 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
BGP (Border Gateway Protocol) and GRE (Generic Routing Encapsulation) are a popular combination for DDoS (distributed denial of service) protection as they allow rerouting of traffic to dedicated scrubbing centers where harmful data is filtered out, maintaining service while stopping the attack. Let me explain how they’re used to protect your servers from DDoS attacks.
Although several DDoS protection techniques exist (such as reverse proxy, changing DNS records), the BGP-GRE pair is a favorite because it provides flexibility, routing accuracy and reliability. Let’s explore these advantages to understand why BGP-GRE is such a favorable combination.
GRE encapsulates all network protocols within the OSI (Open Systems Interconnection) model layer 3, including IPv4, IPv6, Internet Control Message Protocol (ICMP) with Address Resolution Protocol (ARP), Internet Protocol Security (IPSEC) and multiprotocol label switching (MPLS). Therefore, your organization can use the BGP-GRE pair regardless of your in-house protocol.
GRE brings two additional flexibility benefits. First, GRE tunnels can encapsulate unicast, anycast, broadcast and multicast traffic, meaning they can provide DDoS protection for diverse application types and use cases. Second, traffic forwarding can occur regardless of compatibility between client and provider routers.
BGP routing is highly efficient at ensuring robust and stable packet delivery. BGP can also be configured so that traffic to your server is first routed through the scrubbing center before reaching your server(s).
BGP and GRE’s reliability stems from their keep-alive mechanisms, which promptly detect failures and swiftly reroute traffic. This ensures minimal downtime and continuous data flow, enhancing network robustness against disruptions.
Here’s a step-by-step explanation of how BGP and GRE facilitate DDoS protection.
The first step is to configure a GRE tunnel interface through which packets can move. Then, configure routing between the two tunnel endpoints — client and scrubbing center routers — at each end of the tunnel interface. The scrubbing center is the centralized place where the service provider analyzes traffic and removes malicious traffic from the client’s website. The connection between the tunnel endpoints is verified by sending keep-alive messages to verify tunnel availability.
👁 The GRE tunnel endpoints are the client network and the DDoS protection service’s scrubbing center
The client and service provider’s IP addresses are advertised in a BGP update message, which enables BGP to determine the available paths for traffic routing. The advert usually includes client and service-provider routing and network reachability information such as IP prefixes — IP address plus subnet mask.
Two processes then occur:
This is where the magic happens: DDoS attacks are stopped via real-time traffic analysis. Traffic is rerouted to the scrubbing center, where the service provider analyzes it to differentiate malicious traffic from legitimate traffic. Malicious traffic is blocked; legitimate traffic is served without any perceptible latency.
👁 DDoS attacks are stopped by the traffic scrubbing process.
Clean traffic is encapsulated in GRE packets so that GRE can send the traffic via the tunnel. A tunnel header (and sometimes also a trailer) is added to the original packet.
👁 GRE packets add a header, and sometimes also a trailer, to the original data.
The header typically contains metadata, like the protocol type, and routing information, such as the source, destination and any other values required to facilitate packet delivery. Designating these details in the header ensures routers don’t need to access the encapsulated packets for routing details, keeping the original data secure.
Once the scrubbed traffic is encapsulated in GRE packets, it is sent to the client endpoint through the GRE tunnel.
At the other end of the tunnel, packets are decapsulated. This involves discarding the GRE header and exposing the original packet. The decapsulated packet is sent to the client’s server, from which users receive the data they requested.
👁 Packet decapsulation discards the header and trailer from the payload.
Using the BGP-GRE pair presents two challenges: increased packet size and extra BGP hops.
The efficiency of a network is determined by evaluating the ratio of the actual data payload to the overhead incurred in its transmission. In GRE tunneling, the overhead is relatively high due to the addition of GRE packet headers. Although adding GRE headers bolsters packet security, the approach may affect network efficiency, increase latency or result in unnecessary packet fragmentation.
👁 Extra headers due to GRE encapsulation
Increased packet size isn’t a problem when the original packet is very small. But if the original packet is large, adding extra packet headers means that the packet may exceed the standard maximum transfer unit (MTU) and maximum segment size (MSS) value, since the GRE header adds about 24 bytes of overhead to the data. This can cause packet fragmentation. Packet fragmentation splits data into smaller packets to comply with MTU and MSS limits, affecting throughput and increasing error chances. To mitigate this, path MTU discovery (PMTUD) can be used to determine the maximum MTU, then the limit can be adjusted accordingly to accommodate the GRE header, but this requires additional resources.
Routing through a cleaning center can add additional hops, making the routing less optimal. To resolve this, choose a service provider with scrubbing centers worldwide to ensure fewer hops for all users trying to access your page.
The BGP-GRE pair is an attractive option for DDoS protection, offering routing accuracy and traffic delivery reliability. It does come with limitations, but these can largely be mitigated.
With Gcore, the DDoS protection process is even more efficient: Gcore offers a potent DDoS protection service with a traffic-filtering capacity of over 1 terabyte per second, real-time statistics for transparent assessment of the traffic-scrubbing process and scrubbing centers located worldwide. Try Gcore’s DDoS Protection today with a free trial.
