What is Border Gateway Protocol | BGP Routing vs. DNS Routing | Imperva

Border Gateway Protocol (BGP)


What is Border Gateway Protocol (BGP)

Border Gateway Protocol (BGP) is a set of rules and procedures that help an autonomous system (AS) exchange routing information over the internet. An AS is a network of computers run by an entity, e.g., a university or a large corporation, controlling a range of IP addresses.

Every AS manages a table containing all of its known routes to other networks, which is then propagated to neighboring networks (a.k.a., peers). The BGP decision-making mechanism analyzes the data and selects the best route for the next network hop.

BGP is the basis for the transfer of data between locations over the internet. It can also be used to manage routing within large networks, such as ISPs, layer 3 VPN services, IP telephony, large-scale web caching, or as a way to improve network stability.

BGP path selection process

BGP routers use a best path selection algorithm (the ordering described below is Cisco’s implementation) to determine the best route to an AS, which is then stored for future reference.

To determine the best path to an AS, the algorithm compares each valid path with all other paths in a routing table according to the following criteria:

  • Weight – A Cisco-defined attribute that is local to the router on which it was configured. Weight is higher by default for routes that originate at the router. If there are multiple paths to a given IP address, BGP chooses the route with the highest weight.
  • Local Preference – The preferred path for exiting the AS to reach a certain network. The default is 100, and paths with a higher local preference value are given priority. Routers within the same AS share the local preference attribute.
  • Locally Generated – Selects a path that originates locally via an aggregate or a network. The aggregation of network routes saves space in the routing table.
  • Shortest AS_Path – Selects an AS path for each route, which shows the number of AS hops to reach a given destination. This selection criterion chooses the shortest AS path, i.e., the path with the fewest hops.
  • Lowest Origin Type – Assigns higher preference to Exterior Gateway Protocol (EGP) vs. Interior Gateway Protocol (IGP).
  • Lowest Multi-Exit Discriminator (MED) – Tells other routers the preferred route for entry into an AS.
  • eBGP over iBGP – Assigns higher preference to external BGP over internal BGP used within an AS.
  • Lowest IGP Metric – Selects the path with the lowest Interior Gateway Protocol (IGP) metric for the next hop.
  • Multiple Paths – Indicates if multiple routes need to be installed in the routing table.
  • External Paths – Out of several external paths, selects the first received path.
  • Lowest Router ID – Selects the path to the external BGP router with the lowest router ID.
  • Minimum Cluster List – If more than one path has the same router ID, selects the path with minimum cluster list length.
  • Lowest Neighbor Address – Selects the path originating from the lowest neighbor address.
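The ordered comparison above is easiest to see as a sort key: each criterion becomes one component of a tuple, and the first component that differs between two candidate paths decides the winner. The following is an added example written for this page, not Imperva or Cisco code. The `Path` attributes, the sample routes (all in documentation address ranges) and the `deciding_step` helper are constructed here; the origin codes follow the standard BGP values (IGP = 0, EGP = 1, INCOMPLETE = 2, lowest preferred), and MED is compared across all paths, which is a simplification of the real rule that only compares MEDs from the same neighbouring AS.

```python
"""Model of the BGP best path selection order described on this page (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Standard BGP origin codes; the lowest code is preferred.
ORIGIN_CODE = {"igp": 0, "egp": 1, "incomplete": 2}

# One name per component of selection_key(), in the same order.
STEP_NAMES = [
    "highest weight", "highest local preference", "locally originated",
    "shortest AS_PATH", "lowest origin type", "lowest MED", "eBGP over iBGP",
    "lowest IGP metric", "lowest router ID", "shortest cluster list",
    "lowest neighbor address",
]


@dataclass(frozen=True)
class Path:
    """One candidate route to a prefix, with the attributes the selection process compares."""
    prefix: str
    next_hop: str
    as_path: tuple[int, ...]
    neighbor: str            # peer address the route was learned from
    router_id: str           # BGP router ID of the advertising peer
    weight: int = 0          # Cisco-local attribute; 0 for learned routes
    local_pref: int = 100    # default local preference
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    cluster_list_len: int = 0


def selection_key(p: Path) -> tuple:
    """Smaller tuple == more preferred path. Negated fields are 'highest wins' criteria."""
    return (
        -p.weight,
        -p.local_pref,
        0 if p.locally_originated else 1,
        len(p.as_path),
        ORIGIN_CODE[p.origin],
        p.med,
        0 if p.ebgp else 1,
        p.igp_metric,
        ipaddress.ip_address(p.router_id),
        p.cluster_list_len,
        ipaddress.ip_address(p.neighbor),
    )


def rank_paths(paths: list[Path]) -> list[Path]:
    """All candidate paths, best first."""
    return sorted(paths, key=selection_key)


def best_path(paths: list[Path]) -> Path:
    if not paths:
        raise ValueError("no candidate paths")
    return min(paths, key=selection_key)


def deciding_step(a: Path, b: Path) -> str:
    """Name of the first criterion on which the two paths differ."""
    for name, x, y in zip(STEP_NAMES, selection_key(a), selection_key(b)):
        if x != y:
            return name
    return "identical"


# Constructed sample: three routes to the same prefix learned from three peers.
VIA_PEER_A = Path("203.0.113.0/24", "192.0.2.1", (64500, 64510), "192.0.2.1", "192.0.2.1")
VIA_PEER_B = Path("203.0.113.0/24", "192.0.2.2", (64501,), "192.0.2.2", "192.0.2.2")
VIA_PEER_C = Path("203.0.113.0/24", "198.51.100.1", (64502, 64503, 64504),
                  "198.51.100.1", "198.51.100.1", local_pref=200)
SAMPLE_PATHS = [VIA_PEER_A, VIA_PEER_B, VIA_PEER_C]

if __name__ == "__main__":
    for p in rank_paths(SAMPLE_PATHS):
        print(p.neighbor, p.as_path, selection_key(p)[:4])
    winner = best_path(SAMPLE_PATHS)
    print("best via", winner.neighbor, "decided by:", deciding_step(winner, VIA_PEER_B))
```

In the sample, peer C has the longest AS path but still wins because local preference is compared before AS path length; between peers A and B, the shorter AS path decides. Checking which step decided a selection is useful when a route unexpectedly moves to another exit, since the attribute that changed is usually the one named.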

DDOS protection: BGP routing vs. DNS routing

DNS routing and BGP routing are two DDoS mitigation techniques that mitigation providers deploy in front of a target network to detect and redirect malicious traffic.

DNS routing

DNS rerouting involves a mitigation provider masking a target’s IP address as its own. As a result, inbound requests are sent to the mitigation provider, which inspects and filters out any malicious traffic.

A problem with DNS redirection, however, is that it can’t prevent direct-to-origin attacks on an IP address—it only functions at the application layer. This means that even if an IP is masked, it can still be discovered and targeted with malicious traffic.

BGP routing

BGP rerouting can mitigate direct-to-origin DDoS attacks by screening all incoming network traffic before it reaches its target. It functions at the network level by rerouting malicious network packets to security providers before they can reach DNS servers or other computing resources.

BGP routers can redirect high volumes of traffic to centralized data scrubbing centers used by a security provider. The scrubbing center analyzes traffic and filters out malicious DDoS attack traffic using deep packet inspection. It then allows healthy traffic to pass through to the AS.

The mitigation process for a BGP DDoS attack can be broken down as follows:

  • A BGP announcement is made by a security provider about an impending DDoS attack.
  • BGP rules are automatically altered—instead of routing traffic based on optimal paths, BGP reroutes all incoming traffic to the security provider.
  • The security provider filters out the malicious traffic and then uses a GRE tunnel to send clean traffic directly to the origin server.

A prerequisite to making a BGP announcement is having control over a Class C subnet (a /24)—a logical grouping of connected network devices. The subnet must have at least 256 IP addresses, meaning smaller company networks cannot typically benefit from BGP-enabled protection.
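The three mitigation steps and the /24 prerequisite can be modelled end to end: the announcement is only valid for a prefix of at least 256 addresses, and while it is in effect every packet for the prefix reaches the scrubbing center first, with clean traffic returned over a GRE tunnel. This is an added example for this page, not Imperva's code; `ProtectedPrefix`, `Packet`, the addresses and the `malicious` flag (which stands in for the scrubbing center's DPI verdict) are constructed here.

```python
"""Model of the BGP-based DDoS mitigation flow described on this page (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

MIN_ANNOUNCEABLE_ADDRESSES = 256   # the page's stated floor: a /24 ("Class C") block


def check_announceable(prefix: str) -> tuple[bool, str]:
    """Prerequisite check: the customer must control a /24 or larger IPv4 block."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"not a valid prefix: {exc}"
    if net.version != 4:
        return False, "only IPv4 prefixes are modelled here"
    if net.num_addresses < MIN_ANNOUNCEABLE_ADDRESSES:
        return False, (f"{net} has {net.num_addresses} addresses; "
                       f"at least {MIN_ANNOUNCEABLE_ADDRESSES} (a /24) are required")
    return True, f"{net} is a /{net.prefixlen} ({net.num_addresses} addresses)"


@dataclass
class Packet:
    src: str
    dst: str
    malicious: bool   # constructed label standing in for the scrubbing center's DPI verdict


@dataclass
class ProtectedPrefix:
    prefix: str
    origin_next_hop: str        # where traffic goes when no announcement is active
    scrubbing_center: str       # the provider's next hop once it announces the prefix
    gre_tunnel_endpoint: str    # provider -> origin tunnel carrying clean traffic
    under_mitigation: bool = False

    def start_mitigation(self) -> str:
        """Step 1 and 2: the provider announces the prefix and traffic is rerouted to it."""
        ok, reason = check_announceable(self.prefix)
        if not ok:
            raise ValueError(f"cannot announce {self.prefix}: {reason}")
        self.under_mitigation = True
        return reason

    def stop_mitigation(self) -> None:
        """Withdraw the announcement; traffic follows the normal path again."""
        self.under_mitigation = False

    def forward(self, pkt: Packet) -> list[str]:
        """Hops a packet takes. Step 3: clean traffic reaches the origin only via the GRE tunnel."""
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.prefix):
            return ["not-our-prefix"]
        if not self.under_mitigation:
            return [self.origin_next_hop]
        if pkt.malicious:
            return [self.scrubbing_center, "dropped"]
        return [self.scrubbing_center, f"gre:{self.gre_tunnel_endpoint}", self.origin_next_hop]


# Constructed sample: a protected /24 in a documentation range.
PROTECTED = ProtectedPrefix("203.0.113.0/24", "203.0.113.1", "198.51.100.10", "192.0.2.50")

if __name__ == "__main__":
    flood = Packet("198.18.0.7", "203.0.113.20", malicious=True)
    user = Packet("198.18.0.8", "203.0.113.20", malicious=False)
    print("normal:", PROTECTED.forward(user))
    print(PROTECTED.start_mitigation())
    print("attack traffic:", PROTECTED.forward(flood))
    print("clean traffic:", PROTECTED.forward(user))
    PROTECTED.stop_mitigation()
```

Note that `start_mitigation` refuses a /25 or smaller block outright, which is the practical meaning of the prerequisite: a provider cannot attract traffic for a prefix it would not be able to announce.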


Imperva and BGP-enabled DDoS protection

The Imperva Infrastructure Protection service provides network DDoS security by assigning an IP from our own IP range to a protected device. This means that all Incapsula users, regardless of whether they own a Class C subnet, can benefit from robust network layer protection.

Our dedicated multi-terabit scrubbing solutions use deep packet inspection (DPI) to identify and block malicious traffic, stopping even the biggest DDoS attacks.

[Figure: BGP-based DDoS mitigation – Imperva using BGP routing for DDoS mitigation]

Infrastructure Protection can be deployed to defend important computing resources, including:

  • Assets hosted in public cloud environments such as Google Cloud, AWS and Azure.
  • Entire class C subnets.
  • Individual origin servers (e.g., gaming servers) and private cloud environments.

Infrastructure Protection is available as an always-on service or as an on-demand solution, with either manual or automatic switchover.

The solution is flexible enough to support any type of service, including TCP, UDP, SMTP, FTP, SSH, VoIP and proprietary or custom protocols.