About Blackholing Service
To help members mitigate DDoS attacks, SGIX provides a blackhole next-hop address for both the IPv4 and IPv6 address-families. These next-hop addresses resolve (via ARP/ND) to a predefined blackhole MAC address (de:ad:be:ef:66:66). Frames destined to that MAC are dropped by the ingress filter on the switch port where the member is directly connected, so the DDoS traffic never reaches its destination. The SGIX blackholing (BH) service is available on our Route Servers (RS), and members are encouraged to participate.
The table below lists the SGIX blackhole next-hop addresses and the BGP BLACKHOLE community.
| Parameter | Value |
|---|---|
| IPv4 Address | 103.16.102.6 |
| IPv6 Global Address | 2001:DE8:12:100::6 |
| IPv6 Link-Local Address | FE80::DEAD:BEEF:6666:6666 |
| MAC Address | de:ad:be:ef:66:66 |
| BLACKHOLE Community (RFC7999) | 65535:666 |
Blackholing via Route Server (RS)
Below are the guidelines and restrictions for using the blackholing service via the RS:
- To participate in the SGIX blackholing service, members MUST allow IPv4 and IPv6 prefixes marked with the BLACKHOLE community (65535:666) through their inbound filter. This blackholing inbound policy should be placed above any existing inbound policies so that it cannot be bypassed.
    # Create BLACKHOLE community (RFC7999)
    ip community-list standard BLACKHOLE-COMM permit 65535:666

    # IPv4 Inbound policy snippet
    route-map SGIX-IPv4-IN permit 10          # create new blackhole policy
     match community BLACKHOLE-COMM           # match BLACKHOLE community
    route-map SGIX-IPv4-IN permit 20          # existing inbound policy
     <existing inbound policies>              # existing match statement

    # IPv6 Inbound policy snippet
    route-map SGIX-IPv6-IN permit 10          # create new blackhole policy
     match community BLACKHOLE-COMM           # match BLACKHOLE community
    route-map SGIX-IPv6-IN permit 20          # existing inbound policy
     <existing inbound policies>              # existing match statement

    # BGP Inbound Policy snippet
    router bgp <your_ASN>
     ....
     address-family ipv4
      neighbor 103.16.102.12 route-map SGIX-IPv4-IN in          # RS1 IPv4 inbound policies
      neighbor 103.16.102.13 route-map SGIX-IPv4-IN in          # RS2 IPv4 inbound policies
     exit-address-family
     ....
     address-family ipv6
      neighbor 2001:DE8:12:100::12 route-map SGIX-IPv6-IN in    # RS1 IPv6 inbound policies
      neighbor 2001:DE8:12:100::13 route-map SGIX-IPv6-IN in    # RS2 IPv6 inbound policies
     exit-address-family
- To let members confirm that their inbound filter is configured correctly, SGIX announces a permanent IPv4 and IPv6 test blackhole prefix. Members should verify that they receive these test prefixes in their routing table with the correct next-hop address and BGP communities.
| Test IP v4v6 Blackhole Prefix | Next-hop address | BGP Communities |
|---|---|---|
| 202.3.78.3/32 | 103.16.102.6 | 65535:666 no-export |
| 2001:df0:214::3/128 | 2001:DE8:12:100::6 (Global), FE80::DEAD:BEEF:6666:6666 (Link-Local) | 65535:666 no-export |
- To signal an IP prefix for blackholing, mark the prefix with the BLACKHOLE community (65535:666) before advertising it to the RS. The RS automatically rewrites the prefix's next-hop to the SGIX blackhole next-hop address and appends the NO_EXPORT community before announcing it to the other RS clients.
    # Create IP v4v6 static route for victim address
    ip route X.X.X.X 255.255.255.255 <IPv4-next-hop-to-victim-address>
    ipv6 route Y:Y:Y:Y::Y/128 <IPv6-next-hop-to-victim-address>

    # Create IP v4v6 blackhole prefix-list for matching later
    ip prefix-list RTBH-IPv4-LIST seq 5 permit X.X.X.X/32
    ipv6 prefix-list RTBH-IPv6-LIST seq 5 permit Y:Y:Y:Y::Y/128

    # IPv4 outbound policy snippet
    route-map SGIX-IPv4-OUT permit 10                  # create new blackhole policy
     match ip address prefix-list RTBH-IPv4-LIST       # match blackhole prefix-list
     set community 65535:666                           # set BLACKHOLE community
    route-map SGIX-IPv4-OUT permit 20                  # existing outbound policy
     <existing outbound policies>                      # existing match statement

    # IPv6 outbound policy snippet
    route-map SGIX-IPv6-OUT permit 10                  # create new blackhole policy
     match ipv6 address prefix-list RTBH-IPv6-LIST     # match blackhole prefix-list
     set community 65535:666                           # set BLACKHOLE community
    route-map SGIX-IPv6-OUT permit 20                  # existing outbound policy
     <existing outbound policies>                      # existing match statement

    # BGP configuration snippet
    router bgp <your_ASN>
     address-family ipv4
      network X.X.X.X mask 255.255.255.255                        # Advertise IPv4 blackhole prefix
      neighbor 103.16.102.12 route-map SGIX-IPv4-OUT out          # RS1 IPv4 outbound policy
      neighbor 103.16.102.13 route-map SGIX-IPv4-OUT out          # RS2 IPv4 outbound policy
     exit-address-family
     address-family ipv6
      network Y:Y:Y:Y::Y/128                                      # Advertise IPv6 blackhole prefix
      neighbor 2001:DE8:12:100::12 route-map SGIX-IPv6-OUT out    # RS1 IPv6 outbound policy
      neighbor 2001:DE8:12:100::13 route-map SGIX-IPv6-OUT out    # RS2 IPv6 outbound policy
     exit-address-family
- Members MUST enable send-community for both the IPv4 and IPv6 BGP address-families.
- The RS only accepts blackhole IP prefixes within the following length ranges:
    /24 <= IPv4 prefix length <= /32
    /64 <= IPv6 prefix length <= /128
- Members may only advertise blackhole IP prefixes from their own address space.
- Blackhole IP prefixes should not be advertised outside the local AS.
- The maximum number of blackhole IP prefixes that can be advertised is bounded by the session's max-prefix limit:
    (blackhole + standard prefixes) < max-prefix
- Members can target blackhole IP prefixes at specific ASNs by combining the BLACKHOLE community with SGIX standard or large community filtering (by default the prefix is announced to all ASNs).
| Standard Community | Description |
|---|---|
| 0:55518 | Block announcement of prefixes to all ASNs |
| 0:$ASN | Block announcement of prefixes to this ASN only |
| 55518:$ASN | Announce prefixes to this ASN only |

| Large Community | Description |
|---|---|
| 55518:0:0 | Block announcement of prefixes to all ASNs |
| 55518:0:$ASN* | Block announcement of prefixes to this ASN only |
| 55518:1:$ASN* | Announce prefixes to this ASN only |

*Note that $ASN here is a four-byte AS number; BGP Large Communities are what you must use when the target ASN is four bytes.
    # Example 1
    route-map SGIX-IPv4-OUT permit 10
     match ip address prefix-list RTBH-IPv4-LIST       # match IPv4 blackhole prefix-list
     set community 65535:666 0:1234 0:5678             # blackhole to all except ASN 1234 and 5678

    # Example 2
    route-map SGIX-IPv4-OUT permit 10
     match ip address prefix-list RTBH-IPv4-LIST       # match IPv4 blackhole prefix-list
     set community 65535:666 55518:1234 55518:5678     # blackhole to only ASN 1234 and 5678
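The RS rules above (accepted prefix lengths, own address space, BLACKHOLE marking), the next-hop/NO_EXPORT rewrite, and the targeting community tables can be modelled in a few functions so a member can pre-check an announcement before sending it. This is an added illustrative model written for this page, not SGIX's RS code; the precedence between "announce only" and "block" communities is an assumption, since the page does not state it.

```python
import ipaddress
# Constants from the SGIX page; the policy functions are an illustrative model, not RS code.
SGIX_ASN = 55518
BLACKHOLE = "65535:666"            # RFC 7999 BLACKHOLE community
NO_EXPORT = "no-export"
BH_NEXT_HOP = {4: "103.16.102.6", 6: "2001:DE8:12:100::6"}
MIN_PREFIX_LEN = {4: 24, 6: 64}    # accepted ranges: /24../32 and /64../128

def check_blackhole_route(prefix, communities, member_space):
    """Return None if the RS would accept the route, else the reason for rejection."""
    net = ipaddress.ip_network(prefix, strict=True)
    if BLACKHOLE not in communities:
        return "BLACKHOLE community 65535:666 not set"
    if net.prefixlen < MIN_PREFIX_LEN[net.version]:
        return f"prefix length /{net.prefixlen} shorter than allowed for IPv{net.version}"
    own = [ipaddress.ip_network(s) for s in member_space]
    if not any(o.version == net.version and net.subnet_of(o) for o in own):
        return "prefix is not inside the member's own address space"
    return None

def rs_rewrite(prefix, communities):
    """RS action: next-hop becomes the blackhole address and NO_EXPORT is appended."""
    net = ipaddress.ip_network(prefix)
    comms = list(communities) + ([] if NO_EXPORT in communities else [NO_EXPORT])
    return {"prefix": str(net), "next_hop": BH_NEXT_HOP[net.version], "communities": comms}

def as_large(c):
    """Map an SGIX standard targeting community to its large-community form, else None."""
    a, b = c.split(":")
    if a == "0":                           # 0:55518 -> block all, 0:$ASN -> block this ASN
        return (SGIX_ASN, 0, 0 if int(b) == SGIX_ASN else int(b))
    return (SGIX_ASN, 1, int(b)) if a == str(SGIX_ASN) else None

def rs_targets(communities, large_communities, clients):
    """Client ASNs receiving the route per the SGIX targeting tables. Precedence is assumed
    (the page does not state it): an 'announce only' list replaces 'all', then blocks apply."""
    entries = [tuple(int(x) for x in c.split(":")) for c in large_communities]
    entries += [as_large(c) for c in communities if ":" in c]   # skips names like no-export
    announce, block, block_all = set(), set(), False
    for e in entries:
        if e is None or e[0] != SGIX_ASN:
            continue
        if e[1:] == (0, 0):
            block_all = True
        elif e[1] == 0:
            block.add(e[2])
        elif e[1] == 1:
            announce.add(e[2])
    base = announce if announce else (set() if block_all else set(clients))
    return sorted((base & set(clients)) - block)
```

The attributes `rs_rewrite` produces are also what a member must set by hand when blackholing over direct peering, where no RS performs the rewrite.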
Blackholing via Direct Peering
Below are the guidelines and restrictions for blackholing via direct peering:
- Members MUST enable send-community for both the IPv4 and IPv6 BGP address-families.
- Use of the RFC7999 BLACKHOLE community for prefix marking and matching is optional but recommended.
- Members must allow IP prefixes marked with the blackhole community (either RFC7999 or a custom community) through their inbound filter.
- Blackhole IP prefixes should carry the NO_EXPORT community to prevent them from leaking outside the local AS.
- To signal an IP prefix for blackholing, manually set the next-hop of the respective address-family to the SGIX blackhole next-hop address and add the NO_EXPORT community before advertising to the direct peer. For the IPv6 address-family, both the Global and Link-Local addresses MUST be included in the next-hop information.
    # Create IP v4v6 static route for victim address
    ip route X.X.X.X 255.255.255.255 <IPv4-next-hop-to-victim-address>
    ipv6 route Y:Y:Y:Y::Y/128 <IPv6-next-hop-to-victim-address>

    # Create IP v4v6 blackhole prefix-list for matching later
    ip prefix-list RTBH-IPv4-LIST seq 5 permit X.X.X.X/32
    ipv6 prefix-list RTBH-IPv6-LIST seq 5 permit Y:Y:Y:Y::Y/128

    # IPv4 outbound policy snippet
    route-map SGIX-IPv4-OUT permit 10                              # create new blackhole policy
     match ip address prefix-list RTBH-IPv4-LIST                   # match blackhole prefix-list
     set community 65535:666 no-export                             # set BLACKHOLE & no-export community
     set ip next-hop 103.16.102.6                                  # set SGIX blackhole next-hop address
    route-map SGIX-IPv4-OUT permit 20                              # existing outbound policy
     <existing outbound policies>                                  # existing match statement

    # IPv6 outbound policy snippet
    route-map SGIX-IPv6-OUT permit 10                              # create new blackhole policy
     match ipv6 address prefix-list RTBH-IPv6-LIST                 # match blackhole prefix-list
     set community 65535:666 no-export                             # set BLACKHOLE & no-export community
     set ipv6 next-hop 2001:DE8:12:100::6 FE80::DEAD:BEEF:6666:6666   # set SGIX blackhole next-hop address
    route-map SGIX-IPv6-OUT permit 20                              # existing outbound policy
     <existing outbound policies>                                  # existing match statement

    # BGP configuration snippet
    router bgp <your_ASN>
     address-family ipv4
      network X.X.X.X mask 255.255.255.255                         # Advertise IPv4 blackhole prefix
      neighbor <peer_ipv4_addr> route-map SGIX-IPv4-OUT out        # Direct peer outbound policy
     exit-address-family
     address-family ipv6
      network Y:Y:Y:Y::Y/128                                       # Advertise IPv6 blackhole prefix
      neighbor <peer_ipv6_addr> route-map SGIX-IPv6-OUT out        # Direct peer outbound policy
     exit-address-family