Blackholing

DDoS threat protection

To help our members fight DDoS (Distributed Denial of Service) attacks, we have set up a BLACKHOLING (BH) service, available in Paris and Marseille.

 

What is blackholing?


BH is a service that lets a member tag a route in order to block DDoS or other malicious traffic.


How does it work?

BH can be used by all members connected to the route servers, or directly between members. A selective BH policy can be applied on the route servers. We rolled out the service in accordance with RFC 7999.


How to use it?

Using the route servers:
By applying the BLACKHOLE community (65535:666) to a prefix, you force its next-hop to the blackhole router. We also apply the NO-EXPORT community to this prefix.
The traffic that was threatening the member is dropped at the edge of the platform, so the attacked port is protected.
BH is available for IPv4 as well as IPv6.
We advise our members to announce prefixes up to /32 in IPv4 and up to /128 in IPv6.

Not using the route servers:
Members can also use this service directly between themselves by changing the next-hop of the Network Layer Reachability Information (NLRI). We advise you to also set the NO-EXPORT community.
 
Additionally, we keep track of all the announced prefixes with the BLACKHOLE community (from the beginning to the end of the announcement).

Information


Paris        IPv4             IPv6
RS1          37.49.236.250    2001:7f8:54::250
RS2          37.49.236.251    2001:7f8:54::251
BH router    37.49.237.0      2001:7f8:54::1:0

Marseille    IPv4             IPv6
RS1          37.49.232.1      2001:7f8:54:5::1
RS2          37.49.232.2      2001:7f8:54:5::2
BH router    37.49.232.253    2001:7f8:54:5::253

BH router MAC address is: 66:66:66:66:66:66

Accepted prefixes

               IPv4          IPv6
Standard       8 < x < 24    19 < x < 48
Blackholing    8 < x < 32    19 < x < 128

Selective routing policies remain unchanged on the route servers. Here are three case studies of our service on the route servers.

Information
ASN France-IX                              51706
ASN Peer X                                 6500X
Blackhole community                        65535:666
Do not announce to Peer X community        0:Peer-as
Announce to Peer X community               51706:Peer-as
Do not announce to all peers community     51706:0
Announce to all peers community            51706:51706

1: Announcement of a prefix with Blackhole community to all members

2: Announcement of a prefix with Blackhole community to one peer (PEER 2)

3: Announcement of a prefix with BLACKHOLE community to all the members except PEER 2 and PEER 3

Reminder: For the service to work properly, members must accept prefixes in line with RFC 7999, in other words up to /32 in IPv4 and up to /128 in IPv6.
