July 11, 2026 · 6 minutes read

BGP FlowSpec filters DDoS traffic at line rate by pushing granular match-and-drop rules straight to your routers. Here's how it works, vendor support, and its limits.

BGP FlowSpec is a BGP extension (RFC 8955 for IPv4, RFC 8956 for IPv6) that distributes granular traffic-filtering rules across a network, so routers drop or rate-limit malicious flows at line rate on the forwarding plane. Instead of black-holing an entire destination, FlowSpec matches specific traffic — by source, destination, protocol, port, packet length or TCP flags — and acts only on that, keeping the service online during a DDoS attack.

Key takeaways
– FlowSpec = surgical DDoS filtering: match a 5-tuple, then drop or rate-limit only that traffic.
– Standardized in RFC 8955 (IPv4) and RFC 8956 (IPv6), which obsoleted the original RFC 5575.
– Rules ride MP-BGP and convert into hardware firewall filters — mitigation in seconds, network-wide.
– Supported by Juniper, Cisco, Arista and Nokia platforms.
– Its limit: some randomized or adaptive floods can’t be expressed as a compact rule — that’s when RTBH takes over.


What is BGP FlowSpec?

BGP FlowSpec (Flow Specification) is an extension to the Border Gateway Protocol that lets a network distribute traffic-filtering rules the same way it distributes routes. Defined in RFC 8955 (Dec 2020) for IPv4 and RFC 8956 for IPv6, it encodes a match (the flow specification) plus an action (discard, rate-limit, redirect, or mark) into a BGP NLRI, so one advertisement can program filters across every participating router at once.

RFC 8955 obsoleted the original RFC 5575 — a detail that matters, because much of the FlowSpec content online still cites the outdated RFC. If you’re documenting or configuring FlowSpec today, reference RFC 8955 and RFC 8956.

How BGP FlowSpec works

FlowSpec turns a BGP update into a firewall rule. A controller (or a router) originates a flow route describing the malicious traffic; MP-BGP propagates it intra- and inter-AS; and each receiving router auto-converts the flow route into a hardware firewall filter and installs it on the forwarding plane. On Junos, for example, flow routes become firewall filters for IPv4 and VPNv4 that both match and rate-limit at line rate.

A flow specification can match on multiple components at once, including:

  • Source and destination prefix
  • IP protocol (TCP, UDP, ICMP…)
  • Source and destination port
  • Packet length, DSCP, fragment bits, and TCP flags

The paired action is typically traffic-rate (drop = rate 0, or a byte/second policer), redirect to a scrubbing VRF, or mark (DSCP). Because the filter runs in hardware, enforcement happens at line rate with no added latency to clean traffic.

BGP FlowSpec vs RTBH

FlowSpec and RTBH solve the same problem — stopping a flood at the edge — but at opposite levels of precision. RTBH (Remotely Triggered Black Hole) drops all traffic to a targeted IP; it sacrifices one address to save the network. FlowSpec drops only the attack traffic and keeps the target online. FlowSpec is the surgical scalpel; RTBH is the blunt-but-reliable fallback for when a flood is too large or too random to characterize. A well-run edge uses FlowSpec first and RTBH only as a last resort.

Which vendors support BGP FlowSpec

FlowSpec is broadly supported across carrier-grade platforms, including Juniper (Junos), Cisco (IOS XR), Arista (EOS) and Nokia (SR OS). Support and scale vary by platform and line card — particularly the maximum number of installable flow rules and which match/action components are implemented — so the practical filter count and feature set depend on your hardware. ITORO’s Juniper MX filtering gateway is built around Junos FlowSpec for exactly this reason: predictable, line-rate enforcement on MX hardware.

Limitations of BGP FlowSpec

FlowSpec is powerful but not unlimited, and it’s worth being honest about where it stops:

  • Rule/TCAM scale. Each flow rule consumes hardware filter space; platforms cap how many you can install, so a very high number of distinct attack signatures can exhaust the table.
  • Validation and safety. FlowSpec includes a validation procedure (and inter-AS deployments need careful trust boundaries) to prevent a bad or hijacked rule from black-holing legitimate traffic network-wide.
  • Un-expressible attacks. FlowSpec can only block what a rule can describe. Randomized-source or randomized-port floods, and adaptive attacks, resist compact rules — you can’t enumerate millions of spoofed sources. These are the cases where RTBH or upstream scrubbing takes over.

Knowing these limits is the difference between a filtering strategy that holds under a real attack and one that doesn’t.

BGP FlowSpec for automated DDoS mitigation

Manually writing FlowSpec rules during a live attack is too slow — floods saturate uplinks in tens of seconds. In production, FlowSpec is driven by a detection system that recognizes the attack and generates the rule automatically. That’s how WanGuard anti-DDoS works: it detects the attack in seconds (sub-5-second with DPDK port-mirror), builds the matching FlowSpec rule, and pushes it to your routers — dropping the malicious flows at line rate while your customers stay online, and falling back to RTBH only if the flood exceeds what filtering can hold.

ITORO installs and tunes this end to end for ISPs, telecoms and data centers; see Plans & Pricing for an itemized estimate.

Frequently asked questions

What is BGP FlowSpec used for?

BGP FlowSpec is used to distribute traffic-filtering rules across a network so routers drop or rate-limit specific flows at line rate — most commonly to mitigate DDoS attacks surgically, without black-holing an entire destination. It can also redirect traffic to a scrubbing path or re-mark it.

Which RFC defines BGP FlowSpec?

RFC 8955 (December 2020) defines BGP FlowSpec for IPv4 and obsoletes the original RFC 5575. RFC 8956 extends FlowSpec to IPv6. When documenting or configuring FlowSpec today, cite RFC 8955 and RFC 8956 rather than the outdated RFC 5575.

What’s the difference between BGP FlowSpec and RTBH?

FlowSpec drops or rate-limits only the malicious traffic, keeping the targeted service online. RTBH black-holes all traffic to the targeted IP address. FlowSpec is surgical and used first; RTBH is a blunt last resort for attacks too large or too randomized to filter granularly.

Can BGP FlowSpec stop every DDoS attack?

No. FlowSpec can only block traffic a rule can describe, and hardware limits how many rules a router holds. Randomized-source or randomized-port floods resist compact rules, and volume beyond your uplink capacity can’t be filtered locally — those cases fall back to RTBH or an upstream scrubbing center.

Which routers support BGP FlowSpec?

Carrier-grade platforms from Juniper (Junos), Cisco (IOS XR), Arista (EOS) and Nokia (SR OS) support FlowSpec, though the maximum rule count and the exact match/action components implemented vary by platform and line card.


Sources
– IETF — RFC 8955, Dissemination of Flow Specification Rules (IPv4): https://www.rfc-editor.org/info/rfc8955/
– IETF — RFC 8956, Dissemination of Flow Specification Rules for IPv6: https://datatracker.ietf.org/doc/rfc8956/
– Juniper Networks — BGP Flow-Specification (Junos) documentation & “Day One: Deploying BGP Flowspec”: https://www.juniper.net/documentation/en_US/day-one-books/DO_BGP_FLowspec.pdf
– NANOG 63 — “DDoS Mitigation Using BGP Flowspec” (Ryburn): https://archive.nanog.org/sites/default/files/tuesday_general_ddos_ryburn_63.16.pdf