Blackholing Insights
Written by DE-CIX Consulting Team
Updated over a week ago

With Blackholing Insights, you get visual support when countering DDoS attacks while using Blackholing at DE-CIX.

The tool shows you a variety of statistics and provides a peek into the traffic affected by the Blackholing rules you have set. Traffic that is no longer visible to you, due to dropping (classical Blackholing) or filtering (Blackholing Advanced), is visualized on the dashboard.

The visualization is limited to the last four days. Any traffic going towards a prefix with an active Blackholing rule is visualized. These statistics can help you understand where a DDoS attack is coming from, whether the attack is still ongoing, whether attack parameters have changed, and what traffic is affected by your Blackholing setup.

Blackholing Insights is currently available for the following locations: Dusseldorf, Frankfurt, Hamburg, Istanbul, Lisbon, Madrid, Marseille, Munich and New York.

What you can see on the dashboard

The following can be seen on the Blackholing Insights dashboard:

1. Time Picker

The time picker lets you choose a specific time span of interest. Data is available for a maximum of four days, even though other time periods can be selected. It is also possible to auto-refresh the statistics. It takes approximately 30 seconds from the time network traffic is discovered on the DE-CIX platform until it is displayed in the statistics.

2. Filter

It is possible to filter all statistics in the dashboard at once, e.g. by IXP ID (location), rule, protocol, or AS number. The most convenient way to do this is to click on an item in any statistic and then select "-" or "+". Any active filter is displayed in "2." at the top left of the dashboard and can be removed or adjusted there.

3. Classical Blackholing Rules

This is a counter showing the number of classical Blackholing rules that this statistics tool is aware of. If the time picker is changed so that it does not include the latest minute, this statistic will be empty. In case of uncertainty, check the DE-CIX looking glass for cross-validation.

4. Advanced Blackholing Rules

This is a counter showing the number of Advanced Blackholing rules that this statistics tool is aware of. If the time picker is changed so that it does not include the latest minute, this statistic will be empty. Again, in case of uncertainty, check the DE-CIX looking glass for cross-validation.

5. Blackholed traffic

This table shows the traffic attributed to specific Blackholing rules. Any item in the list can be used as a filter for the dashboard. The actual rules are shown: for classical Blackholing this is just the prefix, while Advanced Blackholing rules can have additional attributes. For each active rule, the combined volume of traffic and the IXP location are shown.

Limitations: Technically, it is not possible to precisely map which packets are affected by rate limiting in the case of Blackholing Advanced. Therefore, any traffic matching the general rule is displayed. Traffic matching an "allow" rule is displayed as well.

6. Traffic per Rule Histogram

Traffic rates in bits per second and packets per second over the course of time are depicted in the two prefix traffic histograms. The traffic is accounted per prefix according to the active blackhole rules. Data is available for a maximum of four days.

7. Packets per Rule Histogram

Traffic rates in packets per second over the course of time are depicted in the two prefix traffic histograms. The traffic is accounted per prefix according to the active blackhole rules. In comparison to "6. Traffic per Rule Histogram", this statistic provides a more fine-grained resolution, down to seconds, and is therefore able to show short bursts of traffic. Data is available for a maximum of four days.

8. Top traffic relations

This Sankey diagram depicts the top peers/neighbours that the traffic towards your blackholed prefixes is coming from. This might help to identify the peers sending the most attack traffic and to adjust the Blackholing rule by using action communities such as "redistribute to". Note that only classical Blackholing rules can be used with BGP action communities. Blackholing Advanced does not support action communities to date.

9. Source Networks

This statistic provides a more detailed look at the source of the traffic. In addition to what "8. Top traffic relations" shows, it shows the true Internet source (origin) in relation to the direct peers/neighbours that forwarded the traffic before it reached the blackholed prefix. The inner ring shows the traffic share received from direct peers/neighbours, while the outer ring shows the traffic share of the Internet source (origin of the traffic).

10. Packets source world map

Heat map of the geographical distribution of the source of the traffic. With reflective DDoS attacks, you can see the countries the traffic originates from, which might be helpful while defending against a DDoS attack. With DDoS attacks that send attack traffic directly towards a blackholed prefix with spoofed source IP addresses, the geographical source might be without value.

11. Number of Destination and Source IPs

These two statistics show the number of unique source and destination IP addresses.

12. Top source and destination IPs

The share of the traffic volume for the source and destination IPs in your blackholed traffic.

13. Top source and destination ports

The share of the traffic volume for source and destination ports within the blackholed traffic.

14. IP versions and protocols

The share of the traffic volume regarding the IP protocol (UDP, TCP, ICMP, etc.) and IP version within the blackholed traffic.

15. Active Blackholes

This statistic shows all Blackholing rules that are currently visible on the platform. In contrast to the statistic in "5. Blackholed traffic", rules that don't receive any traffic are also displayed. The field "bhVersion" indicates the rule type: 2="Blackholing Advanced" and 1="classical Blackholing". This table can be empty if the time span selected in "1. Time Picker" does not cover the last minute. Again, in case of uncertainty, check the DE-CIX looking glass for cross-validation.

16. Inactive Rules (over limit)

For Blackholing Advanced, a default limit of 20 rules per service exists. Rules that haven't been activated because this limit was exceeded are displayed in this table. If the limit of 20 rules was expanded on an individual basis, this is correctly reflected by this table; only rules that haven't been installed are displayed.

If you have any questions regarding the Blackholing Insights or if you encounter any problems, please do not hesitate to contact us.
