UAE-IX Blackholing Guide
Blackholing is typically used to fight massive DDoS attacks which congest the physical connection between UAE-IX and a customer router. A detailed description of how Blackholing works at UAE-IX is available here.
Besides signaling a blackhole via direct peering, you can signal blackholes via the route servers at UAE-IX.
Blackholing via direct peering
You have to set the corresponding next-hop manually (see the table below) when signaling a blackhole on a direct peering session. Please also ask your peers to accept prefixes up to /32 for IPv4 and up to /128 for IPv6 from you, so that the service can work correctly.
Blackholing via the Route Servers
The re-distribution of BGP announcements by the Blackholing route server can be controlled the same way as with conventional route servers.
If you want to blackhole a certain IP prefix by using the conventional or Blackholing route servers, there are two ways of achieving this:
- The BGP announcement carrying the IP prefix that should be blackholed is marked with the BLACKHOLE BGP Community (65535:666). This is the recommended way as it makes the handling a lot easier.
- The BGP announcement carrying the IP prefix that should be blackholed contains as next-hop a pre-defined blackhole IP address. The table below lists the IPv4 and IPv6 blackhole IP addresses for UAE-IX and interconnected IXPs:
| IXP | Blackhole Next-Hop IP address IPv4 | Blackhole Next-Hop IP address IPv6 | BGP BLACKHOLE Community |
|---|---|---|---|
Please do not set the NO-EXPORT or NO-ADVERTISE Community on the BGP announcements marked as blackhole as this tells the route servers to not re-distribute this announcement. The route servers will add NO-EXPORT automatically.
Configuration examples of how to set up a BGP session to the Blackholing route server can be found in the UAE-IX Route Server Guide.
Blackholing via the dedicated Blackholing Route Servers
The idea behind providing a dedicated Blackholing route server is that some router vendors cannot make the acceptance of /32 (IPv4) or /128 (IPv6) BGP announcements conditional on the presence of the BLACKHOLE BGP community or of a particular next hop. With a dedicated Blackholing route server, peers can (and should) accept /32 (IPv4) or /128 (IPv6) announcements from this route server without having to change the BGP sessions to the conventional route servers.
The Blackholing route server consists of one machine. The software utilized to provide the Blackholing route server service is BIRD.
The Blackholing route server is connected to the conventional route server system. All BGP announcements marked as blackholes (e.g. by setting the next hop to the pre-defined Blackholing IP address, or by tagging the announcement with the BLACKHOLE BGP Community) that are received by the conventional route server system or by the Blackholing route server are automatically redistributed to the other route server system.
If the Blackholing route server receives a BGP announcement marked as a blackhole, the NO-EXPORT community and the BLACKHOLE community are added if they are not already present. This makes sure that each BGP announcement marked as a blackhole can be easily filtered and does not spread widely in the Internet routing system.
The Blackholing route server accepts only BGP announcements marked as blackholes. If a BGP announcement is not marked as a blackhole, the announcement is rejected. The reason for this is that UAE-IX wants to make sure that if by accident BGP announcements are leaked to the Blackholing route server, no blackholes are triggered.
The following matrix summarises the Blackholing features available at the conventional and at the Blackholing route server systems:
| Feature | rs1 / rs2 | rsbh |
|---|---|---|
| Support for Blackholing | yes | yes |
| BLACKHOLE BGP Community (RFC7999) support for signalling a blackhole | yes | yes |
| Automatic BGP next-hop rewrite to pre-defined blackhole IP for BGP announcements marked as blackholes | yes | yes |
| Dedicated BGP session for blackhole announcements: restrict your filters to blackholes only and safely accept up to /32 (IPv4) and /128 (IPv6) | no | yes |
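As an added illustration (not UAE-IX or BIRD code), the following Python models the rules described above and summarised in the matrix: both signalling methods, the NO-EXPORT/NO-ADVERTISE rule, the automatic next-hop rewrite, the rejection of unmarked announcements on rsbh, and a peer-side import filter that safely accepts host routes only from the dedicated session or when marked. The blackhole next-hop addresses and the ordinary per-family prefix-length limits are assumed placeholders, not the values from the guide's table.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Well-known communities as (ASN, value). BLACKHOLE is 65535:666 as on the page;
# NO_EXPORT (0xFFFFFF01) and NO_ADVERTISE (0xFFFFFF02) are the RFC 1997 values.
BLACKHOLE = (65535, 666)
NO_EXPORT = (65535, 65281)
NO_ADVERTISE = (65535, 65282)
# Assumed placeholder blackhole next-hops (documentation prefixes); the real
# UAE-IX values are in the guide's table.
BLACKHOLE_NEXT_HOP = {4: "192.0.2.66", 6: "2001:db8::66"}

@dataclass
class Announcement:
    prefix: str
    next_hop: str
    communities: frozenset = field(default_factory=frozenset)

def is_marked_blackhole(a: Announcement) -> bool:
    """Either signalling method from the guide: community or blackhole next-hop."""
    return BLACKHOLE in a.communities or a.next_hop in BLACKHOLE_NEXT_HOP.values()

def route_server_export(a: Announcement, dedicated: bool):
    """What rs1/rs2 (dedicated=False) or rsbh (dedicated=True) redistributes:
    the rewritten announcement, or None when it is not redistributed."""
    if a.communities & {NO_EXPORT, NO_ADVERTISE}:
        return None  # the sender asked the route server not to redistribute it
    if not is_marked_blackhole(a):
        # rsbh accepts only blackholes, so a leaked ordinary route triggers nothing
        return None if dedicated else a
    family = ip_network(a.prefix, strict=False).version
    return Announcement(
        prefix=a.prefix,
        next_hop=BLACKHOLE_NEXT_HOP[family],                 # automatic next-hop rewrite
        communities=a.communities | {BLACKHOLE, NO_EXPORT},  # added if not present
    )

def peer_import(a: Announcement, from_rsbh: bool, max_len: dict = None) -> bool:
    """Peer-side import filter. The rsbh session carries blackholes only, so any
    length is safe there; elsewhere host routes are accepted only when marked."""
    net = ip_network(a.prefix, strict=False)
    if from_rsbh:
        return is_marked_blackhole(a)
    limits = max_len or {4: 24, 6: 48}  # assumed ordinary per-family limits
    return net.prefixlen <= limits[net.version] or is_marked_blackhole(a)
```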