This document discusses blackholing from a provider's perspective. It describes how blackholing can be implemented at the provider's upstreams and internet exchange points (IXPs). The document also discusses using FastNetMon for DDoS attack detection and implementing blackholing policies on routers to discard attack traffic in the case of a detected DDoS attack.
7. Blackholing at upstreams
Generally works, but:
• not enabled by default
• no common community (65535:666 is proposed in https://tools.ietf.org/id/draft-ymbk-grow-blackholing-01.txt)
10. Blackholing at IXPs
But peers still do NOT accept:
• more-specifics for /24 & /48
• rewrite of the next-hop
11. Blackholing at IXPs
DE-CIX supports it, let’s make it more successful.
Modify your policy, accept blackhole announcements!
term IMPORT-DECIX-BLACKHOLE {
    from {
        next-hop 80.81.193.66;
        prefix-list-filter $PEER orlonger;
        route-filter 0.0.0.0/0 prefix-length-range /32-/32;
    }
    then {
        community add no-export;
        accept;
    }
}
12. Unwanted Traffic Removal Service
https://www.cymru.com/jtk/misc/utrs.html
Source: https://www.team-cymru.org/UTRS
14. UTRS
• RIPEstat API for route validation
• 142 networks connected
• 9500 announcements yearly
SysEleven:
inet.0: 594972 destinations, 4408624 routes (591272 active, 0 holddown, 7418 hidden)
  Prefix            Nexthop     MED  Lclpref  AS path
* 37.44.0.1/32      192.0.2.1                 64496 25291 I
UTRS participant:
37.44.0.1/32    *[BGP/170] 02:23:40, localpref 200, from 154.35.**.**
                  AS path: 64496 25291 I, validation-state: unverified
                  Discard
15. UTRS
Implementation is easy.
policy-statement 4-CYMRU-UTRS-OUT {
    term BLACKHOLE {
        from {
            community SYS11_BLACKHOLE;
            route-filter 0.0.0.0/0 prefix-length-range /32-/32;
        }
        then {
            community add CYMRU-UTRS_BLACKHOLE;
            community add no-export;
            next-hop 192.0.2.1;
            accept;
        }
    }
}
policy-statement 4-CYMRU-UTRS-IN {
    term BLACKHOLE {
        from {
            community CYMRU-UTRS_BLACKHOLE;
            route-filter 0.0.0.0/0 prefix-length-range /32-/32;
        }
        then {
            community add SYS11_BLACKHOLE;
            community add no-export;
            next-hop discard;
            accept;
        }
    }
}
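To see the two import policies above (the DE-CIX term IMPORT-DECIX-BLACKHOLE and 4-CYMRU-UTRS-IN) as one checkable rule, here is an added Python model; it is not SysEleven's, DE-CIX's or Team Cymru's code. It accepts a host route only if it carries the expected marker (the IXP blackhole next-hop, or the UTRS community), sits inside the peer's registered prefixes (the `orlonger` prefix-list check) and comes from the matching origin AS (the route-validation step), then rewrites it to a discard route tagged no-export and SYS11_BLACKHOLE. It goes beyond the slides by also accepting IPv6 /128 host routes; the 64496:666 value standing in for CYMRU-UTRS_BLACKHOLE and the per-peer origin-AS table are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

DECIX_BLACKHOLE_NEXT_HOP = "80.81.193.66"   # DE-CIX blackhole next-hop, as in the slides
UTRS_BLACKHOLE_COMMUNITY = "64496:666"      # constructed stand-in for CYMRU-UTRS_BLACKHOLE
SYS11_BLACKHOLE = "25291:666"               # SysEleven's own blackhole community, as in the slides


@dataclass
class Route:
    prefix: str
    next_hop: str
    communities: set = field(default_factory=set)
    origin_as: int = 0


@dataclass
class Decision:
    accepted: bool
    reason: str
    route: Optional[Route] = None   # the rewritten route when accepted


def covered_by(prefix: str, registered: list) -> bool:
    """prefix-list-filter <peer> orlonger: the host route must sit inside a registered prefix."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(r)) for r in registered
               if ipaddress.ip_network(r).version == net.version)


def import_blackhole(route: Route, peer_prefixes: list, peer_as: int, via_utrs: bool) -> Decision:
    """Return the route rewritten to discard, or a rejection naming the failing check."""
    net = ipaddress.ip_network(route.prefix)
    if net.prefixlen != net.max_prefixlen:            # /32 (or /128) only, as in the route-filter
        return Decision(False, "not a host route")
    if via_utrs and UTRS_BLACKHOLE_COMMUNITY not in route.communities:
        return Decision(False, "UTRS blackhole community missing")
    if not via_utrs and route.next_hop != DECIX_BLACKHOLE_NEXT_HOP:
        return Decision(False, "next-hop is not the IXP blackhole next-hop")
    if not covered_by(route.prefix, peer_prefixes):   # a peer may only blackhole its own space
        return Decision(False, "prefix not inside the peer's registered prefixes")
    if route.origin_as != peer_as:                    # route validation (assumed local origin table)
        return Decision(False, "origin AS does not match the registered holder")
    rewritten = Route(route.prefix, "discard",
                      route.communities | {"no-export", SYS11_BLACKHOLE}, route.origin_as)
    return Decision(True, "blackhole accepted", rewritten)
```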
21. Blackholing in case of attack
If there’s a DDoS detected:
tvoss@router1# show | compare
[edit routing-options flow]
+   route 109.68.230.206/32 {
+       match {
+           destination 109.68.230.206/32;
+           protocol udp;
+           port [ 0 4444 ];
+       }
+       then {
+           discard;
+       }
22. Blackholing in case of attack
If there’s a DDoS detected:
tvoss@router2> show route table inetflow.0
inetflow.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
109.68.230.206,*,proto=17,port=0,=4444/term:1 (1 entry, 1 announced)
    *BGP    Preference: 170/-101
            Next hop type: Fictitious
            Announcement bits (1): 0-Flow
            Communities: traffic-rate:0:0
            Accepted
            Validation state: Accept, Originator: 37.44.7.60
            Via: 109.68.230.0/24, Active
23. Blackholing in case of attack
If we can’t handle the attack bandwidth:
Announce /24 to Upstreams & DE-CIX:
route 37.44.0.0/24 {
    next-hop $nexthop;
    community 25291:555;
}
Start /32 blackholing to Upstreams, DE-CIX & UTRS:
route 37.44.0.1/32 {
    discard;
    community 25291:666;
}
Stop announcing /24 at DE-CIX:
route 37.44.0.0/24 {
    next-hop $nexthop;
    community 25291:444;
}
24. Blackholing in case of attack
[Diagram: Upstreams: the more-specific attracts the traffic, the /32 is discarded. Source networks: the /32 is discarded in the source network by UTRS.]