FlowSpec - KnowledgeBase
Service Overview
Inter.link provides a fully managed DDoS mitigation service which automatically detects attacks against the customer, redirects the attack traffic through Inter.link’s attack filters, filters out the attack traffic, and then forwards on the genuine traffic to the customer.
FlowSpec is Inter.link’s alternative which enables customers to self-manage DDoS mitigation on their network.
FlowSpec (RFC8955 & RFC8956) is an add-on to Inter.link’s IP Transit service which allows a customer to automatically send messages from their network to the Inter.link network. These messages tell the Inter.link network to drop or rate limit certain traffic which is destined for the customer's network. This allows the customer to self-operate a basic DDoS protection service.
With FlowSpec, the customer must monitor their own traffic and look for attacks, then their network must signal the Inter.link network to drop the attack traffic before it reaches the customer.
Benefits
- The customer takes responsibility for the traffic filtering rules applied to their traffic (when compared to a hosted/managed DDoS protection service).
- The customer can coordinate filtering across all their upstream carriers (if they all support FlowSpec) to have more effective traffic filtering.
- The cost can be lower (when compared to a managed DDoS protection service).
Supported Features
- All features in RFC8955 and RFC8956 are supported apart from any exceptions listed in the Technical Limitations section below.
- Inter.link supports Flowspec rules with either the drop or rate limitation action attached, or no action (“accept”).
Technical Limitations
The following list records the limitations of the FlowSpec service:
The following are known the filtering limitations for the Inter.link network:- All matching components described in RFC8955 are supported except for the following known caveats:
- For fragment flags, only the Is a fragment (IsF) bit is supported, and this is only supported for IPv4 packets. Combining source/dest ports and the Fragment flags in the same rule is not supported.
- All matching components described in RFC8956 are supported except for the following known caveats:
- Matching on IPv6 packet length or IPv6 flow label fields is not supported.
- It is not possible to match IPv6 fragments.
Billing for FlowSpec
The packages available for the service are listed in the table below.
FlowSpec is billed at a flat monthly rate regardless of how much traffic is filtered by the rules and regardless of whether the customer uses all or none of their allowed rule limit each month. It is a simple flat rate per month add-on.
Each package provides an increasing number of FlowSpec rules the customer can have simultaneously active with Inter.link at any one point in time. The customer must use those to mitigate attack traffic in attack scenarios. FlowSpec must not be used as a permanent filter mechanism. The minimum commit to book a FlowSpec package is 10 Gbps aggregated per customer.
| Package | Number of Rules | MRC | NRC |
| Small | 10 | 500 EUR | 1000 EUR |
| Medium | 25 | 750 EUR | 1000 EUR |
| Large | 50 | 1500 EUR | 1000 EUR |
Because FlowSpec has to be enabled on all IP Transit services, the customer has with Inter.link, the price of the chosen FlowSpec package is a total monthly charge. This means, for example, the customer will not pay 3x the monthly price of the medium package if they have 3x IP-Transit services with Inter.link.
How to Order
The FlowSpec is currently not available from the Inter.link portal and is available on special request only.
If you are interested in utilising FlowSpec for your network, please email sales@inter.link and a member of Inter.link’s team will be in touch to set this up for you.