How to Build a DDoS Detection System with BGP Flowspec and NetFlow

DDoS attacks continue to be one of the biggest threats to network availability in 2025. Businesses of all sizes are vulnerable to volumetric attacks, SYN floods, and protocol-based disruptions. While mitigation tools exist, many are reactive or expensive. One of the most effective and scalable ways to protect your infrastructure is to combine NetFlow-based traffic monitoring with automated BGP Flowspec response.

In this article, we’ll show you how to build your own DDoS detection and mitigation system using NetFlow (or sFlow/IPFIX) and BGP Flowspec. This approach allows you to detect suspicious traffic patterns in near real-time and automatically block them at the network edge using dynamically propagated rules.


What You’ll Learn

  • What is NetFlow and how it helps detect DDoS
  • How BGP Flowspec enables dynamic filtering
  • Architecture of a detection + mitigation system
  • Open-source and enterprise tools for automation
  • Configuration examples (Cisco, MikroTik)

1. What Is NetFlow and Why Use It?

NetFlow is a protocol developed by Cisco (IPFIX is its IETF-standardized successor; sFlow is a comparable sampling-based alternative) that exports metadata about the traffic passing through network devices. A flow is typically identified by a 5-tuple:

  • Source IP
  • Destination IP
  • Source port
  • Destination port
  • Protocol

By collecting and analyzing this flow data, you can spot anomalies, such as:

  • Sudden spikes in traffic from a single source
  • Unusual port scans or floods
  • Excessive connections to a specific service

NetFlow data can be exported to a collector like:

  • ntopng / nProbe
  • Elasticsearch + Logstash (ELK)
  • FastNetMon
  • pmacct
  • Grafana + InfluxDB

2. What Is BGP Flowspec?

BGP Flowspec is an extension to BGP that allows routers to distribute firewall-like rules using the BGP control plane. It enables fine-grained filtering based on:

  • IP addresses
  • Ports
  • Protocols
  • TCP flags
  • Packet sizes

When you detect a DDoS attack (e.g. UDP flood on port 53), you can dynamically announce a Flowspec rule to block that traffic across multiple routers—without logging into each one manually.

Example rule:

```
Match:  UDP dst-port 53
Action: Discard
```
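To make concrete what "distributing a rule through BGP" means on the wire, here is an added Python example (not code from the article) that encodes the rule above as an RFC 8955 Flowspec NLRI, together with the traffic-rate extended community that expresses "discard". It handles one equality term per component; the destination prefix 192.0.2.0/24 is borrowed from the Cisco section further down and is only a sample value.

```python
import ipaddress
import struct

# RFC 8955 component types used in this example
DEST_PREFIX, IP_PROTO, DEST_PORT = 1, 3, 5
# Numeric operator byte: end-of-list bit, AND bit, value-length code, lt/gt/eq bits
OP_END, OP_LEN2, OP_EQ = 0x80, 0x10, 0x01

def encode_prefix_component(ctype, prefix):
    """Type byte, prefix length, then only the octets needed to hold the prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def encode_numeric_component(ctype, value):
    """One '== value' term with end-of-list set; value field is 1 or 2 bytes wide."""
    if value <= 0xFF:
        return bytes([ctype, OP_END | OP_EQ, value])
    if value <= 0xFFFF:
        return bytes([ctype, OP_END | OP_LEN2 | OP_EQ]) + value.to_bytes(2, "big")
    raise ValueError("values wider than 2 bytes are not handled in this example")

def encode_flowspec_nlri(dst_prefix, proto, dst_port):
    """Components go in ascending type order; the NLRI is prefixed by its length."""
    body = (encode_prefix_component(DEST_PREFIX, dst_prefix)
            + encode_numeric_component(IP_PROTO, proto)
            + encode_numeric_component(DEST_PORT, dst_port))
    if len(body) >= 240:
        raise ValueError("long NLRI needs the 2-byte length encoding")
    return bytes([len(body)]) + body

def traffic_rate_discard():
    """traffic-rate extended community (type 0x8006): AS 0, rate 0.0 means discard."""
    return struct.pack("!BBHf", 0x80, 0x06, 0, 0.0)

if __name__ == "__main__":
    # "UDP (protocol 17) to port 53 of 192.0.2.0/24, discard" as it travels in BGP
    print("NLRI  :", encode_flowspec_nlri("192.0.2.0/24", 17, 53).hex())
    print("action:", traffic_rate_discard().hex())
```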

3. Detection + Mitigation: How the System Works

To build an automated DDoS protection system, combine NetFlow for detection with BGP Flowspec for mitigation.

📊 Detection layer:

  • Export NetFlow from the routers
  • Analyze traffic patterns with a detection engine
  • Raise alerts when configured thresholds are crossed

🚫 Mitigation layer:

  • Detection engine creates Flowspec rules
  • Rules are sent via BGP to edge routers
  • Routers filter or drop malicious traffic at the edge

This lets the system respond within seconds of detection, conserving bandwidth and router CPU and reducing downtime.


4. Example Architecture

```
[Router1] ---- NetFlow ---> [Collector + Detection System] ---- BGP Flowspec ----> [Router1 + Router2]
[Router2] ---- NetFlow ---^
```

  • Routers export NetFlow data every 30 seconds
  • Collector runs traffic analytics (e.g. FastNetMon)
  • If attack is detected, BGP Flowspec rule is generated and pushed to routers
  • Routers block the bad traffic immediately
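As an added example (not part of the article), the following Python sketch ties the detection layer of section 3 to the mitigation layer in the architecture above: it aggregates constructed NetFlow-style records per destination, protocol and port, flags keys whose packet rate exceeds a hypothetical threshold, and emits the matching ExaBGP API "announce flow route" line that the mitigation layer would hand to ExaBGP. The flow records and the 50,000 pps threshold are assumptions; the 30-second export interval is the one used above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real telemetry): 5-tuple plus counters,
# as a collector would hand them to the detection engine.
# Fields: src, dst, proto, sport, dport, packets, bytes
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", 17, 40000, 53, 900_000, 57_600_000),
    ("198.51.100.8", "192.0.2.10", 17, 40001, 53, 850_000, 54_400_000),
    ("203.0.113.5",  "192.0.2.10", 6, 51000, 443, 1_200, 1_500_000),
    ("203.0.113.9",  "192.0.2.20", 6, 51001, 80, 3_000, 4_000_000),
]
EXPORT_INTERVAL_S = 30    # routers export every 30 seconds
PPS_THRESHOLD = 50_000    # hypothetical per-destination, per-(proto, port) limit
PROTO_NAMES = {6: "tcp", 17: "udp"}

def aggregate(flows):
    """Sum packets per (dst, proto, dport) so distributed sources add up."""
    totals = defaultdict(int)
    for _src, dst, proto, _sport, dport, pkts, _bytes in flows:
        totals[(dst, proto, dport)] += pkts
    return totals

def detect(flows, interval=EXPORT_INTERVAL_S, threshold=PPS_THRESHOLD):
    """Return (dst, proto, dport, pps) for every key whose rate exceeds the threshold."""
    hits = []
    for (dst, proto, dport), pkts in aggregate(flows).items():
        pps = pkts / interval
        if pps > threshold:
            hits.append((dst, proto, dport, pps))
    return hits

def exabgp_flowspec_rule(dst, proto, dport):
    """Build an ExaBGP API 'announce flow route' line for one attack key.
    Match the victim /32 plus protocol and port so unrelated traffic is untouched."""
    host = ipaddress.ip_address(dst)
    return (f"announce flow route {{ match {{ destination {host}/32; "
            f"protocol {PROTO_NAMES[proto]}; destination-port ={dport}; }} "
            f"then {{ discard; }} }}")

def mitigation_commands(flows):
    """Detection output turned into the lines the mitigation layer feeds to ExaBGP."""
    return [exabgp_flowspec_rule(d, p, port) for d, p, port, _pps in detect(flows)]

if __name__ == "__main__":
    for cmd in mitigation_commands(SAMPLE_FLOWS):
        print(cmd)
```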

5. Tools You Can Use

| Component        | Tool Examples                 |
|------------------|-------------------------------|
| Flow Collector   | nProbe, pmacct, SoftFlowd     |
| Detection Engine | FastNetMon, ntopng, Suricata  |
| Mitigation       | BGPd, GoBGP, ExaBGP           |
| Visualization    | Grafana, Kibana, ntopng       |

🔧 FastNetMon (Open Source)

One of the most popular DDoS detection tools. FastNetMon supports NetFlow/sFlow/IPFIX and has built-in integration with BGP Flowspec.

GitHub: https://github.com/pavel-odintsov/fastnetmon


6. MikroTik Configuration Example (Flowspec)

```
/routing/bgp/instance
add name=flowspec-asn instance=default as=65001

/routing/filter/flowspec
add chain=flowspec-out protocol=udp dst-port=53 action=discard

/routing/bgp/peer
add name=flowspec-peer remote-address=192.168.88.1 remote-as=65002 out-filter=flowspec-out
```

7. Cisco IOS-XR Example

```
router bgp 65001
 address-family ipv4 flowspec
 neighbor 10.10.10.1
  remote-as 65002
  address-family ipv4 flowspec
   send-extended-community-ebgp
! On IOS-XR a Flowspec rule is a traffic class-map bound to a PBR policy-map
class-map type traffic match-all DROP-HTTP-TO-VICTIM
 match destination-address ipv4 192.0.2.0 255.255.255.0
 match destination-port 80
 end-class-map
policy-map type pbr FLOWSPEC-POLICY
 class type traffic DROP-HTTP-TO-VICTIM
  drop
 end-policy-map
flowspec
 address-family ipv4
  service-policy type pbr FLOWSPEC-POLICY
```

8. Advantages of This Setup

Automatic: Detect and block without human intervention
Fast: Near real-time reaction
Scalable: Works across dozens of routers
Cost-effective: No need for external scrubbing centers
Extensible: Add more detection layers later (e.g. Suricata IDS)


9. Limitations and Considerations

  • BGP Flowspec requires proper hardware and vendor support
  • Misconfigured rules can lead to overblocking
  • NetFlow introduces some processing overhead
  • Detection engines need to be tuned to avoid false positives

Always test in a lab before production rollout.


Conclusion: Automate Your DDoS Defense

Combining NetFlow-based analytics with BGP Flowspec filtering gives you a powerful, automated defense system against DDoS attacks. It enables near real-time detection and mitigation across your infrastructure without costly manual intervention.

If you’re managing networks in 2025, this setup is no longer just “nice to have”—it’s essential.
