
C2b-1: FlowSpec auto-mitigation core #87

Merged: vxfemboy merged 9 commits into main from sp-c-m2b1-flowspec-core on Jul 3, 2026

Conversation

@vxfemboy vxfemboy (Member) commented Jul 3, 2026

Closes #86. First increment of C2b — turns a detection into the right mitigation automatically, building on C2a's FlowSpec codec.

What lands

  • Pure concentration-based selection (blackwall-flow::select): from a detection's proto + top_ports, when a small set of flows (≤ max_flows) carries ≥ concentration of the attack → FlowSpec drop rules (drop UDP dport 53 → victim/32, victim's other services stay up); otherwise (diffuse, no ports, no proto) → RTBH whole-IP blackhole. Fully unit-tested incl. the single-100%-port and cap-break boundaries.
  • FlowSpecController + FlowSpecManager (blackwall-rtbh): the FlowSpec analogues of the shipped RTBH controller/manager, reusing every invariant — eligibility (own-prefix only), concurrent-rule cap, hold-down + deferred-withdraw + TTL, per-entry origin (Manual never auto-cleared), single-owner task, mirror self-heal (journal-failure keeps the rule live; BGP-failure never journals a phantom). The BgpExecutor trait gains announce_flowspec/withdraw_flowspec; both managers share one iBGP session.
  • SelectorSink: routes each Opened to the chosen manager, broadcasts Updated/Cleared to both (idempotent).
  • flowspec-auto-bird lab gate: a concentrated synthetic detection auto-installs a FlowSpec rule in real BIRD2's flow4tab (full match dst 203.0.113.7/32; proto 17; dport 53); a diffuse one auto-installs an RTBH /32 blackhole (community 65535:666) — both auto-mitigation paths proven end to end via the real select().

Verification

  • cargo fmt --all --check, cargo clippy --workspace --all-targets -- --deny warnings, cargo doc all clean.
  • DATABASE_URL=… cargo test --workspace green; bash scripts/coverage.sh exit 0 at 95.25% (flowspec_controller 99.30%, flowspec_manager 97.66%).
  • flowspec-auto-bird gate passes 3× stably against BIRD 2.17.1 (both paths).
  • Final whole-branch review (opus): SHIP — selection boundary correct, all RTBH invariants preserved, the broadcast seam can't create a phantom, no drift to the unicast RTBH path.

Deferred to C2b-2 (follow-on)

Postgres persistence (0005 flowspec tables + Store + FlowSpecJournal impl), the flowspec config directive, the blackwalld flowspec operator CLI, and the daemon flow wiring of both managers + restart/reconcile.

🤖 Generated with Claude Code
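The concentration-based selection from the first bullet, as an added Rust sketch that is not the blackwall-flow::select implementation: the Detection shape, the threshold walk (heaviest ports first, capped at max_flows, FlowSpec only once the covered share reaches concentration, RTBH otherwise) and the flow4 rendering helper are assumptions made for this example.

```rust
use std::net::Ipv4Addr;

/// Attack detection summary: victim, IP protocol (if known) and the top
/// destination ports with each port's share of attack traffic in [0, 1].
/// Constructed shape for this example; the field names are assumptions.
pub struct Detection {
    pub victim: Ipv4Addr,
    pub proto: Option<u8>,
    pub top_ports: Vec<(u16, f64)>,
}

/// The mitigation chosen for a detection.
#[derive(Debug, PartialEq)]
pub enum Mitigation {
    /// Drop only (proto, dport) flows toward victim/32; other services stay up.
    FlowSpec { victim: Ipv4Addr, rules: Vec<(u8, u16)> },
    /// Diffuse attack: blackhole the whole victim /32 via RTBH.
    Rtbh { victim: Ipv4Addr },
}

/// Concentration-based selection: if at most `max_flows` of the heaviest
/// ports together carry at least `concentration` of the attack, emit one
/// FlowSpec drop rule per port; otherwise fall back to an RTBH blackhole.
pub fn select(d: &Detection, max_flows: usize, concentration: f64) -> Mitigation {
    let rtbh = Mitigation::Rtbh { victim: d.victim };
    // No protocol or no port information: nothing narrow enough to match on.
    let Some(proto) = d.proto else { return rtbh };
    if d.top_ports.is_empty() || max_flows == 0 {
        return rtbh;
    }
    // Walk ports from heaviest to lightest, never exceeding the rule cap.
    let mut ports = d.top_ports.clone();
    ports.sort_by(|a, b| b.1.total_cmp(&a.1));
    let mut covered = 0.0;
    let mut rules = Vec::new();
    for (port, share) in ports.into_iter().take(max_flows) {
        covered += share;
        rules.push((proto, port));
        if covered >= concentration {
            return Mitigation::FlowSpec { victim: d.victim, rules };
        }
    }
    // Cap reached without hitting the threshold: the attack is too diffuse.
    rtbh
}

/// Render one rule in a BIRD2-style flow4 form (assumed format, for display).
pub fn bird_flow4(victim: Ipv4Addr, proto: u8, dport: u16) -> String {
    format!("flow4 {{ dst {victim}/32; proto {proto}; dport {dport}; }}")
}
```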

vxfemboy added 9 commits July 3, 2026 10:36
…wrapper (#88)

Apply the #88 CI-flake fix to the C2b-1 gate added on this branch: the
flowspec-auto scenario now runs the pre-built
`target/debug/lab-tests/blackwall-rtbh-flowspec_auto_interop` binary instead of
`cargo test` in the netns, and its CI gate uses the same bounded
`sudo timeout` + file-redirect wrapper as every other gate. build-lab-tests.sh
already picks up the flowspec_auto_interop driver when present.
@vxfemboy vxfemboy force-pushed the sp-c-m2b1-flowspec-core branch from 146ad59 to 04b29a0 Compare July 3, 2026 14:37
@vxfemboy vxfemboy merged commit e4062ea into main Jul 3, 2026
2 checks passed
@vxfemboy vxfemboy deleted the sp-c-m2b1-flowspec-core branch July 3, 2026 14:44
@github-project-automation github-project-automation Bot moved this from Backlog to Done in blackwall Jul 3, 2026

Development

Successfully merging this pull request may close these issues.

C2b-1: FlowSpec auto-mitigation core (selection + controller + manager + gate)

1 participant