C2b-1: FlowSpec auto-mitigation core #87
…c + RTBH vs real BIRD
…wrapper (#88) Apply the #88 CI-flake fix to the C2b-1 gate added on this branch: the flowspec-auto scenario now runs the pre-built `target/debug/lab-tests/blackwall-rtbh-flowspec_auto_interop` binary instead of `cargo test` in the netns, and its CI gate uses the same bounded `sudo timeout` + file-redirect wrapper as every other gate. build-lab-tests.sh already picks up the flowspec_auto_interop driver when present.
146ad59 to
04b29a0
Closes #86. First increment of C2b — turns a detection into the right mitigation automatically, building on C2a's FlowSpec codec.
What lands
- `blackwall-flow::select`: from a detection's `proto` + `top_ports`, when a small set of flows (≤ `max_flows`) carries ≥ `concentration` of the attack → FlowSpec drop rules (drop UDP dport 53 → victim/32, victim's other services stay up); otherwise (diffuse, no ports, no proto) → RTBH whole-IP blackhole. Fully unit-tested incl. the single-100%-port and cap-break boundaries.
- `FlowSpecController` + `FlowSpecManager` (`blackwall-rtbh`): the FlowSpec analogues of the shipped RTBH controller/manager, reusing every invariant — eligibility (own-prefix only), concurrent-rule cap, hold-down + deferred-withdraw + TTL, per-entry origin (Manual never auto-cleared), single-owner task, mirror self-heal (journal-failure keeps the rule live; BGP-failure never journals a phantom). The `BgpExecutor` trait gains `announce_flowspec`/`withdraw_flowspec`; both managers share one iBGP session.
- `SelectorSink`: routes each `Opened` to the chosen manager, broadcasts `Updated`/`Cleared` to both (idempotent).
- `flowspec-auto-bird` lab gate: a concentrated synthetic detection auto-installs a FlowSpec rule in real BIRD2's `flow4tab` (full match `dst 203.0.113.7/32; proto 17; dport 53`); a diffuse one auto-installs an RTBH `/32` blackhole (community `65535:666`) — both auto-mitigation paths proven end to end via the real `select()`.

Verification

- `cargo fmt --all --check`, `cargo clippy --workspace --all-targets -- --deny warnings`, `cargo doc` all clean.
- `DATABASE_URL=… cargo test --workspace` green; `bash scripts/coverage.sh` exit 0 at 95.25% (flowspec_controller 99.30%, flowspec_manager 97.66%).
- `flowspec-auto-bird` gate passes 3× stably against BIRD 2.17.1 (both paths).

Deferred to C2b-2 (follow-on)

Postgres persistence (0005 flowspec tables + Store + `FlowSpecJournal` impl), the `flowspec` config directive, the `blackwalld flowspec` operator CLI, and the daemon `flow` wiring of both managers + restart/reconcile.

🤖 Generated with Claude Code
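An added illustration of the selection policy the description lays out (a few top ports carrying enough of the attack → per-port FlowSpec drops, anything diffuse or unclassified → RTBH), written for this page and not taken from blackwall; the `Detection`/`Mitigation` types, the `select_mitigation` name and the share-per-port representation are assumptions.

```rust
use std::net::Ipv4Addr;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Proto { Udp = 17, Tcp = 6 }

/// What the selector sees (assumed shape): the victim, the transport protocol
/// if the detector classified one, and the busiest destination ports with the
/// share (0.0..=1.0) of attack volume each one carries.
pub struct Detection {
    pub victim: Ipv4Addr,
    pub proto: Option<Proto>,
    pub top_ports: Vec<(u16, f64)>,
}

#[derive(Debug, PartialEq)]
pub enum Mitigation {
    /// One drop rule per (victim/32, proto, dport); other services stay up.
    FlowSpec { victim: Ipv4Addr, proto: Proto, dports: Vec<u16> },
    /// Whole-IP blackhole: everything destined to victim/32 is dropped.
    Rtbh { victim: Ipv4Addr },
}

/// FlowSpec only when at most `max_flows` ports together carry at least
/// `concentration` of the attack; every other case falls back to RTBH,
/// because a rule set that misses most of the traffic mitigates nothing.
pub fn select_mitigation(d: &Detection, max_flows: usize, concentration: f64) -> Mitigation {
    let rtbh = Mitigation::Rtbh { victim: d.victim };
    // No protocol or no port breakdown: nothing precise enough to match on.
    let Some(proto) = d.proto else { return rtbh };
    if d.top_ports.is_empty() || max_flows == 0 { return rtbh; }
    // Rank ports by share so the cap is spent on the heaviest ones first.
    let mut ranked = d.top_ports.clone();
    ranked.sort_by(|a, b| b.1.partial_cmp(&a.1).unwrap_or(std::cmp::Ordering::Equal));
    let mut covered = 0.0;
    let mut dports = Vec::new();
    for &(port, share) in ranked.iter().take(max_flows) {
        dports.push(port);
        covered += share;
        if covered >= concentration {
            return Mitigation::FlowSpec { victim: d.victim, proto, dports };
        }
    }
    // Cap reached before the threshold (cap-break): too diffuse, blackhole.
    rtbh
}
```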