DE-CIX/DaaS GlobePEER Blackholing Guide

Tim Witt Updated by Tim Witt

This guide covers the Blackholing Classic Service for DE-CIX and DE-CIX as a Service (DaaS) locations only. If you need more advanced and reliable filtering features, please refer to the Blackholing Advanced service documentation.

Blackholing is typically used to fight massive DDoS attacks which congest the physical connection between DE-CIX and a customer router. A detailed description of how Blackholing works at DE-CIX is available here (PDF).

Blackholing via direct peering

You have to set the corresponding next-hop manually when signaling a Blackhole on a direct/bilateral peering session. Please also ask your direct peers to accept up to /32 for IPv4 and up to /128 for IPv6 from you, for allowing the service to work correctly. The next-hop IPs can be found in table at DE-CIX and DaaS GlobePEER Service Info.

Blackholing via the route servers

If you want to blackhole a certain IP prefix by using the route servers, there are two ways of achieving this:

  • The BGP announcement carrying the IP prefix that should be blackholed is marked with the BLACKHOLE Community (65535:666). This is the recommended way as it makes the handling a lot easier.
  • The BGP announcement carrying the IP prefix that should be blackholed contains as next-hop a pre-defined Blackhole IP address. The table at DE-CIX and DaaS GlobePEER Service Info also lists the IPv4 and IPv6 Blackhole IP addresses for DE-CIX and interconnected IXPs.

Please do not set the NO_EXPORT or NO_ADVERTISE Community on the BGP announcements marked as Blackhole as this tells the route servers not to re-distribute this announcement. The route servers will add NO_EXPORT automatically.

How did we do?

Blackholing Advanced

Get in touch