Blackholing

    In order to help our members fight DDoS (Distributed Denial of Service) attacks, we have set up a BLACKHOLING (BH) service, available in Paris and Marseille.

     

    WHAT IS BLACKHOLING?

    BH is a service that lets a member tag a route in order to block DDoS or malicious traffic.

     

    HOW DOES IT WORK?

    BH can be used by all members connected to the route servers, or directly between members. A selective BH policy can be applied on the route servers. We rolled out the service in line with RFC 7999.

     

    HOW TO BENEFIT?

    Using the route servers:

    By applying the BLACKHOLE community (65535:666) to a prefix, you force the next-hop to the blackhole router. We also apply the NO-EXPORT community to this prefix.

    The traffic that was threatening the member is dropped at the edge of the platform, so the attacked port is protected.

    BH is available in IPv4 as well as in IPv6.

    We advise our members to announce prefixes up to a /32 netmask in IPv4 and up to /128 in IPv6.

     

    Not using the route servers:

    Members can also use this service directly by changing the next-hop of the Network Layer Reachability Information (NLRI). We advise you to also set the NO-EXPORT community.

     

    Additionally, we keep track of all the announced prefixes with the BLACKHOLE community (from the beginning to the end of the announcement).

     

    Information

    Paris        IPv4             IPv6
    RS1          37.49.236.250    2001:7f8:54::250
    RS2          37.49.236.251    2001:7f8:54::251
    BH router    37.49.237.0      2001:7f8:54::1:0

    Marseille    IPv4             IPv6
    RS1          37.49.232.1      2001:7f8:54:5::1
    RS2          37.49.232.2      2001:7f8:54:5::2
    BH router    37.49.232.253    2001:7f8:54:5::253

    The MAC address of the BH router is: 66:66:66:66:66:66
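
    The announcement rules above, as an added example (not France-IX's own code): a member-side helper that builds the blackhole announcement for an address under attack, plus a small model of the route-server handling described on this page. The function names, the dictionary layout, the documentation prefixes used as sample input and the check that the target lies inside the member's own aggregates are assumptions; the BLACKHOLE community and BH router addresses are the ones listed above.

```python
import ipaddress

BLACKHOLE = (65535, 666)    # BLACKHOLE community from the page (RFC 7999)
NO_EXPORT = (65535, 65281)  # well-known NO_EXPORT community (RFC 1997)

# BH router next hops, copied from the page's table
BH_NEXT_HOP = {
    ("paris", 4): "37.49.237.0",
    ("paris", 6): "2001:7f8:54::1:0",
    ("marseille", 4): "37.49.232.253",
    ("marseille", 6): "2001:7f8:54:5::253",
}

def build_blackhole_route(target, own_aggregates, site, via_route_server=True):
    """Member side: build the announcement for an address or prefix under attack."""
    net = ipaddress.ip_network(target)  # a bare address becomes a /32 or /128
    aggregates = [ipaddress.ip_network(a) for a in own_aggregates]
    # Assumed safety check: only blackhole space we originate ourselves
    if not any(a.version == net.version and net.subnet_of(a) for a in aggregates):
        raise ValueError(f"{net} is not covered by our own aggregates")
    if via_route_server:
        # The route server forces the next hop and adds NO-EXPORT for us
        return {"prefix": str(net), "communities": [BLACKHOLE]}
    # Direct session: point the next hop at the BH router and set NO-EXPORT
    return {"prefix": str(net),
            "next_hop": BH_NEXT_HOP[(site, net.version)],
            "communities": [NO_EXPORT]}

def route_server_view(route, site):
    """Model of the route-server handling described on the page (not its real code)."""
    out = {**route, "communities": list(route["communities"])}
    if BLACKHOLE in out["communities"]:
        version = ipaddress.ip_network(out["prefix"]).version
        out["next_hop"] = BH_NEXT_HOP[(site, version)]
        if NO_EXPORT not in out["communities"]:
            out["communities"].append(NO_EXPORT)
    return out

if __name__ == "__main__":
    # Constructed sample: a documentation prefix standing in for a member's space
    sent = build_blackhole_route("192.0.2.10", ["192.0.2.0/24"], "paris")
    print(sent, "->", route_server_view(sent, "paris"))
```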

     

    Accepted prefixes

                   IPv4          IPv6
    Standard       8 < x < 24    19 < x < 48
    Blackholing    8 < x < 32    19 < x < 128

     

    Selective routing policies remain unchanged on the route servers. Here are three case studies of our service on the route servers:

     
    Information

    ASN France-IX                                 51706
    ASN Peer X                                    6500X
    Blackhole community                           65535:666
    'Do not announce to Peer X' community         0:Peer-as
    'Announce to Peer X' community                51706:Peer-as
    'Do not announce to all peers' community      51706:0
    'Announce to all peers' community             51706:51706

     

    #1  Announcement of a prefix with Blackhole community to all members

    [Figure: route server blackholing diagram. Legend: dashed blue and grey line = BGP announcement; red arrow = Blackhole traffic; green arrow = Legitimate traffic. Grey circle: /32 (65535:666). Blue circle: /32 (65535:666).]

    #2  Announcement of a prefix with Blackhole community to one peer (PEER 2)

    [Figure: route server blackholing diagram at France-IX. Legend: dashed blue and grey line = BGP announcement; red arrow = Blackhole traffic; green arrow = Legitimate traffic. Grey circle: /32 (65535:666). Blue circle: /32 (65535:666) (0:51706) (51706:65001).]

    #3  Announcement of a prefix with BLACKHOLE community to all the members except PEER 2 and PEER 3

    [Figure: France-IX blackholing peering session diagram. Legend: dashed blue and grey line = BGP announcement; red arrow = Blackhole traffic; green arrow = Legitimate traffic. Grey circle: /32 (65535:666). Blue circle: /32 (65535:666) (0:65001) (0:65002).]

    Reminder: for the service to work properly, members must accept prefixes in line with RFC 7999, in other words IPv4 prefixes up to a /32 netmask and IPv6 prefixes up to /128.

     

    HOW MUCH DOES THIS SERVICE COST?

    No extra cost.