Blackholing is typically used to fight massive DDoS attacks which congest the physical connection between DE-CIX and a customer router. A detailed description how Blackholing works at DE-CIX is available here.
Besides signaling a blackhole via direct peering, you can signal blackholes via the route servers at all exchanges except Berlin and the Internet Exchanges in India and Russia. In addition, we offer dedicated Blackholing route servers in Frankfurt and Dubai.
Blackholing via direct peering
You have to set the corresponding next-hop manually (please see table below) when signaling a Blackhole on a direct peering session.
Please also ask you peers to accept up to /32 for IPv4 and up to /128 for IPv6 from you for allowing the service to work correctly.
Blackholing via the route servers
The re-distribution of BGP announcements by the Blackholing route server can be controlled in the same way as with the conventional route servers.
If you want to blackhole a certain IP prefix by using the conventional or Blackholing route servers there are two ways of achieving this:
- The BGP announcement carrying the IP prefix that should be blackholed is marked with the BLACKHOLE BGP Community (65535:666). Using the BLACKHOLE BGP Community is the recommended way of signaling a Blackhole as it makes handling a lot easier.
- The BGP announcement carrying the IP prefix that should be blackholed contains as next-hop a pre-defined Blackhole IP address. The table below lists the IPv4 and IPv6 Blackhole IP addresses for the different DE-CIX IXPs.
|IXP||Blackhole Next-Hop IPv4 address||Blackhole Next-Hop IPv6 address||BGP BLACKHOLE Community|
Please do not set the NO-EXPORT or NO-ADVERTISE community on the BGP announcements marked as Blackhole as this tells the route servers to not re-distribute this announcement.
Configuration examples of how to setup a BGP session to the Blackholing route server can be found in the Route Server Guides.
Blackholing via the dedicated Blackholing route servers
In Frankfurt and Dubai (UAE-IX), we operate dedicated Blackholing route servers.
The idea behind providing a Blackholing route server is that some router vendors do not support the acceptance of /32 (IPv4) or /128 (IPv6) BGP announcement depending on the availability of the Blackhole BGP community or a particular next hop. With a specific Blackholing route server peers can (and should) accept /32 (IPv4) or /128 (IPv6) announcements from this route server without having to change the BGP connection to conventional route servers.
The Blackholing route server consists of one machine. The software utilized to provide the Blackholing route server service is BIRD.
The Blackholing route server is connected to the conventional route server system. All BGP announcements that are marked as Blackholes (e.g. by rewriting the next hop to the pre-defined Blackholing IP address or by tagging the BGP announcement with the Blackhole BGP Community) received by the conventional route server system or a Blackholing route server are automatically redistributed to the other route server system.
If the Blackholing route server receives a BGP announcement marked as a Blackhole the NO-EXPORT community and the BLACKHOLE community are added if these communities are not already available. This makes sure each BGP announcement marked as Blackhole can be easily filtered and does not spread widely in the Internet routing system.
The Blackholing route server accepts only BGP announcements marked as Blackholes. If a BGP announcement is not marked as a Blackhole, the announcement is rejected. The reason for this is that DE-CIX wants to make sure that if by accident BGP announcement are leaked to the Blackholing route server no Blackholes are triggered.
The following matrix summaries the Blackholing features available at the conventional and Blackholing Route Server systems:
|Support for Blackholing||✓||✓|
|BLACKHOLE BGP community support for signaling a Blackhole||✓||✓|
|Automatic BGP next-hop rewrite to pre-defined Blackhole IP for BGP announcements marked as Blackholes||✓||✓|
|Dedicated BGP session for Blackhole announcements: restrict your filters to Blackholes only and safely accept up to /32 (IPv4) and /128 (IPv6)||✗||✓|
|Available at DE-CIX Frankfurt and UAE-IX||✓||✓|
|Available at DE-CIX IXPs except Frankfurt and UAE-IX Dubai||✓||✗|