Fight DDoS attacks with targeted rules on different layers
The DE-CIX Blackholing feature has been used increasingly since its inception, and our customers have asked us to extend its functionalities. In the face of ever-growing DDoS attacks, DE-CIX has now developed a new feature called Blackholing Advanced. Blackholing Advanced is an extension of the existing Blackholing feature, currently in a beta version and only available at DE-CIX Frankfurt. The feature is not activated by default. If you want to use the Blackholing Advanced feature, please activate the service in the DE-CIX customer portal.
Shape your DDoS traffic and analyze dropped traffic
Standard Blackholing removes unwanted traffic completely from your port. By doing so, you lose the ability to gather traffic statistics to see when traffic patterns change, e.g. if a DDoS attack is over. The Blackholing Advanced mechanism solves this problem by allowing you to shape the traffic routed to the blackholed prefix. Thus, you are still able to inspect a portion of the traffic while protecting your infrastructure from congestion at the same time. This visibility enables you to announce and withdraw Blackholing routes in a more efficient way, optimizing your response to the DDoS attack.
The dropped traffic can be analyzed with Blackholing Insights.
Filter on the transport protocol and port level
The existing Blackholing mechanism is binary at the prefix level: all traffic destined to the blackholed prefix is discarded, including legitimate traffic. From your perspective, a blackholed DDoS attack therefore still at least partially achieves the attacker’s objective, because your service becomes unreachable for a part of the Internet. At the same time, the vast majority of Blackholing traffic traversing the DE-CIX platform is caused by volumetric DDoS attacks using reflection via well-known abusable services/protocols such as DNS or NTP. Such reflected traffic can be blocked easily by filtering on the transport protocol and its source port, since the reflectors answer from the well-known port of the abused service. Consequently, Blackholing Advanced allows you to selectively filter on transport protocols and transport protocol ports.
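To illustrate the difference between a prefix-level blackhole and a protocol/port rule, here is an added comparison over constructed flow records (example code, not DE-CIX's implementation; the page does not specify the rule syntax, so the rule representation, the RFC 5737 addresses and the flow volumes are assumptions). The genuine DNS reply in the sample shows that a source-port rule still has a small residual cost, which is the caveat to keep in mind when choosing the rule.

```python
from dataclasses import dataclass

# Well-known UDP source ports of the reflection services the page names.
REFLECTION_PORTS = {53, 123}  # DNS, NTP

@dataclass(frozen=True)
class Flow:
    dst: str        # destination host prefix (constructed, RFC 5737 range)
    proto: str      # transport protocol of the flow
    src_port: int   # transport-layer source port seen at the peering edge
    nbytes: int     # volume of the flow
    legit: bool     # ground truth, used only to measure collateral damage

# Constructed sample: two reflection floods, a real HTTPS client, one genuine
# DNS answer to the victim's own resolver, and traffic to a neighbouring host.
VICTIM = "203.0.113.10/32"
SAMPLE_FLOWS = [
    Flow(VICTIM, "udp", 53, 900, legit=False),          # DNS reflection
    Flow(VICTIM, "udp", 123, 700, legit=False),         # NTP reflection
    Flow(VICTIM, "tcp", 51234, 50, legit=True),         # client -> web server
    Flow(VICTIM, "udp", 53, 2, legit=True),             # real DNS answer
    Flow("203.0.113.20/32", "udp", 53, 40, legit=True), # unaffected host
]

def prefix_blackhole(flows, prefix):
    """Standard Blackholing: every flow towards the prefix is discarded."""
    return [f for f in flows if f.dst == prefix]

def protocol_port_rule(flows, prefix, proto, src_ports):
    """Blackholing Advanced style rule: discard only flows towards the prefix
    that match the transport protocol and one of the given source ports."""
    return [f for f in flows
            if f.dst == prefix and f.proto == proto and f.src_port in src_ports]

def summarize(flows, dropped):
    """Attack volume removed versus legitimate volume lost to the rule."""
    attack_total = sum(f.nbytes for f in flows if not f.legit)
    attack_dropped = sum(f.nbytes for f in dropped if not f.legit)
    legit_dropped = sum(f.nbytes for f in dropped if f.legit)
    return {"attack_blocked_pct": round(100 * attack_dropped / attack_total, 1),
            "legit_bytes_lost": legit_dropped}

def compare_policies(flows=SAMPLE_FLOWS, victim=VICTIM):
    """Both policies remove the whole attack; only the collateral differs."""
    return {
        "prefix_blackhole": summarize(flows, prefix_blackhole(flows, victim)),
        "udp_reflection_rule": summarize(
            flows, protocol_port_rule(flows, victim, "udp", REFLECTION_PORTS)),
    }
```

Running `compare_policies()` shows both policies blocking 100% of the reflected volume, while the prefix blackhole also discards the HTTPS client and the port rule only loses the one genuine DNS answer.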
Get rid of the single IP address acceptance problem
With the current Blackholing solution, fine-grained protection of prefixes is only possible if the peering ASes accept prefixes as specific as /32 (IPv4) or /128 (IPv6). Daily operation has shown that this is not always the case. This means that even if a prefix is announced as a blackhole, it might still receive DDoS traffic from peers that reject the announcement. Blackholing Advanced solves this problem by relying only on routers/switches owned and managed by DE-CIX, so enforcement no longer depends on what your peers accept.
Help us to improve the feature
After activating the Blackholing Advanced feature, you can choose from multiple rules that drop or shape traffic; each rule blocks specific IP packets and is triggered by tagging your announcement with the corresponding Extended BGP Community. If the rule you need is not available, please let us know by sending an email to firstname.lastname@example.org. New rules will be added on request.
More information about how the feature works, what rules you can apply, and on Blackholing Insights to analyze the dropped traffic can be found in the DE-CIX Customer Portal.