Blackholing
We decided to take blackholing further by offering what we consider to be a full-blown DDoS protection feature directly on our fabric.
You can use the well-known blackhole community to redirect traffic into a blackhole server. But that would mean the IP address/range would be unreachable. Instead, we offer the ability to filter the traffic on our fabric. Furthermore, you can filter by protocol and even a specific port.
On this scenario, you are getting a UDP flood at 192.0.2.65:53. With this feature, you can announce the route 192.0.2.65/32 with the community
33733:21:53
and our fabric will filter and drop all UDP traffic to 192.0.2.65:53. Neat, right? We call it magic blackholing.
Why have we deployed this? Because most DDoS attacks are UDP-based, and the majority of traffic is TCP. By not blocking entirely the IP address, you allow your customer to receive some traffic rather than complete downtime due to DDoS attacks.
Below is a table with the communities you can use for this purpose:
Description | Community |
---|---|
Block UDP traffic on a specific Port (can be used multiple times) |
33733:21:port
|
Block UDP traffic on all ports |
33733:21:0
|
Block TCP traffic on a specific Port (can be used multiple times) |
33733:22:port
|
Block TCP traffic on all ports |
33733:22:0
|
Due to the nature of this blackholing procedure, all blackholing routes will be treated as "NO-EXPORT". If we exported a blackhole route to a peer, then they would just drop all traffic on their side.