The FlowSpec service provides flexible filtration at the level of attack profiles and types of traffic.

IX network uses the BGP FlowSpec (RFC5575) as an additional security measure against DDoS attacks. It filters out the traffic of the protocols and/or types of packets that are not used in the client’s network but can be used for a DDoS attack.

The traffic listed in the BGP FlowSpec rules is filtered out, while the remaining traffic will not be affected. The BGP FlowSpec rules are created by the client, and the filtration is turned on only when MSK-IX receives a notification from the client.

FlowSpec can filter traffic in accordance with the following criteria: the sourceIP-address, the destination IP-address, IP protocol, transport protocol, the source ports and the destination ports, allowed (prohibited) commands, allowed (prohibited) application layer protocols, the packet length.

To begin filtering traffic, the IX participants need to announce their unicast routing or a more specific routing towards MSK-IX with their own Next-Hop attribute and the necessary flow rule.

The traffic is filtered in accordance with the flow rule and is redirected towards the client along the received unicast routing.