To help our members fight DDoS (Distributed Denial of Service) attacks, we have set up a BLACKHOLING (BH) service, available in Paris and Marseille.
What is blackholing?
BH is a service that allows a route to be tagged in order to block DDoS or malicious traffic.
How does it work?
The BH can be used by all members connected to the route servers, or directly between members. A selective BH policy can be applied on the route servers. We rolled out the service following RFC 7999.
How to use it?
Using route servers: By applying the community called BLACKHOLE (65535:666) to a prefix, you force the next-hop to the blackhole router. We also apply NO-EXPORT to this prefix. The traffic that was threatening the member is dropped at the edge of the platform, so the attacked port is protected. The BH is available in IPv4 as well as in IPv6. We advise our members to announce up to /32 netmask prefixes in IPv4 and up to /128 in IPv6.
Not using route servers: This service can also be used directly by the members by changing the next-hop of the Network Layer Reachability Information (NLRI). We advise you to also set the NO-EXPORT community.
Additionally, we keep track of all the announced prefixes with the BLACKHOLE community (from the beginning to the end of the announcement).
Information

Paris

| | IPv4 | IPv6 |
|---|---|---|
| RS1 | 37.49.236.250 | 2001:7f8:54::250 |
| RS2 | 37.49.236.251 | 2001:7f8:54::251 |
| BH router | 37.49.237.0 | 2001:7f8:54::1:0 |

Marseille

| | IPv4 | IPv6 |
|---|---|---|
| RS1 | 37.49.232.1 | 2001:7f8:54:5::1 |
| RS2 | 37.49.232.2 | 2001:7f8:54:5::2 |
| BH router | 37.49.232.253 | 2001:7f8:54:5::253 |

BH router MAC address is: 66:66:66:66:66:66
Accepted prefixes

| | IPv4 | IPv6 |
|---|---|---|
| Standard | 8 < x < 24 | 19 < x < 48 |
| Blackholing | 8 < x < 32 | 19 < x < 128 |
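The route-server behaviour described above (prefix-length limits, next-hop rewrite to the blackhole router, NO-EXPORT), modelled as an added example that is not France-IX code. The function name `evaluate`, the sample announcements and the member next hops are constructed for illustration, and the prefix-length bounds are assumed to be inclusive, in line with the "up to /32" and "up to /128" wording.

```python
import ipaddress

BLACKHOLE = (65535, 666)     # BLACKHOLE community given on this page (RFC 7999)
NO_EXPORT = (65535, 65281)   # well-known NO_EXPORT community (RFC 1997)

# Blackhole router next hops, copied from the tables above.
BH_NEXT_HOP = {
    "Paris": {4: "37.49.237.0", 6: "2001:7f8:54::1:0"},
    "Marseille": {4: "37.49.232.253", 6: "2001:7f8:54:5::253"},
}

# Accepted prefix lengths (min, max) per IP version.
# Assumption: both bounds are inclusive, matching "up to /32" and "up to /128".
LIMITS = {
    "standard": {4: (8, 24), 6: (19, 48)},
    "blackhole": {4: (8, 32), 6: (19, 128)},
}


def evaluate(prefix, communities, next_hop, site):
    """Return how the modelled route server would treat one announcement."""
    net = ipaddress.ip_network(prefix)  # raises ValueError if host bits are set
    comms = set(communities)
    kind = "blackhole" if BLACKHOLE in comms else "standard"
    low, high = LIMITS[kind][net.version]
    if not low <= net.prefixlen <= high:
        return {"accepted": False, "kind": kind,
                "reason": f"/{net.prefixlen} outside /{low}-/{high}"}
    if kind == "blackhole":
        # Next hop is forced to the blackhole router and NO-EXPORT is added.
        next_hop = BH_NEXT_HOP[site][net.version]
        comms.add(NO_EXPORT)
    return {"accepted": True, "kind": kind, "next_hop": next_hop,
            "communities": sorted(comms)}


if __name__ == "__main__":
    # Constructed sample announcements (documentation prefixes, made-up next hops).
    samples = [
        ("192.0.2.0/24", [], "37.49.236.10", "Paris"),
        ("192.0.2.10/32", [], "37.49.236.10", "Paris"),
        ("192.0.2.10/32", [BLACKHOLE], "37.49.236.10", "Paris"),
        ("2001:db8::1/128", [BLACKHOLE], "2001:7f8:54:5::10", "Marseille"),
    ]
    for sample in samples:
        print(sample[0], evaluate(*sample))
```

A /32 without the BLACKHOLE community is rejected by the standard limits, which is why a peer that filters on the standard limits alone never installs the blackhole route.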
Selective routing policies remain unchanged on the route servers. Here are three case studies of our service on the route servers.

Information

| Item | Value |
|---|---|
| ASN France-IX | 51706 |
| ASN Peer X | 6500X |
| Blackhole Community | 65535:666 |
| Do not announce to Peer X community | 0:Peer-as |
| Announce to peer X community | 51706:Peer-as |
| Do not announce to all peers' community | 51706:0 |
| Announce to all peers' community | 51706:51706 |

1: Announcement of a prefix with Blackhole community to all members
2: Announcement of a prefix with Blackhole community to one peer (PEER 2)
3: Announcement of a prefix with BLACKHOLE community to all the members except PEER 2 and PEER 3
Reminder: For the service to work properly, members must accept prefixes in accordance with RFC 7999, in other words up to /32 netmask prefixes in IPv4 and up to /128 in IPv6.