How it works
The current DE-CIX Blackholing service can completely block traffic to destination IP addresses under attack. However, this takes the destination completely offline and means the attacker wins.
In our new, more finely tunable Blackholing Advanced service, it is possible to block only certain types of IP packets and to blackhole a smaller set of IP addresses, right through to individual ones. The feature is not activated by default. If you want to use the Blackholing Advanced feature please activate the service here for your access service.
IP in the following documentation always means IPv4 or IPv6 – the service is the same for both.
When to use Blackholing Advanced
Using Blackholing Advanced requires that you have analyzed the attack and know at minimum the targeted IP space and ideally you know what kind of packets should be blocked. Quite often DoS or DDoS attacks consist only of one type of IP packet – e.g. only TCP, or only UDP packets with a specific destination or source port ID. Once you have analyzed the attack, you can check whether DE-CIX can block this type of traffic (see below for a list). If we cannot block the specific packet type, you can choose the next more general type of packet, for instance blocking all UDP traffic.
Requirements for using the service
The service uses extended communities according to RFC4360. Your router must tag the prefixes to be blackholed with the extended communities described below and announce them to any/all of the DE-CIX route server(s). The list below shows all rules the Blackholing Advanced feature currently offers. If there are any blocking rules you think should be added, you are very welcome to contact us (email@example.com) and let us know – we need your feedback to improve our service! Although we cannot simply add new rules on the fly, we might add it in a future release of the service.
Available Blackholing Advanced rules
There are multiple rules currently available. They can be used to block specific IP packets by using Extended BGP Communities to initiate the service. It is possible to drop packets or to shape (reduce) packets to 5 Mbps. Moreover, it is possible, to exempt certain packets from dropping or shaping. This allows to, e.g., drop all UDP packets for a specific IP while letting DNS traffic still pass. In the following you find some examples of existing rules.
A full list of the existing rules can be found here.
UDP, source port = 0 (unassigned)
UDP, source port = 19 (CharGen)
UDP, source port = 53 (DNS)
UDP, source port = 123 (NTP)
UDP, source port = 389 (LDAP)
UDP, source port = 11211 (Memcached)
Please keep in mind that in the rules listing a port we match against a specific source port and any destination port. If the rule you need is not available, please let us know by sending an email to firstname.lastname@example.org. New rules will be added if there is enough demand, but as our system cannot accommodate an unlimited number of rules, we will have to make some choices.
For a minimal setup, you can
Add the extended community (RT:6695:4200000000) to your existing blackholing announcements. This mimics standard blackholing but will filter 100% reliably.
Add the extended community (RT:6695:4200000002) to your existing blackholing announcements. This will filter all UDP traffic. UDP traffic makes up for 80% of DDoS traffic at DE-CIX, so this filter will most likely solve any DDoS problems on your port.
Rule limit: The number of filters on your peering service is limited due to hardware restrictions. Currently, we allow 20 rules on your port. Each prefix and each community counts as a rule. So, if you announce three /32 IPv4 prefixes with two communities each, this counts as six rules. The filter limit applies for your IPv4 and IPv6 sessions collectively (e.g. 1 v4 rule and 2 v6 rules account for 3 rules in total). Please note that you won’t be warned if you set up more than 20 rules. If your announcements cover more than 20 rules, newer rules will be configured at the expense of older rules. To be on the safe side, simply do not announce more than 20 (prefixes * communities).
Debugging: You can verify whether your communities are accepted by our route servers by using the DE-CIX Looking Glass (https://lg.de-cix.net/). The filter communities are tagged. Please note that the Looking Glass does not provide you with feedback on when and whether the rule applies. This can be retrieved, along with the characteristics of dropped traffic, in the Blackholing Insights tool.
IRR/RPKI: The prefix you blackhole must be covered by IRR entries and/or RPKI entries. More specifics than /24 (v4) and /48 (v6) are accepted.
ARP: When the service is activated, the standard ARP traffic shaping has to be deactivated. So if you blackhole IP addresses, you might receive more ARP traffic.
Shaping: If a rule commands traffic shaping, then up to 5Mbps traffic is shaped for the given rule. The shaping bandwidth can be adapted upon request, please contact email@example.com.
Update frequency: As the implementation of this service uses filters on our devices, there is a small time-lag before these filters become active. Usually, it takes between 30 and 180 seconds between announcing a prefix with blackholing communities and the filter kicking in.
Please note that we are currently in the beta version of the new DE-CIX Blackholing Advanced service, which is still undergoing final testing. The service is provided on an as-is and as-available basis. DE-CIX does not give any warranties, whether expressly or implied, as to the suitability or usability of the service. To the extent permitted by law, DE-CIX will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party as a result of their use of the service.
Any interaction is done at the customer’s own risk and the customer will be solely responsible for any damage to any computer system or loss of data that results from such activities. Liability for damages will be solely restricted to intent and gross negligence.
Should you encounter any bugs, glitches, lack of functionality or other problems of the service, please let us know immediately by notifying us at firstname.lastname@example.org so we can rectify these accordingly. Your help in this regard is greatly appreciated.