Remote Triggered Black Hole (RTBH) Routing to Mitigate DDOS


Remote Triggered Black Hole (RTBH) Routing to Mitigate DDOS

Border Gateway Protocol (BGP) is the protocol, which is designed to share routing, reachability and some other information among autonomous systems (AS). Border Gateway Protocol’s concepts and implementation were defined in RFC 1654. This RFC was made obsolete by RFC 1771 and RFC 4271. Autonomous System Numbers (ASNs) are assigned by Internet Assigned Numbers Authority (IANA) and creation, selection, and registration of an Autonomous System (AS) was defined in RFC 1930 and best current practice shown in BCP 6.

As is known, our country has been experiencing DDOS attacks for a week due to political distortions. Most of these attacks were originated from outside of the country, some of them from botnets in Turkey. Even though it is impossible to prevent the effects of DDOS attacks completely, throughout whole week, we observe how unsuccessful misconfigured DDOS boxes and BGP announces are.

In this blog post, I am going to talk about how to implement remote triggered black hole (RTBH) to mitigate the effect of the attacks. While facing with a volumetric DDOS attack that we couldn’t handle by using DDOS box and other conventional methods, the best way to mitigate the effects of the attack is stop the exporting of your IP subnets to the outside of the country by using (RTBH) filtering .

Assume a topology pictured below;

Picture1- Test Topology


Also assume that;

  • We have multi-homed Internet Service Provider (ISP) topology,
  • Subnets are and,
  • Our ASN is 65000,
  • ISP1 and ISP2’s ASNs are 100 and 200 respectively,
  • Our public subnet, which is announced to ISPs is,
  • Our default BGP configuration is following.

Step 1 : Creating Black Hole Community

ISPs are using 444 community for /24 and lower prefix lengths. And then, we need to inject our black hole community to our BGP neighbor. ie.100:444, 200:444.

Step 2 : Export Rule Modification 

As seen above, we have export rules assigned to both ISPs, named as ISP[1-2]_OUT. We need to modify our export rule to trigger our black hole request. There are several ways to prepare trigger method. One of them is modifying the prefix-list every time, the other one I am going to use is triggering by static route is very practical.

It is very critical to choose the unused tag and locate the blackhole rules at the top of export rule.

To insert the rules at the top ;

Now, we are ready to trigger the action!

Step 3: Triggering the Configuration

Our blackhole term of export rule was configured to always look for a static routes with the tag 444. So, it is must to commit a static route to tag the DDOS infected subnet.

Step 4: Observing the Result

In order to observe the effects of this trick, we use looking glass tools of the global ISPs such as TATA (AS6453), Telecom Italia Sparkle Seabone (AS6762), Telia (AS1299). If your configuration was successful, you won’t see any AS_path available on foreign ISPs’ looking glass. On the contrary,  In Superonline (AS 34984) and TurkTelekom (AS 9121) looking glass, there are going to be AS_path available.

To sum up, brief explanation of the whole steps are;

  • We set a static route which stamps our subnets with a tag 444.
  • Our export rules are always looking for a criteria that is a static route with 444 tag. If a matching  found, then inject it to the black hole community.
  • Then our export rules is going to announce the community to both ISPs.
  • And then, Internet service provider stops the announce of the our subnet towards to out side of our country.

If you have a question, please do not hesitate to ask me by leaving a comment.

Edit : Please also note that it is needed to have no-export rule configuration on your internet service provider side.

Best regards.


Please enter your comment!
Please enter your name here