Remotely-Triggered BlackHole : stopping DDOS traffic before the edge

When you are confronted with a DDOS, what’s better than to duck and cover? Not having to duck at all.

How can you achieve this? By working with your IP-transits and using a Remotely-Triggered Black Hole (RTBH). More often than not, IP transits offer this as a complementary service.

A remotely-triggered black hole allows you to make an upstream AS discard or null-route traffic for the prefixes you specify. This means that instead of having your links towards the IP transits suffer the consequences of a DDOS attack, the IP-transits filter all traffic towards the prefix for you. Regardless of how exactly it is implemented, the following is an example of what you can achieve with RTBH:

How does this usually work? Most IP-transits offer documentation on this matter, providing you with an overview of how to accomplish this. Some will require you to tag the announcement with a certain community. Others will want you to set up a separate EBGP multihop session.

Chances are that you are not relying on a single IP-transit, so you’ll be confronted with several guidelines that you’ll have to follow. Apart from that, you’ll also want to be able to use RTBH at the places where you connect to an IX and in the rest of your network. Ideally, you can log in to 1 device and initiate RTBH for all these different places:

Implementing this is not that hard. Choosing the best device to accomplish this will depend largely on your network. You can choose to simply use an MX or you can choose to use some sort of DDOS mitigation device.

Let’s take a look at an example where it is implemented from an MX router:

In the following configuration example, the MX will trigger RTBH-filtering for two IP transits and the internal network whenever a static route like the following is configured on the router:

set routing-options static route 1.1.1.1/32 discard
set routing-options static route 1.1.1.1/32 no-install
set routing-options static route 1.1.1.1/32 tag 1600

By using different policies, we will make the MX trigger RTBH-routing. First, to have the MX trigger RTBH-routing for the internal network, we could add the following term to the routing policy that is exported towards the IBGP neighbors:

set policy-options policy-statement ibgp term rtbh-routing from protocol static
set policy-options policy-statement ibgp term rtbh-routing from tag 1600
set policy-options policy-statement ibgp term rtbh-routing then next-hop 10.0.0.1
set policy-options policy-statement ibgp term rtbh-routing then accept

Obviously, the term needs to be placed before any other term that could match the route. The next-hop rewrite only results in a black hole if every internal router resolves 10.0.0.1 to a discard route, so that needs to be in place beforehand.

On to the RTBH-filtering with the IP-transits. To do this, we need to configure a community, create EBGP multihop sessions and a corresponding policy that will match the static route. The route-filter in these policies makes sure that only /32 host routes are ever announced towards the transits:

set policy-options community rtbh members 500:500

set policy-options policy-statement rtbh term rtbh from protocol static
set policy-options policy-statement rtbh term rtbh from tag 1600
set policy-options policy-statement rtbh term rtbh from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement rtbh term rtbh then accept

set policy-options policy-statement rtbh-com term rtbh from protocol static
set policy-options policy-statement rtbh-com term rtbh from tag 1600
set policy-options policy-statement rtbh-com term rtbh from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement rtbh-com term rtbh then community add rtbh
set policy-options policy-statement rtbh-com term rtbh then accept

set protocols bgp group rtbh type external
set protocols bgp group rtbh multihop ttl 255
set protocols bgp group rtbh local-address 192.168.200.1
set protocols bgp group rtbh import reject-all
set protocols bgp group rtbh family inet unicast
set protocols bgp group rtbh export ebgp-iptransit
set protocols bgp group rtbh remove-private

set protocols bgp group rtbh neighbor 192.168.1.1 description "RTBH community"
set protocols bgp group rtbh neighbor 192.168.1.1 peer-as 1
set protocols bgp group rtbh neighbor 192.168.1.1 authentication-key "$kloisN-Ygo"
set protocols bgp group rtbh neighbor 192.168.1.1 export rtbh-com

set protocols bgp group rtbh neighbor 192.168.2.1 description "RTBH no community"
set protocols bgp group rtbh neighbor 192.168.2.1 peer-as 2
set protocols bgp group rtbh neighbor 192.168.2.1 authentication-key "$klos-Ygo"
set protocols bgp group rtbh neighbor 192.168.2.1 export rtbh
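To see how the three policies above treat a triggered route, here is an added example (not part of the original post, and not Junos code) that models the terms as Python functions and builds the trigger commands. It uses the values from the post (tag 1600, community 500:500, internal next-hop 10.0.0.1, the two neighbor addresses); the list of the operator's own prefixes and the sanity check in trigger_commands are hypothetical additions, meant to stop an operator from accidentally black-holing a whole /24 or a prefix that is not theirs.

```python
"""Model of the post's Junos policies plus a guarded RTBH trigger (added example)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

RTBH_TAG = 1600                        # tag on the triggering static route
RTBH_COMMUNITY = "500:500"             # policy-options community rtbh
INTERNAL_DISCARD_NEXTHOP = "10.0.0.1"  # ibgp term rtbh-routing then next-hop


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str
    tag: Optional[int] = None
    next_hop: Optional[str] = None
    communities: frozenset = frozenset()


def _is_trigger(route: Route, host_only: bool) -> bool:
    """from protocol static / from tag 1600 / optional route-filter /32-/32."""
    if route.protocol != "static" or route.tag != RTBH_TAG:
        return False
    if host_only and ipaddress.ip_network(route.prefix).prefixlen != 32:
        return False
    return True


def policy_ibgp(route: Route) -> Optional[Route]:
    """Term rtbh-routing of the ibgp policy: rewrite the next-hop and accept."""
    if not _is_trigger(route, host_only=False):
        return None  # term does not match; evaluation falls through
    return replace(route, next_hop=INTERNAL_DISCARD_NEXTHOP)


def policy_rtbh(route: Route) -> Optional[Route]:
    """Policy rtbh: the transit black-holes everything it receives on this session."""
    if not _is_trigger(route, host_only=True):
        return None
    return route


def policy_rtbh_com(route: Route) -> Optional[Route]:
    """Policy rtbh-com: same match, but the blackhole community is attached."""
    if not _is_trigger(route, host_only=True):
        return None
    return replace(route, communities=route.communities | {RTBH_COMMUNITY})


# Neighbor-level export overrides the group-level export in the post's config.
NEIGHBORS = {
    "internal-ibgp": policy_ibgp,
    "192.168.1.1": policy_rtbh_com,  # peer-as 1, "RTBH community"
    "192.168.2.1": policy_rtbh,      # peer-as 2, "RTBH no community"
}


def exports_for(route: Route) -> Dict[str, Optional[Route]]:
    """What each session would announce for `route` (None = not announced)."""
    return {name: policy(route) for name, policy in NEIGHBORS.items()}


def trigger_commands(prefix: str, own_prefixes: List[str]) -> List[str]:
    """Build the three set lines that start RTBH. Hypothetical guard: refuse
    anything that is not a /32 inside the operator's own address space."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen != 32:
        raise ValueError(f"{prefix}: RTBH trigger must be a /32 host route")
    if not any(net.subnet_of(ipaddress.ip_network(p)) for p in own_prefixes):
        raise ValueError(f"{prefix}: not inside our own announced space")
    base = f"set routing-options static route {net}"
    return [f"{base} discard", f"{base} no-install", f"{base} tag {RTBH_TAG}"]


if __name__ == "__main__":
    # Constructed input: the victim address from the post, inside a made-up /24.
    victim = Route("1.1.1.1/32", "static", tag=RTBH_TAG)
    for session, result in exports_for(victim).items():
        print(session, "->", result)
    print("\n".join(trigger_commands("1.1.1.1/32", ["1.1.1.0/24"])))
```

Running it shows the asymmetry worth knowing about: a tagged static /24 would still be announced internally with the discard next-hop (the ibgp term has no route-filter), but neither transit would receive it, because the route-filter in rtbh and rtbh-com only accepts host routes.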

This way, you can trigger RTBH by configuring a static route on only 1 router. You will immediately filter in as many places as possible, improving the security of the network. You will be left with one last problem when you initiate RTBH-routing during a DDOS: you cannot see when the DDOS is over.

13-6-2015