Supported by the GlobalNOC at Indiana University

BGP Blackhole Users Guide

The PennREN network implements several BGP communities that allow members to perform traffic engineering without requiring intervention from the PennREN NOC or engineering staff.

During incidents of network distress, e.g. traffic floods saturating upstream links due to denial of service attacks, a member may desire to signal the upstream routers within PennREN to discard this traffic before it reaches a downstream member.

The community 14877:666 can be added to routes to signal PennREN routers to discard the traffic upon ingress into any of PennREN’s routers. The only limitation on the use of this community is that the prefix to which the blackhole community is applied must already be permitted by the ingress prefix filters applied to the member's BGP session. Any prefix length is currently supported, up to /32 for IPv4 and /128 for IPv6.

Demonstration

A KINBER member is announcing 162.223.17.0/24:

show route 162.223.17.0/24

162.223.17.0/24    *[BGP/170] 01:49:40, localpref 140
                      AS path: 65420 I
                    > to 162.223.18.254 via ae0.880

The same KINBER member is suddenly subjected to a denial of service attack in which the host using IP address 162.223.17.50 is receiving several Gbps of traffic, which congests the member’s network.

A decision is made by the member to blackhole traffic upstream for packets destined to 162.223.17.50.  The KINBER member then announces 162.223.17.50/32 with the blackhole community 14877:666 attached to the route.

show route 162.223.17.0/24

162.223.17.0/24    *[BGP/170] 03:47:16, localpref 140
                      AS path: 65420 I
                    > to 162.223.18.254 via ae0.880
162.223.17.50/32   *[BGP/170] 01:14:23, localpref 140, from 162.223.18.254
                      AS path: 65420 I
                     to Discard

show route 162.223.17.50/32 detail

162.223.17.48/29 (1 entry, 1 announced)
        *BGP    Preference: 170/-141
                Source: 162.223.18.254
                Next hop type: Discard
                State: <Active Ext>
                Local AS: 14877 Peer AS: 65420
                AS path: 65420 I
                Communities: 14877:666
                Accepted

Any prefix received from a member that has the blackhole community of 14877:666 attached will signal the PennREN routers to discard traffic destined for the advertised prefix before congestion of the member’s network can occur.  Multiple prefixes can be advertised to PennREN with the blackhole community. 
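
A member-side pre-flight check for the announcement described above, as an added example that is not part of the original guide or PennREN tooling. The function names and the permitted-prefix list are assumptions for illustration; the check assumes more-specifics of a permitted prefix are accepted, as the /32-inside-/24 demonstration shows.

```python
import ipaddress

BLACKHOLE_COMMUNITY = "14877:666"  # PennREN blackhole community, from the guide


def plan_blackhole(target, permitted):
    """Validate a blackhole announcement before it is sent to PennREN.

    target    -- address or prefix under attack, e.g. "162.223.17.50"
    permitted -- prefixes the member's ingress filter allows (constructed
                 input; assumes more-specifics of these are accepted)
    """
    # strict=True rejects typos such as "162.223.17.50/24" (host bits set),
    # which would otherwise silently widen the blackhole to the whole /24.
    net = ipaddress.ip_network(target, strict=True)
    covering = [p for p in (ipaddress.ip_network(x) for x in permitted)
                if p.version == net.version and net.subnet_of(p)]
    if not covering:
        raise ValueError(f"{net} is outside the permitted prefixes")
    parent = max(covering, key=lambda p: p.prefixlen)
    return {
        "prefix": str(net),
        "covered_by": str(parent),
        "addresses_dropped": net.num_addresses,
        # Blackholing the whole announced block takes every host offline.
        "drops_entire_block": net == parent,
    }


def junos_set_commands(prefix):
    """Member-side Junos static discard route tagged with the community."""
    net = ipaddress.ip_network(prefix)
    rib = "" if net.version == 4 else "rib inet6.0 "
    base = f"set routing-options {rib}static route {net}"
    return [f"{base} discard", f"{base} community {BLACKHOLE_COMMUNITY}"]


if __name__ == "__main__":
    # Constructed input taken from the demonstration above.
    plan = plan_blackhole("162.223.17.50", ["162.223.17.0/24"])
    print(plan)
    print("\n".join(junos_set_commands(plan["prefix"])))
```

The generated static route reaches PennREN only if the member's own BGP export policy advertises it with its communities intact; that policy is site-specific and is not shown here.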
