Table of Contents

Blackholing Insights

Joseph Thorwest Updated by Joseph Thorwest

This article introduces you to our Blackholing Insights. With the Blackholing Insights, you get visual support when countering DDoS attacks while using Blackholing at DE-CIX.

The tool offers various statistics and insights into traffic affected by the Blackholing rules you've set. Traffic that is no longer visible to you, due to dropping (classical Blackholing) or filtering (Blackholing Advanced) is visualized on the dashboard.

The visualization is limited to the last four days. Traffic heading to any prefix with an active Blackholing rule is visualized. These statistics help you understand:

  • Where a DDoS attack originates
  • If the attack is ongoing
  • If attack parameters have changed
  • What traffic is affected by your Blackholing setup

Locations

Blackholing Insights is currently available for the following locations:

  • Dusseldorf
  • Frankfurt
  • Hamburg
  • Istanbul
  • Lisbon
  • Madrid
  • Madrid
  • Marseille
  • Munich
  • New York

What you can see on the dashboard

The following can be seen on the Blackholing Insights dashboard:

1. Time Picker

The time picker enables to choose a specific time span of interest. Data is available for a maximum of four days, regardless of the possibility to select different time periods. It is also possible to auto refresh the statistics. Data appears in the statistics about 30 seconds after their detection on the DE-CIX platform.

2. Filter

You can filter all statistics on the dashboard by parameters such as:

  • IXP ID (location)
  • Rule
  • Protocol
  • AS Number

The most convenient way to accomplish this is by selecting any preferred filter directly from a statistic by selecting "-" or "+" after you click on an item. Any active filter is displayed in "2." on the top left of the dashboard. From this location you can remove or adjust them.

3. Classical Blackholing Rules

This is a counter showing the number of classical Blackholing rules that this statistic tool is aware of. When changing the time picker to not include the latest minute, these statistics are empty. In case of uncertainty have a look into the DE-CIX looking glass for cross validation.

4. Advanced Blackholing Rules

This is a counter showing the number of Advanced Blackholing rules that this statistic tool is aware of. When changing the time picker to not include the latest minute, these statistics are empty. Again, in case of uncertainty one should have a look into the DE-CIX looking glass for cross validation.

5. Blackholed traffic

This table shows the traffic accounted to specific Blackholing rules, any item in the list can be used as filter for the dashboard. For classical Blackholing, it only shows the prefix. For Advanced Blackholing, it also displays additional attributes. For each active rule the combined volume of traffic and the IXP location is shown. ​

Limitations: Technically it is not possible to precisely map which packets are affected by rate limiting in the case of Blackholing Advanced. Therefore, any traffic matching the general rule is displayed. Additionally, also traffic matching an "allow" rule is displayed.

6. Traffic per Rule Histogram

These two prefix traffic histogram show traffic rates (in bits per second and packets per second) over time. The traffic is accounted per prefix according to the active blackhole rules. Data is available for a maximum of four days.

7. Packets per Rule Histogram

Traffic rates in packets per second over the course of time are depicted in the two prefix traffic histograms. The traffic is accounted per prefix according to the active blackhole rules. In comparison to to "6. Traffic per Rule Histogram" this statistic is able to provide a more fine-grained resolution down to seconds and therefore is able to show short bursts traffic. Data is available for a maximum of four days.

8. Top traffic relations

This sankey diagram depicts the top peers/neighbours the traffic towards your blackholed prefixes is coming from. This might help to identify the peers sending most attack traffic and to adjust the blacking rule by using action communities as "redistribute to". Note that only classical blackholing rules supports BGP action communities. Backholing Advanced does not support action communities to date.

9. Source Networks

This statistic provides a more detailed look onto the source of the traffic. In addition to the statistic "8. Top traffic relations", this statistic shows the true Internet source (origin) in the context to the forwarding by the direct peers/neighbours before the traffic reached the blackholed prefix. The inner ring provides details about the traffic share received from direct peers/neighbours in comparison to the outer ring, which provides the traffic share of the Internet source (origin of the traffic).

10. Packets source world map

This heat map visualizes the geographical distribution of the traffic's origin. For reflective DDoS attacks, you can see the traffic originating countries. This might be helpful while defending a DDoS attack. However, in the case of DDoS attacks sending attack traffic directly towards a blackholed prefix with spoofed source IP addresses, the geographical source may not be useful.

11. Number of Destination and Source IPs

These two statistics show the number of unique source and destination IP addresses.

12. Top source and destination Ips

This overview displays the share of traffic volume attributed to specific source and destination IP addresses in your blackholed traffic.

13. Top source and destination ports

This overview displays the share of traffic volume attributed to specific source and destination ports in your blackholed traffic.

14. IP versions and protocols

This overview displays the share of traffic volume by IP protocol (e.g., UDP, TCP, ICMP) and IP version within the blackholed traffic.

15. Active Blackholes

This statistic shows all blackholing rules that are currently visible on the platform. In comparison to the statistic in "5. Blackholed traffic", also rules that don't receive any traffic are displayed. The filed "bhVersion" refers to a:

  • 2 = "Blackholing Advanced" rule.
  • 1 = "Classical Blackholing" rule.

This table can be empty if the last minute is not covered by the selected time span by "1. Time Picker". Again, in case of uncertainty one should have a look into the DE-CIX looking glass for cross validation.

16. Inactive Rules (over limit)

The default rule limit for Blackholing Advanced is 20 rules per service. This table shows rules that haven't been activated due to exceeding this limit. If your individual limit has been extended, the table reflects this accurately, showing only the rules that weren't installed.

If you have any questions regarding the Blackholing Insights or if you encounter any problems, please do not hesitate to get in touch with our customer service.

How did we do?

Contact