Blackholing

Home > Services > Blackholing

Contact us

Drop us a message.

Download SGIX
Fact Sheet
from here

Download Now

blackhole-831x230-warp-2

About Blackholing Service

To mitigate DDoS attack, SGIX provide a blackhole next-hop address for both IPv4 and IPv6 address-families. These next-hop addresses will resolves (via ARP/ND) to a predefined blackhole MAC address (de:ad:be:ef:66:66), which will be dropped by our switch port ingress filter where members are directly connected and thereby preventing DDoS traffic from reaching its destination. SGIX blackholing (BH) service is available on our Route Servers (RS) and members are encouraged to participate.

Below table contain SGIX blackhole next-hop address and BGP BLACKHOLE community information.

IPv4 Address 103.16.102.6
IPv6 Global Address 2001:DE8:12:100::6
IPv6 Link-Local Address FE80::DEAD:BEEF:6666:6666
MAC Address de:ad:be:ef:66:66
BLACKHOLE Community (RFC7999) 65535:666

Blackholing via Route Server (RS)

Below are guideline and restrictions when using blackholing service via RS:

  • To participate in SGIX blackholing service, members MUST allow IP v4v6 prefixes marked with BLACKHOLE community (65535:666) through their inbound filter. This blackholing inbound filter should be place above any existing inbound policies that you have to ensure it will not be bypass.
# Create BLACKHOLE community (RFC7999)
ip community-list standard BLACKHOLE-COMM permit 65535:666

# IPv4 Inbound policy snippet
route-map SGIX-IPv4-IN permit 10  # create new blackhole policy
  match community BLACKHOLE-COMM  # match BLACKHOLE community
route-map SGIX-IPv4-IN permit 20  # existing inbound policy
  <existing inbound policies>     # existing match statement

# IPv6 Inbound policy snippet
route-map SGIX-IPv6-IN permit 10  # create new blackhole policy
  match community BLACKHOLE-COMM  # match BLACKHOLE community
route-map SGIX-IPv6-IN permit 20  # existing inbound policy
  <existing inbound policies>     # existing match statement

# BGP Inbound Policy snippet
router bgp <your_ASN>
....
  address-family ipv4
    neighbor 103.16.102.12 route-map SGIX-IPv4-IN in  # RS1 IPv4 inbound policies
    neighbor 103.16.102.13 route-map SGIX-IPv4-IN in  # RS2 IPv4 inbound policies
  exit-address-family
....
  address-family ipv6
    neighbor 2001:DE8:12:100::12 route-map SGIX-IPv6-IN in  # RS1 IPv6 inbound policies
    neighbor 2001:DE8:12:100::13 route-map SGIX-IPv6-IN in  # RS2 IPv6 inbound policies
  exit-address-family

 

  • To ensure member’s inbound filter are configured correctly, SGIX provide a permanent test IP v4v6 blackhole prefixes. Member will need to verify they can receive this test prefix with correct next-hop address and BGP communities in their routing table.
Test IP v4v6 Blackhole Prefix next-hop address BGP Communities
202.3.78.3/32 103.16.102.6 65535:666 no-export
2001:df0:214::3/128 2001:DE8:12:100::6 (Global)
FE80::DEAD:BEEF:6666:6666 (Link-Local)		 65535:666 no-export
  • To signal an IP prefix for blackholing, marked the prefix with BLACKHOLE community (65535:666) before advertising to RS. RS will automatically rewrite this prefix’s next-hop address to SGIX blackhole next-hop address and append the NO_EXPORT community before announcing to the rest of RS clients.
# Create IP v4v6 static route for victim address
ip route X.X.X.X 255.255.255.255 <IPv4-next-hop-to-victim-address>
ipv6 route Y:Y:Y:Y::Y/128 <IPv6-next-hop-to-victim-address>

# Create IP v4v6 blackhole prefix-list for matching later
ip prefix-list RTBH-IPv4-LIST seq 5 permit X.X.X.X/32
ipv6 prefix-list RTBH-IPv6-LIST seq 5 permit Y:Y:Y:Y::Y/128

# IPv4 outbound policy snippet
route-map SGIX-IPv4-OUT permit 10              # create new blackhole policy
  match ip address prefix-list RTBH-IPv4-LIST  # match blackhole prefix-list
  set community 65535:666                      # set BLACKHOLE community
route-map SGIX-IPv4-OUT permit 20              # existing outbound policy
  <existing outbound policies>                 # existing match statement

# IPv6 outbound policy snippet
route-map SGIX-IPv6-OUT permit 10                # create new blackhole policy
  match ipv6 address prefix-list RTBH-IPv6-LIST  # match blackhole prefix-list
  set community 65535:666                        # set BLACKHOLE community
route-map SGIX-IPv6-OUT permit 20                # existing outbound policy
  <existing outbound policies>                   # existing match statement

# BGP configuration snippet
router bgp <your_ASN>
  address-family ipv4
    network X.X.X.X mask 255.255.255.255                # Advertise IPv4 blackhole prefix
    neighbor 103.16.102.12 route-map SGIX-IPv4-OUT out  # RS1 IPv4 outbound policy
    neighbor 103.16.102.13 route-map SGIX-IPv4-OUT out  # RS2 IPv4 outbound policy
  exit-address-family

  address-family ipv6
    network Y:Y:Y:Y::Y/128                                    # Advertise IPv6 blackhole prefix
    neighbor 2001:DE8:12:100::12 route-map SGIX-IPv6-OUT out  # RS1 IPv6 outbound policy
    neighbor 2001:DE8:12:100::13 route-map SGIX-IPv6-OUT out  # RS2 IPv6 outbound policy
  exit-address-family

 

  • Members MUST enable send-community for both BGP v4v6 address-family.
  • RS only allowed blackhole IP prefixes from below size:

/24 =< IPv4 prefix length =< /32
/64 =< IPv6 prefix length =< /128

  • Members can only advertise blackhole IP prefixes from their own address space.
  • Blackhole IP prefixes should not be advertise outside their local AS.
  • The maximum number of blackhole IP prefixes that can be advertised is limited by:

(blackhole + standard prefix) < max-prefix

  • Members can target blackhole IP prefixes to specific ASN by combining it with SGIX standard community and large community filtering (the default is announced to all ASN).
Standard Community Descriptions
0:55518 Block announcement of prefixes to all ASN
0:$ASN Block announcement of prefixes to this ASN only
55518:$ASN Announce prefixes to this ASN only

 

Large Community Descriptions
55518:0:0 Block announcement of prefixes to all ASN
55518:0:$ASN* Block announcement of prefixes to this ASN only
55518:1:$ASN* Announce prefixes to this ASN only
*Please note that ASN is a four byte AS number you have to use for the BGP Large Communities.


# Example 1
route-map SGIX-IPv4-OUT permit 10
  match ip address prefix-list RTBH-IPv4-LIST  # match IPv4 blackhole prefix-list
  set community 65535:666 0:1234 0:5678        # blackhole to all except ASN 1234 and 5678

# Example 2
route-map SGIX-IPv4-OUT permit 10
  match ip address prefix-list RTBH-IPv4-LIST    # match IPv4 blackhole prefix-list
  set community 65535:666 55518:1234 55518:5678  # blackhole to only ASN 1234 and 5678

Blackholing via Direct Peering

Below are some guideline and restrictions for blackholing via direct peering:

  • Members MUST enable send-community for both BGP v4v6 address-family.
  • Use of RFC7999 BLACKHOLE community for prefix marking and matching is optional but recommended.
  • Members must allow IP prefixes marked with blackhole community (either RFC7999 or custom community) through their inbound filter.
  • Blackhole IP prefix should include NO_EXPORT community to prevent it from leaking outside the local AS.
  • To signal an IP prefix for blackholing, manually set the respective address-family next-hop to SGIX blackhole next-hop address together with NO_EXPORT community before advertising to direct peer. For IPv6 address-family, both Global + Link-Local addresses MUST be included in the next-hop information.
# Create IP v4v6 static route for victim address
ip route X.X.X.X 255.255.255.255 <IPv4-next-hop-to-victim-address>
ipv6 route Y:Y:Y:Y::Y/128 <IPv6-next-hop-to-victim-address>

# Create IP v4v6 blackhole prefix-list for matching later
ip prefix-list RTBH-IPv4-LIST seq 5 permit X.X.X.X/32
ipv6 prefix-list RTBH-IPv6-LIST seq 5 permit Y:Y:Y:Y::Y/128

# IPv4 outbound policy snippet
route-map SGIX-IPv4-OUT permit 10               # create new blackhole policy
  match ip address prefix-list RTBH-IPv4-LIST   # match blackhole prefix-list
  set community 65535:666 no-export             # set BLACKHOLE & no-export community
  set ip next-hop 103.16.102.6                  # set SGIX blackhole next-hop address
route-map SGIX-IPv4-OUT permit 20               # existing outbound policy
  <existing outbound policies>                  # existing match statement

# IPv6 outbound policy snippet
route-map SGIX-IPv6-OUT permit 10                # create new blackhole policy
  match ipv6 address prefix-list RTBH-IPv6-LIST  # match blackhole prefix-list
  set community 65535:666 no-export              # set BLACKHOLE & no-export community
  set ipv6 next-hop 2001:DE8:12:100::6 FE80::DEAD:BEEF:6666:6666  # set SGIX blackhole next-hop address
route-map SGIX-IPv6-OUT permit 20                # existing outbound policy
  <existing outbound policies>                   # existing match statement

# BGP configuration snippet
router bgp <your_ASN>
  address-family ipv4
    network X.X.X.X mask 255.255.255.255                   # Advertise IPv4 blackhole prefix
    neighbor <peer_ipv4_addr> route-map SGIX-IPv4-OUT out  # Direct peer outbound policy
  exit-address-family

  address-family ipv6
    network Y:Y:Y:Y::Y/128                                 # Advertise IPv6 blackhole prefix
    neighbor <peer_ipv6_addr> route-map SGIX-IPv6-OUT out  # Direct peer outbound policy
  exit-address-family