marking IPs in a SIEM that triggers a BGP announcement.


✅ When to Use BGP Flowspec

Use BGP Flowspec when:

  • You want to block specific attack types (e.g., UDP floods, SYN floods)
  • You need instant mitigation across your backbone
  • You want full automation via NetFlow or FastNetMon

💡 Example: A CDN uses Flowspec to block malicious HTTP floods by matching on TCP flags and port.


🔧 Configuration Examples

RTBH (Cisco IOS)

The tagged static route has to be redistributed into BGP through the route-map; applying the route-map inbound on the neighbor would never see the tag. The discard next-hop and the community below are placeholders: point the discard address at Null0 on every router, and use the blackhole community your peer or upstream actually honours.

```
! Trigger router: null-route the victim /32 and tag it for redistribution
ip route 192.0.2.1 255.255.255.255 Null0 tag 666
!
! Match the tagged static, rewrite the next-hop to the discard address
! (192.0.2.254 is a placeholder) and attach the blackhole community (placeholder 65001:666)
route-map RTBH permit 10
 match tag 666
 set ip next-hop 192.0.2.254
 set community 65001:666
!
router bgp 65000
 neighbor 10.0.0.1 remote-as 65001
 address-family ipv4
  neighbor 10.0.0.1 activate
  redistribute static route-map RTBH
```

BGP Flowspec (MikroTik)

```
/routing/filter/flowspec
add chain=flowspec-out protocol=udp dst-port=53 action=discard

/routing/bgp/peer
add name=flowspec-peer remote-address=192.168.88.1 remote-as=65001 out-filter=flowspec-out
```

ACL (Cisco IOS)

As with the earlier ACL, the explicit `permit ip any any` is what keeps the implicit deny from dropping all other traffic on the interface.

```
ip access-list extended BLOCK-PORT-80
 deny tcp any any eq 80
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group BLOCK-PORT-80 in
```

⚠️ Common Pitfalls

  • Overblocking with RTBH: You may drop legitimate traffic unintentionally.
  • Stale ACLs: Manual ACLs often remain in place after an incident.
  • Flowspec Misconfigurations: A wrong rule can block critical services network-wide.
  • Vendor support mismatch: Not all routers fully support Flowspec actions.

🛡 Always test filtering methods in a lab environment or use “dry run” modes before deployment.
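A dry run like the one recommended above can be scripted against exported flow records before a rule is pushed. The Python below is an added example, not code from the original article or from any vendor: it replays a constructed flow sample (a UDP/53 reflection flood at 203.0.113.10 mixed with legitimate customer traffic) through an RTBH-style /32 drop, a Flowspec rule scoped to the victim prefix, and an unscoped Flowspec rule, and reports how much attack and legitimate traffic each would discard, which makes the overblocking trade-offs from the comparison table and the pitfalls list concrete. Addresses, pps counts and the `legit` ground-truth flag are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    pps: int
    legit: bool  # ground truth; only available in a lab or replay scenario


# Constructed flow sample: a UDP/53 reflection flood at 203.0.113.10 mixed with
# real customer traffic. Addresses and pps values are made up for this illustration.
FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", "udp", 53, 900_000, False),
    Flow("198.51.100.8", "203.0.113.10", "udp", 53, 850_000, False),
    Flow("192.0.2.20", "203.0.113.10", "tcp", 443, 4_000, True),
    Flow("192.0.2.21", "203.0.113.10", "udp", 53, 300, True),
    Flow("192.0.2.22", "203.0.113.11", "udp", 53, 500, True),
]


def rtbh_rule(victim: str):
    """RTBH: the null-routed /32 drops every packet addressed to the victim."""
    return lambda f: f.dst == victim


def flowspec_rule(proto: str, dport: int, dst_prefix: str = "0.0.0.0/0"):
    """Flowspec/ACL-style match on protocol and destination port, optionally scoped to a prefix."""
    net = ip_network(dst_prefix)
    return lambda f: f.proto == proto and f.dport == dport and ip_address(f.dst) in net


def dry_run(rule, flows=FLOWS):
    """Return (attack_pps_dropped, legit_pps_dropped) for a candidate rule."""
    dropped = [f for f in flows if rule(f)]
    return (sum(f.pps for f in dropped if not f.legit),
            sum(f.pps for f in dropped if f.legit))


def compare(victim: str = "203.0.113.10"):
    """Evaluate three candidate mitigations against the same flow sample."""
    return {
        "rtbh": dry_run(rtbh_rule(victim)),
        "flowspec_scoped": dry_run(flowspec_rule("udp", 53, victim + "/32")),
        "flowspec_unscoped": dry_run(flowspec_rule("udp", 53)),
    }


if __name__ == "__main__":
    for name, (attack, legit) in compare().items():
        print(f"{name:18s} drops {attack:>9,d} attack pps and {legit:>6,d} legitimate pps")
```

On this sample all three rules stop the flood, but RTBH also discards the victim's HTTPS traffic and the unscoped Flowspec rule discards DNS traffic to an unrelated host, which is exactly the collateral damage the dry run is meant to surface.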


🧠 Conclusion: Which Method Wins?

There’s no single winner—but here’s a breakdown:

| Network Size | Recommended Method |
|---|---|
| Small/Static | ACLs |
| ISP or IX | RTBH |
| Mid to Large-scale | BGP Flowspec (Best) |

In 2025, BGP Flowspec emerges as the most flexible and automation-ready solution for modern DDoS mitigation. It allows you to respond dynamically to threats and scale defense strategies without compromising performance.
