
Blackholing Advanced

Updated by Tim Witt

This article explains the Blackholing Advanced service, detailing its features, usage scenarios, and how it allows for more granular control in mitigating specific types of traffic during DDoS attacks.

How it works

The current DE-CIX Blackholing service can completely block traffic to destination IP addresses under attack. However, this takes the destination completely offline and means the attacker wins.

With the Blackholing Advanced service, you can now block specific types of IP packets or target smaller sets of IP addresses, including individual addresses. This feature is not activated by default. To use it, activate the service here for your access service.

IP in the following documentation always means IPv4 or IPv6 – the service is the same for both.

When to use Blackholing Advanced

To use Blackholing Advanced, you need to analyze the attack and identify the targeted IP addresses and, ideally, the specific packet types to block. Many DoS or DDoS attacks involve only one packet type, such as TCP or UDP packets with specific destination or source port numbers.

Once you've analyzed the attack, verify if DE-CIX can block the packet type (see the list below). If we can't block that specific type, you can block the next broader type, such as all UDP traffic.

Requirements for using the service

The service uses extended communities according to RFC 4360. Your router must tag the prefixes to be blackholed with the extended communities described below and announce them to one or all of the DE-CIX route servers.

The list below shows all rules the Blackholing Advanced feature currently offers. If you think any blocking rules should be added, you are very welcome to contact us (blackholingadvanced@de-cix.net) and let us know – we need your feedback to improve our service! Although we cannot simply add new rules on the fly, we may consider them in future service updates.

Available Blackholing Advanced rules

Multiple rules are currently available. You can use them to block specific IP packets using Extended BGP Communities. This service allows you to either drop or shape packets (reduce them to 5 Mbps). Moreover, it is possible to exempt certain packets from dropping or shaping. This allows you to, for example, drop all UDP packets for a specific IP while still letting DNS traffic pass.

A full list of the existing rules can be found here.

The following table lists some examples of existing rules. The Drop Community drops all packets matching the rule; the Shape Community shapes all packets matching the rule to max. 5 Mbps.

Rule                                  Drop Community       Shape Community
All traffic                           RT:6695:4200000000   RT:6695:4200000001
UDP                                   RT:6695:4200000002   RT:6695:4200000003
UDP, source port = 0 (unassigned)     RT:6695:4200000004   RT:6695:4200000005
UDP, source port = 19 (CharGen)       RT:6695:4200000006   RT:6695:4200000007
UDP, source port = 53 (DNS)           RT:6695:4200000008   RT:6695:4200000009
UDP, source port = 123 (NTP)          RT:6695:4200000010   RT:6695:4200000011
UDP, source port = 389 (LDAP)         RT:6695:4200000012   RT:6695:4200000013
UDP, source port = 11211 (Memcached)  RT:6695:4200000014   RT:6695:4200000015

Please note: In the rules that list a port, we match against that specific source port and any destination port. If the rule you need is not available, please let us know by sending an email to blackholingadvanced@de-cix.net. We add new rules if enough demand exists, but the system can't handle an unlimited number of rules, so some restrictions apply.

Minimal Setup

For a minimal setup, you can

  • Add the extended community (RT:6695:4200000000) to your existing blackholing announcements. This mimics standard blackholing but filters 100% reliably.
  • Add the extended community (RT:6695:4200000002) to your existing blackholing announcements. This filters all UDP traffic. UDP traffic makes up 80% of DDoS traffic at DE-CIX, so this filter most likely solves all DDoS problems on your port.

Service restrictions:
  • Rule Limit: The number of filters per GlobePEER service is limited to 20 rules due to hardware constraints. Each prefix/community combination counts as one rule. For example, announcing three /32 IPv4 prefixes with two communities each counts as six rules. This limit applies to IPv4 and IPv6 rules combined. You don’t get a warning if you exceed 20 rules; newer rules override older ones.
  • Debugging: You can verify whether your communities are accepted by our route servers by using the DE-CIX Looking Glass. The filter communities are tagged. Please note that the Looking Glass does not provide you with feedback on when and whether the rule applies. You can retrieve this, along with the characteristics of dropped traffic, in the Blackholing Insights tool.
  • IRR/RPKI: The prefix you blackhole must be covered by IRR entries and/or RPKI entries. More specifics than /24 (v4) and /48 (v6) are accepted.
  • ARP: Standard ARP traffic shaping must be deactivated when you use this service, so if you blackhole IP addresses you might receive more ARP traffic.
  • Shaping: Traffic shaping allows up to 5 Mbps for the given rule. You can request a different shaping bandwidth by contacting blackholingadvanced@de-cix.net.
  • Update frequency: Because the service relies on filters on our devices, there is typically a delay of 30 to 180 seconds between announcing a prefix with blackholing communities and the filter becoming active.
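To make the requirements above concrete (RFC 4360 encoding of the RT communities from the table, the minimal setup, and the 20-rule budget of the Rule Limit), here is an added Python example; it is not DE-CIX code and does not talk to any router. The prefixes are constructed documentation addresses, and the rule names and helper functions are this example's own.

```python
import ipaddress
import struct

DECIX_AS = 6695
RULE_LIMIT = 20  # rules per GlobePEER service, IPv4 and IPv6 combined

# Drop / shape community values from the table above (the value part of RT:6695:<value>).
RULES = {
    "all": (4200000000, 4200000001),
    "udp": (4200000002, 4200000003),
    "udp_sport_0": (4200000004, 4200000005),
    "udp_sport_19": (4200000006, 4200000007),
    "udp_sport_53": (4200000008, 4200000009),
    "udp_sport_123": (4200000010, 4200000011),
    "udp_sport_389": (4200000012, 4200000013),
    "udp_sport_11211": (4200000014, 4200000015),
}

def rt_community(asn, value):
    """Two-Octet AS Specific Route Target (RFC 4360): type 0x00, sub-type 0x02,
    2-byte AS number, 4-byte local value; 8 bytes on the wire."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, value)

def community_for(rule, action):
    """Return the RT string as written in the table plus its wire encoding."""
    drop, shape = RULES[rule]
    value = {"drop": drop, "shape": shape}[action]
    return f"RT:{DECIX_AS}:{value}", rt_community(DECIX_AS, value)

def plan_announcements(announcements):
    """announcements maps a prefix to a list of (rule, action) pairs.
    Every prefix/community pair is one rule against the 20-rule limit."""
    entries = []
    for prefix, wanted in announcements.items():
        net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set
        for rule, action in wanted:
            rt, wire = community_for(rule, action)
            entries.append((str(net), rt, wire.hex()))
    return {"entries": entries, "rule_count": len(entries),
            "within_limit": len(entries) <= RULE_LIMIT}

if __name__ == "__main__":
    # Constructed sample: three /32s with two communities each = 6 rules (documentation addresses)
    sample = {
        "192.0.2.10/32": [("all", "shape"), ("udp", "drop")],
        "192.0.2.11/32": [("all", "shape"), ("udp", "drop")],
        "192.0.2.12/32": [("all", "shape"), ("udp", "drop")],
    }
    for entry in plan_announcements(sample)["entries"]:
        print(*entry)
```

Running the script prints one line per prefix/community pair with the RT string and its hex encoding, so you can compare the count against the limit before announcing.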

Disclaimer

We are currently in the beta version of the new DE-CIX Blackholing Advanced service, which is still undergoing final testing. We provide the service on an as-is and as-available basis.

Important:

DE-CIX does not give any warranties, whether expressly or implied, as to the suitability or usability of the service. To the extent permitted by law, DE-CIX will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party as a result of their use of this service.

Any interaction is done at the customer’s own risk and the customer will be solely responsible for any damage to any computer system or loss of data that results from such activities. Liability for damages will be solely restricted to intent and gross negligence.

Should you encounter any bugs, glitches, lack of functionality or other problems of the service, please let us know immediately by notifying us at blackholingadvanced@de-cix.net so we can rectify these accordingly. Your help in this regard is greatly appreciated.
