The blackhole service can be used by LU-CIX members to fight against DDoS (Distributed Denial of Service) attacks or malicious traffic.
Architecture and how it works
The blackholing architecture is based on a standalone route-server which, when presented with a prefix tagged for blackholing, re-announces it with a next-hop that resolves to a MAC address filtered on every member port.
What we have in place is:
- a blackhole route-server,
- a blackhole machine/router which has the next-hop address and answers to ARP requests with a predefined MAC address,
- MAC access-lists filtering the predefined MAC address ingress on each member port.
By tagging a prefix with the blackhole community (65535:666) and announcing it to the blackhole route-server, the route-server re-announces the prefix with the next-hop forced to the blackhole router, and with the BLACKHOLE and NO_EXPORT communities set. Members that accept this route resolve the next-hop to the blackhole router's fixed MAC address, so the frames they send towards the blackholed prefix are dropped by the MAC access-list on their own port, i.e. at the edge of the LU-CIX infrastructure.
Please note that blackholing only works for traffic whose *sending* member accepts routes from the blackhole route server: a member without such a session keeps forwarding along its normal, less specific route, and its traffic still reaches the victim.
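The caveat above, as an added example that is not LU-CIX code: a small forwarding model of the peering LAN. The blackhole router address and fixed MAC are the ones listed on this page; the member peering-LAN addresses, MACs, ASNs and prefixes are constructed. Member B has a session with the blackhole route-server and has installed the /32, member C has not; both send a packet to the blackholed host.

```python
"""Forwarding model of the blackhole caveat (added example, not LU-CIX code).
bh.lu-cix.lu address and MAC as listed on the page; members are constructed."""
import ipaddress

BH_NEXT_HOP = "188.8.131.52"        # blackhole router IPv4 address (from the page)
BH_MAC = "66:66:66:66:66:66"        # fixed MAC the blackhole router answers ARP with

# Constructed ARP view of the peering LAN: next-hop IP -> MAC.
ARP = {
    "10.1.1.1": "02:00:00:00:00:01",   # member A (victim), originates 203.0.113.0/24
    "10.1.1.2": "02:00:00:00:00:02",   # member B, peers with rs-bh
    "10.1.1.3": "02:00:00:00:00:03",   # member C, no rs-bh session
    BH_NEXT_HOP: BH_MAC,               # bh.lu-cix.lu answers ARP with the fixed MAC
}

# The /24 every member learns from RS1/RS2, and the /32 that rs-bh re-announced
# with the next-hop forced to the blackhole router after A tagged it 65535:666.
RS_ROUTES = [("203.0.113.0/24", "10.1.1.1")]
BH_ROUTES = [("203.0.113.5/32", BH_NEXT_HOP)]
RIB_B = RS_ROUTES + BH_ROUTES   # B accepts blackhole routes
RIB_C = RS_ROUTES               # C does not


def lookup(rib, dst):
    """Longest-prefix match over a list of (prefix, next_hop) tuples."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]


def ix_port_ingress(dst_mac):
    """MAC ACL applied ingress on every member port: the blackhole MAC never crosses the fabric."""
    return "DROP" if dst_mac.lower() == BH_MAC else "FORWARD"


def send(rib, dst):
    """Outcome of a packet sent by a member with this RIB: (action, destination MAC)."""
    nh = lookup(rib, dst)
    if nh is None:
        return ("NO_ROUTE", None)
    mac = ARP[nh]
    return (ix_port_ingress(mac), mac)


if __name__ == "__main__":
    print("B -> victim:", send(RIB_B, "203.0.113.5"))   # dropped on B's own port
    print("C -> victim:", send(RIB_C, "203.0.113.5"))   # still delivered to A
    print("B -> other :", send(RIB_B, "203.0.113.9"))   # rest of the /24 unaffected
```

The drop happens on the sending member's port, before the frame reaches the fabric, which is why only members that install the /32 stop contributing to the attack; C's traffic still follows the /24 to the victim.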
Announcements are accepted for blackholing if:
- the prefix is more specific than what is allowed on the LU-CIX RS1 and RS2:
  - /26-/32 for IPv4,
  - /49-/128 for IPv6;
- the prefix is tagged with the blackhole community (65535:666);
- the prefix belongs to the announcing member or to one of its customers; a member may NOT announce prefixes of a customer who is itself a member directly connected to LU-CIX.
On accepted prefixes, all received communities are dropped and the BLACKHOLE and NO_EXPORT communities are set (cf. RFC 7999). Note that this does not prevent a member from acting on a received prefix, but it should prevent the member from inadvertently forwarding it beyond its own network.
We advise our members to announce and accept up to /32 netmask prefixes IPv4 and up to /128 in IPv6.
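The acceptance rules above, modelled as an added example that is not LU-CIX code. The blackhole router addresses are the ones listed on this page; the member ASNs, prefixes and peering-LAN addresses are constructed, and the registry of who may announce what is a hypothetical stand-in for whatever source the real route-server uses. It checks prefix length, the 65535:666 tag and ownership (including the "customer who is also a direct member" rule), then strips received communities and forces the next-hop.

```python
"""Model of the rs-bh acceptance policy (added example, not LU-CIX code).
bh.lu-cix.lu addresses as listed on the page; members and prefixes are constructed."""
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE = (65535, 666)     # RFC 7999 BLACKHOLE community
NO_EXPORT = (65535, 65281)   # well-known NO_EXPORT community
BH_NEXT_HOP = {4: "188.8.131.52", 6: "2001:7f8:4c::ffff:aaaa"}   # blackhole router
LENGTH_RANGE = {4: (26, 32), 6: (49, 128)}                       # accepted prefix lengths


@dataclass
class Announcement:
    member: str                  # announcing member (hypothetical ASN strings)
    prefix: str
    next_hop: str
    communities: set = field(default_factory=set)


# Constructed registry. AS64501 is a direct LU-CIX member and also a customer of
# AS64500, so AS64500 may not blackhole AS64501's space; AS64501 must do it itself.
MEMBER_PREFIXES = {
    "AS64500": ["203.0.113.0/24", "2001:db8:1::/48"],
    "AS64501": ["198.51.100.0/24"],
}
CUSTOMER_PREFIXES = {
    "AS64500": ["192.0.2.0/24", "198.51.100.0/24"],
}


def _covered(net, prefixes):
    """True if net lies inside any of the given prefixes of the same address family."""
    for p in prefixes:
        cover = ipaddress.ip_network(p)
        if cover.version == net.version and net.subnet_of(cover):
            return True
    return False


def reject_reason(ann):
    """Return None if the announcement is accepted, otherwise why it is rejected."""
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError as e:
        return f"malformed prefix: {e}"
    lo, hi = LENGTH_RANGE[net.version]
    if not lo <= net.prefixlen <= hi:
        return f"/{net.prefixlen} outside /{lo}-/{hi}"
    if BLACKHOLE not in ann.communities:
        return "not tagged with 65535:666"
    # A customer that is itself a directly connected member announces for itself.
    for other, prefixes in MEMBER_PREFIXES.items():
        if other != ann.member and _covered(net, prefixes):
            return f"prefix belongs to directly connected member {other}"
    own = MEMBER_PREFIXES.get(ann.member, []) + CUSTOMER_PREFIXES.get(ann.member, [])
    if not _covered(net, own):
        return "prefix not registered to the member or its customers"
    return None


def reannounce(ann):
    """What rs-bh re-announces to members, or None if the prefix was rejected.

    Received communities are stripped, BLACKHOLE and NO_EXPORT are set and the
    next-hop is forced to the blackhole router of the matching address family."""
    if reject_reason(ann) is not None:
        return None
    version = ipaddress.ip_network(ann.prefix).version
    return Announcement(member="rs-bh", prefix=ann.prefix,
                        next_hop=BH_NEXT_HOP[version],
                        communities={BLACKHOLE, NO_EXPORT})


if __name__ == "__main__":
    for a in [
        Announcement("AS64500", "203.0.113.5/32", "10.1.1.1", {BLACKHOLE, (64500, 100)}),
        Announcement("AS64500", "203.0.113.0/24", "10.1.1.1", {BLACKHOLE}),
        Announcement("AS64500", "198.51.100.7/32", "10.1.1.1", {BLACKHOLE}),
        Announcement("AS64500", "2001:db8:1::1/128", "2001:7f8:4c::1", {BLACKHOLE}),
    ]:
        print(a.prefix, "->", reject_reason(a) or reannounce(a))
```

The ownership check runs the "other direct member" rule before the member's own registry, so a customer prefix that also belongs to a direct member is refused even though it appears in the announcer's customer list.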
Blackhole route-server:
- Name: rs-bh.lu-cix.lu
- IPv4 address: 126.96.36.199
- IPv6 address: 2001:7f8:4c::ffff:6
Blackhole router (next-hop of blackholed prefixes):
- Name: bh.lu-cix.lu
- IPv4 address: 188.8.131.52
- IPv6 address: 2001:7f8:4c::ffff:aaaa
- Fixed MAC address: 66:66:66:66:66:66
How much does the blackhole service cost?
- No additional cost.
For the service to work properly, members must accept prefixes as per RFC 7999 on their session with the blackhole route-server, in other words up to /32 for IPv4 and up to /128 for IPv6.
To make the service valuable for the entire LU-CIX community, we recommend that members set up a BGP session with the blackhole route-server to accept blackhole routes as described above, and also have that session ready and tested for blackholing their own prefixes, so that the service can be activated quickly while under attack.
In case of questions please contact: support[at]lu-cix[dot]lu