[c-nsp] Sinkhole Routing

Pete Templin petelists at templin.org
Wed Sep 29 09:04:00 EDT 2004


Wojtek Zlobicki wrote:

> This method, often called blackhole, allows for a filtering load to be
> distributed.  Assuming a distributed DoS attack, when traffic is
> entering your upstream provider's network at multiple points, creating
> a blackhole community allows for all traffic with a particular tag
> (666 is popular) to be null routed.  Each and every BGP speaking
> router at your provider will null route any traffic based on a given
> community; this way, when attacking hosts are entering a network at
> 50 points, the load is distributed, and no single router is asked to
> filter megabits/gigabits of traffic.  Most providers allow their
> customers to send a route update with a blackhole community, which allows
> traffic to one host to be null routed without having to call support.
> Keep in mind that this is applied upstream and not really at your
> router. Blackholes are a last resort; they are great for hosts that
> are expendable (a downstream customer's DSL connection) but useless
> when the target is your primary mail/web server.  Most providers will
> blackhole a host over applying ACLs (to save CPU resources).

[Credit goes to whomever mentioned this first]

I've also heard of scenarios where a customer will announce their entire
aggregate with the blackhole tag, and then generate more specific
announcements without.  The provider accepts the aggregate, processes it
internally as blackhole, and advertises it to their friends and
neighbors normally.  The provider also accepts the more specifics,
passes them throughout their network, and allows the more specific
announcement to override the "default" blackhole behavior.

Took me a bit to re-engineer my customer inbound route maps, but a very
logical application nonetheless.

pt
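The aggregate-plus-more-specifics arrangement described in the thread, modelled as an added Python example that is not part of the original posts: a customer-inbound policy rewrites the next hop of any prefix carrying the blackhole community to a discard route, and longest-prefix match then lets the untagged more-specific win over the blackholed aggregate. The ASN 65000, the 666 community value, the next hop and the prefixes are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed values (assumptions, not from the thread): provider ASN 65000
# with the popular 666 blackhole community, and a customer next hop.
BLACKHOLE_COMMUNITY = "65000:666"
CUSTOMER_NEXT_HOP = "203.0.113.1"
DISCARD = "Null0"  # models the static route to the null interface


def apply_customer_in_policy(announcements):
    """Model the provider's customer-inbound route-map.

    announcements: list of (prefix, set_of_communities) as received from
    the customer.  A prefix tagged with the blackhole community gets its
    next hop rewritten to the discard route; all others keep the
    customer's real next hop.  Returns the resulting RIB entries.
    """
    rib = []
    for prefix, communities in announcements:
        next_hop = DISCARD if BLACKHOLE_COMMUNITY in communities else CUSTOMER_NEXT_HOP
        rib.append((ip_network(prefix), next_hop))
    return rib


def lookup(rib, dst):
    """Longest-prefix match over the RIB, as every router in the provider's
    network does: the most specific covering route decides the next hop,
    so an untagged /24 overrides a blackholed /16 that contains it."""
    addr = ip_address(dst)
    best = None
    for net, next_hop in rib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Constructed customer announcements: the whole aggregate carries the
# blackhole tag, the more-specific /24 is announced without it.
CUSTOMER_ANNOUNCEMENTS = [
    ("10.20.0.0/16", {BLACKHOLE_COMMUNITY}),   # aggregate, blackholed
    ("10.20.5.0/24", set()),                   # more specific, stays reachable
]
PROVIDER_RIB = apply_customer_in_policy(CUSTOMER_ANNOUNCEMENTS)

if __name__ == "__main__":
    for dst in ("10.20.5.7", "10.20.200.9", "192.0.2.1"):
        print(dst, "->", lookup(PROVIDER_RIB, dst))
```

Hosts inside the clean /24 resolve to the customer's next hop, every other address in the /16 is discarded, and addresses outside the aggregate have no route at all.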

