Home M3AAWG Blog Key Flowspec Standards for Today’s Digitally Reliant World

By Rich Compton, DDoS Special Interest Group Chair, M3AAWG

As schools ramp up virtual teaching and companies continue working remotely, maintaining our digital connections and keeping websites up and running is more crucial than ever before. But we’re seeing a sharp increase in Distributed Denial of Service (DDoS) attacks in 2020: there were almost double the amount of attacks in the first quarter of 2020 compared to Q4 2019. This is part of a continuous upward trajectory over 30 years. 

DDoS attacks are used by cybercriminals to shut down targets ranging from a single website to an entire network. These attacks can originate from a network that allows sending spoofed traffic to amplifiers then routing this boosted traffic to the victim, as well as from a botnet under the control of an attacker.

In turn, to mitigate these attacks, service providers and network administrators need to be acutely aware of today’s key practices, including Flow Specification (Flowspec) standards. Flowspec is used to apply specific actions on network traffic defined by various filters, and was a practice initially developed to help mitigate DDoS attacks. It allows administrators to adjust entire networks to react to attacks in mere seconds.

For companies that are currently using Flowspec or are looking towards implementation, these standards should reduce or entirely prevent outages. The Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) developed a best practices guide for Flowspec rules (click here to read and download)

The full guide contains a list of ways to limit issues that could occur with Flowspec, including:

  • Tagging Flowspec rules to specific BGP communities.
  • Using route policies to validate the source or destination prefix defined in a received Flowspec rule.
  • Configuring the maximum prefix setting on the BGP session with the peer that is advertising the Flowspec rules.
  • … and more.

These best practices will help our ecosystem effectively address an increasing surge in DDoS attacks and keep our websites and services running. 


The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.