To help our members fight DDoS (Distributed Denial of Service) attacks, we have set up a BLACKHOLING (BH) service, available in Paris and Marseille.
BH is a service that lets a member tag a route so that the traffic destined to it is dropped, in order to block DDoS or other malicious traffic.
BH can be used by all members connected to the route servers, or directly between members. A selective routing policy can be applied on the route servers. The service follows RFC 7999.
Using the route servers:
By applying the community called BLACKHOLE (65535:666) to a prefix, you force its next-hop to the blackhole router. We also add the NO_EXPORT community to this prefix.
The traffic threatening the member is dropped at the edge of the platform, so the attacked port is protected.
BH is available for IPv4 as well as IPv6.
We advise our members to announce prefixes up to /32 in IPv4 and up to /128 in IPv6.
Not using the route servers:
The service can also be used directly by members, by changing the next-hop of the Network Layer Reachability Information (NLRI) to the blackhole router. We advise you to also set the NO_EXPORT community.
Additionally, we keep track of all prefixes announced with the BLACKHOLE community, from the beginning to the end of the announcement.
Paris | IPv4 | IPv6
--- | --- | ---
RS1 | 37.49.236.250 | 2001:7f8:54::250
RS2 | 37.49.236.251 | 2001:7f8:54::251
BH router | 37.49.237.0 | 2001:7f8:54::1:0

Marseille | IPv4 | IPv6
--- | --- | ---
RS1 | 37.49.232.1 | 2001:7f8:54:5::1
RS2 | 37.49.232.2 | 2001:7f8:54:5::2
BH router | 37.49.232.253 | 2001:7f8:54:5::253
The MAC address of the BH router is: 66:66:66:66:66:66
Accepted prefix length (x) | IPv4 | IPv6
--- | --- | ---
Standard | 8 < x < 24 | 19 < x < 48
Blackholing | 8 < x < 32 | 19 < x < 128
Selective routing policies remain unchanged on the route servers. Here are three case studies of the service on the route servers:
Information | Value
--- | ---
ASN France-IX | 51706
ASN Peer X | 6500X
Blackhole community | 65535:666
'Do not announce to Peer X' community | 0:Peer-as
'Announce to Peer X' community | 51706:Peer-as
'Do not announce to all peers' community | 51706:0
'Announce to all peers' community | 51706:51706
Case study 1: Announcement of a prefix with BLACKHOLE community to all members
Figure (legend: BGP announcement, blackhole traffic, legitimate traffic). Announcements shown: /32 (65535:666); /32 (65535:666).

Case study 2: Announcement of a prefix with BLACKHOLE community to one peer (PEER 2)
Figure (legend: BGP announcement, blackhole traffic, legitimate traffic). Announcements shown: /32 (65535:666); /32 (65535:666) (0:51706) (51706:65001).

Case study 3: Announcement of a prefix with BLACKHOLE community to all members except PEER 2 and PEER 3
Figure (legend: BGP announcement, blackhole traffic, legitimate traffic). Announcements shown: /32 (65535:666); /32 (65535:666) (0:65001) (0:65002).
Reminder: for the service to work properly, members must accept prefixes as described in RFC 7999, that is, up to /32 in IPv4 and up to /128 in IPv6.
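The following is an added example, not France-IX's own route-server configuration or code. It models, in Python, the three mechanisms described above: the prefix-length ranges from the table (read as inclusive bounds, since the page says /32 and /128 are accepted for blackholing), the route-server handling of a BLACKHOLE-tagged prefix (next-hop rewritten to the Paris BH router address given on the page, NO_EXPORT added), the direct variant where the member sets the next-hop itself, and the selective routing communities from the table, evaluated over the three case studies. Assumptions of the example: the precedence between communities (a peer-specific community overrides an all-peers one, and "do not announce" wins over "announce" when both match), the peer ASNs 65001 to 65003 standing in for the page's "6500X", the member address 192.0.2.1, and the use of `51706:0` plus `51706:65001` for the "only PEER 2" case, which is the table's way of saying "all peers: no, Peer 2: yes".

```python
import ipaddress
from dataclasses import dataclass, field

# Values taken from the page: France-IX ASN, the RFC 7999 BLACKHOLE community
# and the Paris blackhole router addresses used as next-hop.
FRANCE_IX_ASN = 51706
BLACKHOLE = (65535, 666)
NO_EXPORT = "NO_EXPORT"  # well-known community, modelled as a plain string
BH_ROUTER = {4: "37.49.237.0", 6: "2001:7f8:54::1:0"}

# Accepted prefix lengths from the page's table, read as inclusive bounds
# (the page states that /32 and /128 are accepted for blackholing).
PREFIX_LEN = {
    "standard": {4: (8, 24), 6: (19, 48)},
    "blackhole": {4: (8, 32), 6: (19, 128)},
}


@dataclass
class Announcement:
    prefix: str
    next_hop: str
    # communities are (asn, value) tuples; NO_EXPORT is the string above
    communities: frozenset = field(default_factory=frozenset)


def prefix_length_ok(prefix: str, blackhole: bool) -> bool:
    """Check the prefix length against the standard or blackholing range."""
    net = ipaddress.ip_network(prefix, strict=False)
    lo, hi = PREFIX_LEN["blackhole" if blackhole else "standard"][net.version]
    return lo <= net.prefixlen <= hi


def route_server_ingress(ann: Announcement):
    """Model the route-server side: reject announcements whose prefix length
    is out of range; for BLACKHOLE-tagged prefixes rewrite the next-hop to the
    blackhole router and add NO_EXPORT. Returns None when rejected."""
    is_bh = BLACKHOLE in ann.communities
    if not prefix_length_ok(ann.prefix, is_bh):
        return None
    if not is_bh:
        return ann
    version = ipaddress.ip_network(ann.prefix, strict=False).version
    return Announcement(ann.prefix, BH_ROUTER[version],
                        frozenset(ann.communities) | {NO_EXPORT})


def export_to_peer(ann: Announcement, peer_asn: int) -> bool:
    """Selective routing policy built from the page's community table.
    Precedence is an assumption of this example (not stated on the page):
    peer-specific beats all-peers, and 'do not announce' beats 'announce'."""
    c = ann.communities
    if (0, peer_asn) in c:               # 0:Peer-as: do not announce to Peer X
        return False
    if (FRANCE_IX_ASN, peer_asn) in c:   # 51706:Peer-as: announce to Peer X
        return True
    if (FRANCE_IX_ASN, 0) in c:          # 51706:0: do not announce to all peers
        return False
    return True                          # 51706:51706 or no community: all peers


def direct_blackhole(prefix: str) -> Announcement:
    """The 'not using route servers' variant: the member itself sets the
    next-hop to the blackhole router and adds NO_EXPORT. BLACKHOLE is kept so
    that the announcement is still tracked by the IXP."""
    version = ipaddress.ip_network(prefix, strict=False).version
    return Announcement(prefix, BH_ROUTER[version],
                        frozenset({BLACKHOLE, NO_EXPORT}))


def run_case_studies():
    """Evaluate the three case studies against constructed peers 65001, 65002
    and 65003 (PEER 1, PEER 2, PEER 3). Returns {case: {peer: exported?}}."""
    peers = (65001, 65002, 65003)
    cases = {
        "all members": frozenset({BLACKHOLE}),
        "only PEER 2": frozenset({BLACKHOLE, (FRANCE_IX_ASN, 0),
                                  (FRANCE_IX_ASN, 65001)}),
        "all except PEER 2 and 3": frozenset({BLACKHOLE, (0, 65001),
                                              (0, 65002)}),
    }
    result = {}
    for name, comms in cases.items():
        # 203.0.113.7/32 is the attacked host, 192.0.2.1 the member's peering
        # address; both are constructed documentation addresses.
        ann = route_server_ingress(
            Announcement("203.0.113.7/32", "192.0.2.1", comms))
        result[name] = {p: export_to_peer(ann, p) for p in peers}
    return result


if __name__ == "__main__":
    for name, decisions in run_case_studies().items():
        print(f"{name}: {decisions}")
```

Running the script prints, for each case study, which of the three peers receives the /32 with the blackhole next-hop; a /25 without the BLACKHOLE community is rejected by `route_server_ingress` because it exceeds the standard /24 limit, while the same /25 tagged with BLACKHOLE is accepted.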
No extra cost.