Members sometimes need to mitigate DDoS (Distributed Denial of Service) attacks.
The SIX provides a blackhole next-hop IP address for each address family and peering VLAN, which resolves to a blackhole MAC address. Any traffic sent to the blackhole MAC address is dropped by the SIX core switches at their edge, thus reducing the packet flow toward the target of an attack. (Members connected to the fabric via an extension switch may not have traffic to them blocked from other members on the same extension.*)
Any member can configure their BGP peering to announce prefixes with a next-hop set to the blackhole IP address for a given address family and peering VLAN, as defined in this table:
VLAN (MTU) | Protocol | Blackhole IP Address | Blackhole MAC Address |
---|---|---|---|
Standard (1500) | IPv4 | 206.81.81.0 | 66:66:de:ad:be:ef |
Standard (1500) | IPv6 | 2001:504:16::6666:dead:beef | 66:66:de:ad:be:ef |
Jumbo (9000) | IPv4 | 206.81.83.0 | 66:66:de:ad:be:ef |
Jumbo (9000) | IPv4 | 149.112.97.0 (after you renumber, schedule TBD) | 66:66:de:ad:be:ef |
Jumbo (9000) | IPv6 | 2001:504:16:1:0:6666:dead:beef | 66:66:de:ad:be:ef |
Blackhole announcements tend to be very specific (often /32 for IPv4 and /128 for IPv6), so it is important that, as a peer, you either accept full-length prefixes unconditionally, or accept full-length prefixes when the next-hop is set to a blackhole IP address.
The same relaxation is needed for the next-hop check: a blackhole route carries a next-hop that does not match the peering session's address, so your import policy must allow a non-matching next-hop when it is one of the reserved blackhole IP addresses.
The SIX route servers also support blackholing in the form of RFC 7999. Specifically, when the BLACKHOLE community 65535:666 is set for a route, the route servers automatically set the appropriate next-hop for the relevant address family and peering VLAN. Per the RFC they also add the community NO_EXPORT prior to re-announcing routes to other route server users. Route server announcements can also be tailored to specific ASNs using the community mechanisms detailed on the route server page. The route servers use members' RPKI ROAs and IRR records to employ strict filtering of blackhole routes.
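The two policies described above, the relaxed member import filter and the route servers' RFC 7999 handling, modelled in Python as an added example (this is not SIX code). The next-hop table and the communities come from this page; the "normal" maximum prefix lengths, the ROA/IRR authorization table, the AS number 64496 and the peer addresses are constructed for the example.

```python
"""Model of SIX blackhole handling (added example, not SIX's own code)."""
import ipaddress
from dataclasses import dataclass

# Blackhole next-hops per (peering VLAN, IP version), from the SIX table above.
BLACKHOLE_NEXT_HOP = {
    ("standard", 4): ipaddress.ip_address("206.81.81.0"),
    ("standard", 6): ipaddress.ip_address("2001:504:16::6666:dead:beef"),
    ("jumbo", 4): ipaddress.ip_address("206.81.83.0"),
    ("jumbo", 6): ipaddress.ip_address("2001:504:16:1:0:6666:dead:beef"),
}
BLACKHOLE = (65535, 666)    # RFC 7999 BLACKHOLE community
NO_EXPORT = (65535, 65281)  # well-known NO_EXPORT community

# Longest prefix a member normally accepts (assumed local policy, not from the page).
MAX_NORMAL_LEN = {4: 24, 6: 48}

# Constructed stand-in for RPKI ROA / IRR data: prefixes each AS may originate.
AUTHORIZED = {64496: ["192.0.2.0/24", "2001:db8::/32"]}


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    communities: frozenset
    origin_as: int


def is_blackhole_next_hop(vlan, route):
    """True when the route's next-hop is the blackhole address for this VLAN/AFI."""
    net = ipaddress.ip_network(route.prefix)
    return ipaddress.ip_address(route.next_hop) == BLACKHOLE_NEXT_HOP[(vlan, net.version)]


def member_import(vlan, peer_ip, route):
    """Member-side import decision.

    Normal routes must carry the peer's own address as next-hop and must not be
    longer than MAX_NORMAL_LEN.  Both checks are relaxed only when the next-hop
    is the reserved blackhole address, which is exactly what the text asks for.
    """
    net = ipaddress.ip_network(route.prefix)
    if is_blackhole_next_hop(vlan, route):
        return True
    if ipaddress.ip_address(route.next_hop) != ipaddress.ip_address(peer_ip):
        return False
    return net.prefixlen <= MAX_NORMAL_LEN[net.version]


def origin_authorized(route):
    """Strict check: the announced prefix must lie inside space the origin AS is authorized for."""
    net = ipaddress.ip_network(route.prefix)
    return any(
        net.subnet_of(ipaddress.ip_network(p))
        for p in AUTHORIZED.get(route.origin_as, [])
        if ipaddress.ip_network(p).version == net.version
    )


def route_server_export(vlan, route):
    """Route-server handling of a route before re-announcing it to other users.

    Untagged routes pass unchanged.  A route tagged 65535:666 is dropped unless
    the origin is authorized; otherwise its next-hop is replaced with the
    blackhole address for the VLAN/AFI and NO_EXPORT is added (RFC 7999).
    Returns the route to re-announce, or None if it must be dropped.
    """
    if BLACKHOLE not in route.communities:
        return route
    if not origin_authorized(route):
        return None
    net = ipaddress.ip_network(route.prefix)
    return Route(
        prefix=route.prefix,
        next_hop=str(BLACKHOLE_NEXT_HOP[(vlan, net.version)]),
        communities=route.communities | {NO_EXPORT},
        origin_as=route.origin_as,
    )


if __name__ == "__main__":
    # Constructed announcement: AS 64496 blackholes one host inside its /24.
    attacked = Route("192.0.2.66/32", "198.51.100.1", frozenset({BLACKHOLE}), 64496)
    rewritten = route_server_export("standard", attacked)
    print(rewritten)
    print("member accepts:", member_import("standard", "198.51.100.2", rewritten))
```

The peer address in `member_import` is the route server's (or the peer's) own session address; the same /32 with a normal next-hop is rejected by the prefix-length rule, which is the behaviour the page warns about.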
Additional information on blackholing can be found at: https://github.com/tking/BLACKHOLE-BGP-Community
Examples...
BIRD (member announcing a /32 with the BLACKHOLE community toward the route servers; `[...]` marks parts of the configuration omitted in the original):

```
define BLACKHOLE = (65535, 666);

# Static route for the attacked host; it only exists to be exported.
protocol static possible_out {
  [...]
  route x.y.z.a/32 reject;
}

# Note: "export" is also a BIRD keyword; if your BIRD version rejects it as a
# filter name, use another name here and in the template below.
filter export {
  if proto = "possible_out" then {
    [...]
    if net = x.y.z.a/32 then {
      bgp_community.add(BLACKHOLE);
      accept;
    }
  }
  reject;
}

template bgp SIX_STD_RS {
  [...]
  export filter export;
}
```
Cisco IOS (member setting the blackhole next-hop directly toward a bilateral peer on the standard VLAN; `xyz`, `foo` and `x.y.z.a` are the original's placeholders for your ASN, the peer address and the attacked host):

```
! The network statement needs a matching route in the RIB.
ip route x.y.z.a 255.255.255.255 Null0
!
router bgp xyz
 network x.y.z.a mask 255.255.255.255
 neighbor foo route-map BLACKHOLE out
!
ip access-list standard blackhole-access-list
 permit host x.y.z.a
!
route-map BLACKHOLE permit 10
 match ip address blackhole-access-list
 set ip next-hop 206.81.81.0
! Pass everything else unchanged; without this clause the route-map would
! suppress all other advertisements to the neighbor.
route-map BLACKHOLE permit 20
```
Corrections, additional examples, and questions are welcome at info_a_t_seattleix.net.
*Extension operators: to participate in the SIX blackholing system, blackhole (MAC ACL drop) 66:66:de:ad:be:ef at your edge facing the member.