TNS
VOXPOP
Where are you using WebAssembly?
Wasm promises to let developers build once and run anywhere. Are you using it yet?
At work, for production apps
0%
At work, but not for production apps
0%
I don’t use WebAssembly but expect to when the technology matures
0%
I have no plans to use WebAssembly
0%
No plans and I get mad whenever I see the buzzword
0%
Operations / Security / Software Development

How a Popular Combo Provides DDoS Protection

Border Gateway Protocol and Generic Routing Encapsulation allow rerouting of traffic to scrubbing centers where harmful data is filtered out.
Nov 29th, 2023 8:12am by
Featued image for: How a Popular Combo Provides DDoS Protection

BGP (Border Gateway Protocol) and GRE (Generic Routing Encapsulation) are a popular combination for DDoS (distributed denial of service) protection as they allow rerouting of traffic to dedicated scrubbing centers where harmful data is filtered out, maintaining service while stopping the attack. Let me explain how they’re used to protect your servers from DDoS attacks.

Why Use BGP and GRE for DDoS Protection?

Although several DDoS protection techniques exist (such as reverse proxy, changing DNS records), the BGP-GRE pair is a favorite because it provides flexibility, routing accuracy and reliability. Let’s explore these advantages to understand why BGP-GRE is such a favorable combination.

Flexibility

GRE encapsulates all network protocols within the OSI (Open Systems Interconnection) model layer 3, including IPv4, IPv6, Internet Control Message Protocol (ICMP) with Address Resolution Protocol (ARP), Internet Protocol Security (IPSEC) and multiprotocol label switching (MPLS). Therefore, your organization can use the BGP-GRE pair regardless of your in-house protocol.

GRE brings two additional flexibility benefits. First, GRE tunnels can encapsulate unicast, anycast, broadcast and multicast traffic, meaning they can provide DDoS protection for diverse application types and use cases. Second, traffic forwarding can occur regardless of compatibility between client and provider routers.

Routing Accuracy

BGP routing is highly efficient at ensuring robust and stable packet delivery. BGP can also be configured so that traffic to your server is first routed through the scrubbing center before reaching your server(s).

Reliability

BGP and GRE’s reliability stems from their keep-alive mechanisms, which promptly detect failures and swiftly reroute traffic. This ensures minimal downtime and continuous data flow, enhancing network robustness against disruptions.

How to Use GRE and BGP to Enable DDoS Protection

Here’s a step-by-step explanation of how BGP and GRE facilitate DDoS protection.

1. GRE Tunnel Configuration

The first step is to configure a GRE tunnel interface through which packets can move. Then, configure routing between the two tunnel endpoints — client and scrubbing center routers — at each end of the tunnel interface. The scrubbing center is the centralized place where the service provider analyzes traffic and removes malicious traffic from the client’s website. The connection between the tunnel endpoints is verified by sending keep-alive messages to verify tunnel availability.

The GRE tunnel endpoints are the client network and the DDoS protection service’s scrubbing center

2. Route Advertisement

The client and service provider’s IP addresses are advertised in a BGP update message, which enables BGP to determine the available paths for traffic routing. The advert usually includes client and service-provider routing and network reachability information such as IP prefixes — IP address plus subnet mask.

Two processes then occur:

3. Traffic Scrubbing

This is where the magic happens: DDoS attacks are stopped via real-time traffic analysis. Traffic is rerouted to the scrubbing center, where the service provider analyzes it to differentiate malicious traffic from legitimate traffic. Malicious traffic is blocked; legitimate traffic is served without any perceptible latency.

DDoS attacks are stopped by the traffic scrubbing process.

4. Packet Encapsulation

Clean traffic is encapsulated in GRE packets so that GRE can send the traffic via the tunnel. A tunnel header (and sometimes also a trailer) is added to the original packet.

  • The actual data and its IP header information become the payload of the GRE packet.
  • The GRE header is always added to allow packet forwarding.
  • A trailer is added only when additional error-checking or data integrity features are required, such as cyclic redundancy check (CRC) fields. If these extra features aren’t needed, or the underlying transport network already provides sufficient error detection and correction mechanisms, a trailer isn’t used.

GRE packets add a header, and sometimes also a trailer, to the original data.

The header typically contains metadata, like the protocol type, and routing information, such as the source, destination and any other values required to facilitate packet delivery. Designating these details in the header ensures routers don’t need to access the encapsulated packets for routing details, keeping the original data secure.

5. Scrubbed Traffic Rerouting

Once the scrubbed traffic is encapsulated in GRE packets, it is sent to the client endpoint through the GRE tunnel.

6. Decapsulation and Packet Delivery

At the other end of the tunnel, packets are decapsulated. This involves discarding the GRE header and exposing the original packet. The decapsulated packet is sent to the client’s server, from which users receive the data they requested.

 Packet decapsulation discards the header and trailer from the payload.

Limitations of Using BGP-GRE for DDoS Protection

Using the BGP-GRE pair presents two challenges: increased packet size and extra BGP hops.

Increased Packet Size

The efficiency of a network is determined by evaluating the ratio of the actual data payload to the overhead incurred in its transmission. In GRE tunneling, the overhead is relatively high due to the addition of GRE packet headers. Although adding GRE headers bolsters packet security, the approach may affect network efficiency, increase latency or result in unnecessary packet fragmentation.

Extra headers due to GRE encapsulation

Increased packet size isn’t a problem when the original packet is very small. But if the original packet is large, adding extra packet headers means that the packet may exceed the standard maximum transfer unit (MTU) and maximum segment size (MSS) value, since the GRE header adds about 24 bytes of overhead to the data. This can cause packet fragmentation. Packet fragmentation splits data into smaller packets to comply with MTU and MSS limits, affecting throughput and increasing error chances. To mitigate this, path MTU discovery (PMTUD) can be used to determine the maximum MTU, then the limit can be adjusted accordingly to accommodate the GRE header, but this requires additional resources.

Extra Routing Hops

Routing through a cleaning center can add additional hops, making the routing less optimal. To resolve this, choose a service provider with scrubbing centers worldwide to ensure fewer hops for all users trying to access your page.

Conclusion

The BGP-GRE pair is an attractive option for DDoS protection, offering routing accuracy and traffic delivery reliability. It does come with limitations, but these can largely be mitigated.

With Gcore, the DDoS protection process is even more efficient: Gcore offers a potent DDoS protection service with a traffic-filtering capacity of over 1 terabyte per second, real-time statistics for transparent assessment of the traffic-scrubbing process and scrubbing centers located worldwide. Try Gcore’s DDoS Protection today with a free trial.

Group Created with Sketch.
TNS owner Insight Partners is an investor in: Enable.
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.