Blackholing Guide

Blackholing is typically used to fight massive DDoS attacks which congest the physical connection between DE-CIX and a customer router. A detailed description of how Blackholing works at DE-CIX is available here.

Besides signaling a blackhole via direct peering, you can signal blackholes via the route servers at all exchanges except Berlin and Mumbai. In addition, we offer dedicated Blackholing route servers in Frankfurt and Dubai.

Blackholing via direct peering

You have to set the corresponding next-hop manually (please see table below) when signaling a Blackhole on a direct peering session.
Please also ask your peers to accept up to /32 for IPv4 and up to /128 for IPv6 from you so that the service works correctly.

Blackholing via the route servers

The re-distribution of BGP announcements by the Blackholing route server can be controlled in the same way as with the conventional route servers.

If you want to blackhole a certain IP prefix by using the conventional or Blackholing route servers, there are two ways of achieving this:

  • The BGP announcement carrying the IP prefix that should be blackholed is marked with the BLACKHOLE BGP Community (65535:666). Using the BLACKHOLE BGP Community is the recommended way of signaling a Blackhole as it makes handling a lot easier.
    or

  • The BGP announcement carrying the IP prefix that should be blackholed contains as next-hop a pre-defined Blackhole IP address. The table below lists the IPv4 and IPv6 Blackhole IP addresses for the different DE-CIX IXPs.

| DE-CIX IXP | Blackhole Next-Hop IPv4 address | Blackhole Next-Hop IPv6 address | BGP BLACKHOLE Community |
|---|---|---|---|
| Frankfurt | 80.81.193.66 | 2001:7f8::1a27:66:95 | 65535:666 |
| Dallas | 206.53.202.66 | 2001:504:61::f423:42:1 | 65535:666 |
| Dubai (UAE-IX) | 185.1.8.66 | 2001:7f8:73::efbe:42:1 | 65535:666 |
| Dusseldorf | 185.1.58.66 | 2001:7f8:9e::de3a:42:1 | 65535:666 |
| Hamburg | 80.81.203.66 | 2001:7f8:3d::a8f4:42:1 | 65535:666 |
| Istanbul | 185.1.48.66 | 2001:7f8:3f::50eb:42:1 | 65535:666 |
| Madrid | 185.1.68.66 | 2001:7f8:a0::be99:42:1 | 65535:666 |
| Marseille | 185.1.47.66 | 2001:7f8:36::50ed:42:1 | 65535:666 |
| Munich | 80.81.202.66 | 2001:7f8:44::b87c:42:1 | 65535:666 |
| New York | 206.130.10.66 | 2001:504:36::f63a:63:34 | 65535:666 |
| Palermo | 185.1.46.66 | 2001:7f8:32::61fb:42:1 | 65535:666 |

Please do not set the NO-EXPORT or NO-ADVERTISE community on the BGP announcements marked as Blackhole as this tells the route servers to not re-distribute this announcement.

Configuration examples of how to set up a BGP session to the Blackholing route server can be found in the Route Server Guides.

Blackholing via the dedicated Blackholing route servers

In Frankfurt and Dubai (UAE-IX), we operate dedicated Blackholing route servers.

The idea behind providing a Blackholing route server is that some router vendors do not support accepting /32 (IPv4) or /128 (IPv6) BGP announcements conditionally, based on the presence of the Blackhole BGP community or a particular next hop. With a dedicated Blackholing route server, peers can (and should) accept /32 (IPv4) or /128 (IPv6) announcements from this route server without having to change the BGP connection to the conventional route servers.

| Route server | IPv4 address | IPv6 address |
|---|---|---|
| rsbh.fra.de-cix.net | 80.81.192.158 | 2001:7f8::1a27:5051:c09e |
| rsbh.uae-ix.net | 185.1.8.252 | 2001:7f8:73::efbe:fc:1 |

The Blackholing route server consists of one machine. The software utilized to provide the Blackholing route server service is BIRD.

The Blackholing route server is connected to the conventional route server system. All BGP announcements that are marked as Blackholes (e.g. by rewriting the next hop to the pre-defined Blackholing IP address or by tagging the BGP announcement with the Blackhole BGP Community) received by the conventional route server system or a Blackholing route server are automatically redistributed to the other route server system.

If the Blackholing route server receives a BGP announcement marked as a Blackhole, the NO-EXPORT community and the BLACKHOLE community are added if they are not already present. This ensures that each BGP announcement marked as a Blackhole can be easily filtered and does not spread widely in the Internet routing system.

The Blackholing route server accepts only BGP announcements marked as Blackholes. If a BGP announcement is not marked as a Blackhole, the announcement is rejected. The reason is that DE-CIX wants to make sure that no Blackholes are triggered if BGP announcements are accidentally leaked to the Blackholing route server.
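
The marking, tagging and rejection rules described above can be modelled in a few lines. This is an added example, not DE-CIX or BIRD code: the Announcement class and the functions is_marked, preflight and rsbh_process are hypothetical names, the NO_EXPORT and NO_ADVERTISE values are the well-known communities from RFC 1997, and only two rows of the next-hop table are included.

```python
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE = (65535, 666)        # BLACKHOLE community, as given on this page
NO_EXPORT = (65535, 65281)      # well-known NO_EXPORT (RFC 1997)
NO_ADVERTISE = (65535, 65282)   # well-known NO_ADVERTISE (RFC 1997)

# Blackhole next-hops copied from the table on this page (two IXPs only).
BLACKHOLE_NEXT_HOPS = {
    "Frankfurt": {"80.81.193.66", "2001:7f8::1a27:66:95"},
    "Dubai (UAE-IX)": {"185.1.8.66", "2001:7f8:73::efbe:42:1"},
}

@dataclass
class Announcement:             # hypothetical minimal view of a BGP announcement
    prefix: str
    next_hop: str
    communities: set = field(default_factory=set)

def is_marked(ann, ixp):
    """True if the announcement signals a Blackhole by community or next-hop."""
    # Parse addresses so differently written IPv6 forms compare equal.
    hops = {ipaddress.ip_address(h) for h in BLACKHOLE_NEXT_HOPS[ixp]}
    return BLACKHOLE in ann.communities or ipaddress.ip_address(ann.next_hop) in hops

def preflight(ann, ixp):
    """Sender-side check before announcing to a route server; returns problems."""
    problems = []
    ipaddress.ip_network(ann.prefix)   # raises ValueError on a malformed prefix
    if not is_marked(ann, ixp):
        problems.append("not marked: no BLACKHOLE community or Blackhole next-hop")
    if ann.communities & {NO_EXPORT, NO_ADVERTISE}:
        problems.append("NO-EXPORT/NO-ADVERTISE set: route servers will not re-distribute")
    return problems

def rsbh_process(ann, ixp):
    """Model of the Blackholing route server: reject unmarked, tag the rest."""
    if not is_marked(ann, ixp):
        return None                    # unmarked announcements are rejected
    return Announcement(ann.prefix, ann.next_hop,
                        ann.communities | {BLACKHOLE, NO_EXPORT})
```
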

Feature Matrix

The following matrix summarizes the Blackholing features available at the conventional and Blackholing Route Server systems:

rs1/rs2 | rsbh
Support for Blackholing
BLACKHOLE BGP community support for signaling a Blackhole
Route Server sets the BLACKHOLE BGP Community and the NO-EXPORT Community (if not yet available) to BGP announcements marked as Blackholes
Rewrite the next-hop of BGP announcements to the pre-defined Blackhole IP for BGP announcements marked as Blackholes
Simple filters allowing /32 (IPv4) and /128 (IPv6) BGP announcements for Blackholes
Available at DE-CIX Frankfurt and UAE-IX Dubai