
Blackholing DDoS attacks

When a Denial of Service attack is in progress against an FRGP member, we sometimes want to "black hole" the inbound packets at the FRGP router, so the packets get dropped before they consume bandwidth on the pipe that connects the member to the FRGP. Even better, we want to ask our ISPs to blackhole the packets so they get dropped before they consume bandwidth on the pipe that connects each ISP to the FRGP. This web page contains notes about how to ask our ISPs to blackhole packets destined for a given IP address.

General

With each of the three providers (WilTel, Level3, AT&T) it's a manual process. With AT&T it's done by e-mail. WilTel might take an e-mail, too, but Level3 requires a phone call. Savvis, just before we dropped them, advertised the capability to let us automagically blackhole routes using a BGP community string of, interestingly, 666. None of our current providers can do that, although WilTel says they'll have it by the end of the year.

AT&T will automatically lift the null route in 7 days, so we'll check our filter counters then and probably lift the other nulls a few days later when we observe no filtered packets.

AT&T

To: rm-awmis@ems.att.com
Subject: AT&T, please blackhole these two IP addresses

Hey rm-awmis,

Our circuit ID is AGEC.960052.ATI and our site ID is 50400.

Please blackhole the IP addresses 156.108.236.2 and 156.108.164.238. I understand you'll blackhole them for seven days - that's great.

--Scot

Level 3

Subject: Level3 blackholing - ticket # 1055287.
From: Scot Colburn
Date: 22 Sep 2004 11:02:42 -0600
To: "frgp-eng@ucar.edu"

Called 1-877-453-8353x2x1. Don't do that.
Had to hold, got bored, called: 1-877-653-8353x2x19508 (that's our PIN)

Talked to Ehab. Told him I was with UCAR.
Gave two addresses: 156.108.236.2 and 156.108.164.238
Gave our peering IP address: 209.245.20.26
Ehab will call me back in half an hour with my ticket number.
He doesn't know if there's a BGP blackhole attribute, but he'll check for the easiest way to do this.

10:52 - Ehab called back with a ticket # 1055287

-- Scot

Wiltel

Subject: Wiltel, Please blackhole these two addresses
From: Scot Colburn
Date: 22 Sep 2004 10:25:54 -0600
To: iptier1@wiltel.com

Subject: Please blackhole 156.108.236.2 and 156.108.164.238.

Our Circuit ID is TWC02133024.

Thanks,
Scot Colburn


Address comments or questions about this Web page to the Network Engineering & Telecommunications Section (NETS) at nets-www@ncar.ucar.edu. The NETS is part of the Computational & Information Systems Laboratory (CISL) of the National Center for Atmospheric Research (NCAR), which is sponsored by the National Science Foundation (NSF) and managed by the University Corporation for Atmospheric Research (UCAR). This website follows the UCAR General Privacy Policy and the NCAR/UCAR/UCP Terms of Use.