Blackholing Service

About Blackholing Service

To mitigate DDoS attacks, SGIX provides a blackhole next-hop address for both the IPv4 and IPv6 address families. This address resolves (via ARP/ND) to a predefined blackhole MAC address (de:ad:be:ef:66:66). Any traffic destined to this MAC address is dropped by the ingress filter on the switch port where the member is directly connected, which prevents the DDoS traffic from reaching its destination. The SGIX blackholing service is enabled by default for all members who peer with the Route Servers (RS).

The table below contains the SGIX blackhole next-hop addresses and the BGP BLACKHOLE community information.

IPv4 Address                   103.16.102.6
IPv6 Global Address            2001:DE8:12:100::6
IPv6 Link-Local Address        FE80::DEAD:BEEF:6666:6666
MAC Address                    de:ad:be:ef:66:66
BLACKHOLE Community (RFC7999)  65535:666

Blackholing via Route Server (RS)

To signal a blackhole via the RS, mark the IP prefix under attack with the RFC 7999 BLACKHOLE community (65535:666). The RS will automatically rewrite the next-hop of the respective address family to the SGIX blackhole next-hop address and append the NO_EXPORT community before re-advertising the prefix to the rest of the RS clients.

Below are the criteria and restrictions for blackholing via the RS:

  • Members MUST enable BGP send-community for both the IPv4 and IPv6 address families.
  • To participate in the blackholing service, members MUST allow IP prefixes marked with the BLACKHOLE community through their inbound filter by creating a match policy above any existing inbound policies.
# Create BLACKHOLE community (RFC7999)
ip community-list standard BLACKHOLE-COMM permit 65535:666

# IPv4 Inbound policy snippet
route-map SGIX-IPv4-IN permit 10  # create new blackhole policy
  match community BLACKHOLE-COMM  # match BLACKHOLE community
route-map SGIX-IPv4-IN permit 20  # existing inbound policy
  <existing inbound policies>     # existing match statement

# IPv6 Inbound policy snippet
route-map SGIX-IPv6-IN permit 10  # create new blackhole policy
  match community BLACKHOLE-COMM  # match BLACKHOLE community
route-map SGIX-IPv6-IN permit 20  # existing inbound policy
  <existing inbound policies>     # existing match statement

  • To help members verify their inbound policies, SGIX provides a permanent test IPv4/IPv6 blackhole prefix. Members need to verify that they are receiving this test prefix with the correct next-hop address and BGP communities.
Test IPv4v6 Blackhole Prefix   Next-hop address                         BGP Communities
202.3.78.3/32                  103.16.102.6                             65535:666 no-export
2001:df0:214::3/128            2001:DE8:12:100::6 (Global)              65535:666 no-export
                               FE80::DEAD:BEEF:6666:6666 (Link-Local)
  • The RS only accepts blackhole IP prefixes of the following sizes:

/24 <= IPv4 prefix length <= /32
/64 <= IPv6 prefix length <= /128

  • Members should advertise blackhole IP prefixes only from within their own address space.
  • Blackhole IP prefixes should not be advertised outside the local AS.
  • The maximum number of blackhole prefixes that can be advertised is limited by:

(blackhole + standard prefix) < max-prefix

  • To signal an IP prefix for blackholing, mark the prefix with the BLACKHOLE community before advertising it to the RS. This outbound blackhole policy should be placed above any existing policies if necessary.
# Create IPv4v6 static route for victim address
ip route X.X.X.X 255.255.255.255 <IPv4-next-hop-to-victim-address>
ipv6 route Y:Y:Y:Y::Y/128 <IPv6-next-hop-to-victim-address>

# Create IPv4v6 blackhole prefix-list for matching later
ip prefix-list RTBH-IPv4-LIST seq 5 permit X.X.X.X/32
ipv6 prefix-list RTBH-IPv6-LIST seq 5 permit Y:Y:Y:Y::Y/128

# IPv4 outbound policy snippet
route-map SGIX-IPv4-OUT permit 10              # create new blackhole policy
  match ip address prefix-list RTBH-IPv4-LIST  # match blackhole prefix-list
  set community 65535:666                      # set BLACKHOLE community
route-map SGIX-IPv4-OUT permit 20              # existing outbound policy
  <existing outbound policies>                 # existing match statement

# IPv6 outbound policy snippet
route-map SGIX-IPv6-OUT permit 10                # create new blackhole policy
  match ipv6 address prefix-list RTBH-IPv6-LIST  # match blackhole prefix-list
  set community 65535:666                        # set BLACKHOLE community
route-map SGIX-IPv6-OUT permit 20                # existing outbound policy
  <existing outbound policies>                   # existing match statement

# BGP configuration snippet
router bgp <your_ASN>
  address-family ipv4
    network X.X.X.X mask 255.255.255.255                # Advertise IPv4 blackhole prefix
    neighbor 103.16.102.12 route-map SGIX-IPv4-OUT out  # RS1
    neighbor 103.16.102.13 route-map SGIX-IPv4-OUT out  # RS2
  exit-address-family

  address-family ipv6
    network Y:Y:Y:Y::Y/128                                    # Advertise IPv6 blackhole prefix
    neighbor 2001:DE8:12:100::12 route-map SGIX-IPv6-OUT out  # RS1
    neighbor 2001:DE8:12:100::13 route-map SGIX-IPv6-OUT out  # RS2
  exit-address-family

  • Members can target blackhole IP prefixes to specific ASNs by combining the BLACKHOLE community with the SGIX standard filtering communities (by default, prefixes are announced to all ASNs).
0:55518    Block announcement of prefixes to all ASNs
0:ASN      Block announcement of prefixes to this ASN only
55518:ASN  Announce prefixes to this ASN only
# Example 1
route-map SGIX-IPv4-OUT permit 10
  match ip address prefix-list RTBH-IPv4-LIST  # match IPv4 blackhole prefix-list
  set community 65535:666 0:1234 0:5678        # blackhole to all except ASN 1234 and 5678

# Example 2
route-map SGIX-IPv4-OUT permit 10
  match ip address prefix-list RTBH-IPv4-LIST    # match IPv4 blackhole prefix-list
  set community 65535:666 55518:1234 55518:5678  # blackhole to only ASN 1234 and 5678
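The RS behaviour described in the criteria above (BLACKHOLE tag required, prefix-length limits, own address space, next-hop rewrite plus NO_EXPORT) and the ASN-targeting communities from the table can be modelled in a few lines. The following Python is an added example, not SGIX's route-server code: the next-hop addresses and community values are the page's, NO_EXPORT as 65535:65281 is the RFC 1997 value, and the sample member address space and the rule that a 55518:ASN community alone makes the announcement exclusive to the listed ASNs are assumptions taken from the page's two examples.

```python
import ipaddress

SGIX_ASN = 55518                                   # from the page's community table
BLACKHOLE = (65535, 666)                           # RFC 7999 BLACKHOLE
NO_EXPORT = (65535, 65281)                         # RFC 1997 well-known NO_EXPORT
BLACKHOLE_NH = {4: "103.16.102.6", 6: "2001:DE8:12:100::6"}

def rs_accept_blackhole(prefix, communities, member_space):
    """RS acceptance check: BLACKHOLE tag, allowed length, inside member space."""
    net = ipaddress.ip_network(prefix, strict=False)
    if BLACKHOLE not in communities:
        return False
    min_len = 24 if net.version == 4 else 64       # /24..=/32 or /64..=/128
    if not min_len <= net.prefixlen <= net.max_prefixlen:
        return False
    own = [ipaddress.ip_network(s) for s in member_space]
    return any(net.subnet_of(s) for s in own if s.version == net.version)

def rs_rewrite(prefix, communities):
    """Rewrite next-hop to the SGIX blackhole address and append NO_EXPORT."""
    version = ipaddress.ip_network(prefix, strict=False).version
    comms = list(communities)
    if NO_EXPORT not in comms:
        comms.append(NO_EXPORT)
    return BLACKHOLE_NH[version], comms

def rs_announce_to(peer_asn, communities):
    """Decide whether peer_asn receives the route under the SGIX filtering communities.
    Assumption (matches the page's examples): any 55518:ASN makes the announcement
    exclusive to the listed ASNs; otherwise 0:55518 blocks all and 0:ASN blocks one."""
    allow = {asn for (head, asn) in communities if head == SGIX_ASN}
    if allow:
        return peer_asn in allow
    if (0, SGIX_ASN) in communities:
        return False
    return (0, peer_asn) not in communities

if __name__ == "__main__":
    # Constructed sample: the page's test prefix, from a /24 we assume the member owns
    comms = [BLACKHOLE, (0, 1234)]
    if rs_accept_blackhole("202.3.78.3/32", comms, ["202.3.78.0/24"]):
        nh, out = rs_rewrite("202.3.78.3/32", comms)
        print(nh, out, rs_announce_to(1234, out), rs_announce_to(9999, out))
```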

Blackholing via Direct Peering

Below are the criteria and restrictions for blackholing via direct peering:

  • Members MUST enable BGP send-community for both the IPv4 and IPv6 address families.
  • Use of the RFC 7999 BLACKHOLE community for prefix marking and matching is optional but recommended.
  • Members must allow IP prefixes marked with the blackhole community (either RFC 7999 or a custom community) through their inbound filter.
  • Blackhole IP prefixes should include the NO_EXPORT community to prevent them from leaking outside the local AS.
  • To signal an IP prefix for blackholing, manually set the next-hop of the respective address family to the SGIX blackhole next-hop address, together with the NO_EXPORT community, before advertising to the direct peer. For the IPv6 address family, both the Global and Link-Local addresses MUST be included in the next-hop information.
# Create IPv4v6 static route for victim address
ip route X.X.X.X 255.255.255.255 <IPv4-next-hop-to-victim-address>
ipv6 route Y:Y:Y:Y::Y/128 <IPv6-next-hop-to-victim-address>

# Create IPv4v6 blackhole prefix-list for matching later
ip prefix-list RTBH-IPv4-LIST seq 5 permit X.X.X.X/32
ipv6 prefix-list RTBH-IPv6-LIST seq 5 permit Y:Y:Y:Y::Y/128

# IPv4 outbound policy snippet
route-map SGIX-IPv4-OUT permit 10               # create new blackhole policy
  match ip address prefix-list RTBH-IPv4-LIST   # match blackhole prefix-list
  set community 65535:666 no-export             # set BLACKHOLE & no-export community
  set ip next-hop 103.16.102.6                  # set SGIX blackhole next-hop address
route-map SGIX-IPv4-OUT permit 20               # existing outbound policy
  <existing outbound policies>                  # existing match statement

# IPv6 outbound policy snippet
route-map SGIX-IPv6-OUT permit 10                # create new blackhole policy
  match ipv6 address prefix-list RTBH-IPv6-LIST  # match blackhole prefix-list
  set community 65535:666 no-export              # set BLACKHOLE & no-export community
  set ipv6 next-hop 2001:DE8:12:100::6 FE80::DEAD:BEEF:6666:6666  # set SGIX blackhole next-hop address
route-map SGIX-IPv6-OUT permit 20                # existing outbound policy
  <existing outbound policies>                   # existing match statement

# BGP configuration snippet
router bgp <your_ASN>
  address-family ipv4
    network X.X.X.X mask 255.255.255.255                   # Advertise IPv4 blackhole prefix
    neighbor <peer_ipv4_addr> route-map SGIX-IPv4-OUT out  # Direct peer outbound policy
  exit-address-family

  address-family ipv6
    network Y:Y:Y:Y::Y/128                                 # Advertise IPv6 blackhole prefix
    neighbor <peer_ipv6_addr> route-map SGIX-IPv6-OUT out  # Direct peer outbound policy
  exit-address-family