Hurricane Electric

Customer Blackhole Community

This page documents how Hurricane Electric customers that are running BGP may use communities to blackhole traffic.


Prerequisites

  • You must be running BGP.
  • You must be a Hurricane Electric transit customer.
  • You must have customer blackholing enabled.
  • You must have send-communities enabled on your side of the BGP session.

Method

    Occasionally customers need to drop traffic before it reaches their network. Traditionally this would be handled by sending an email requesting that a null route be added. After the attack went away, a second request would need to be sent asking for the null route to be removed. The inherent delays in emailing somebody else and having them manually change router configuration mean the changes are frequently not made as fast as would be preferred. Accordingly, there is a need for something more automated that puts the customer in direct control.

    Hurricane Electric transit customers with customer blackholing enabled may tag prefixes they announce to Hurricane with the community 6939:666 to cause traffic destined for those prefixes to be blackholed on all Hurricane core routers. The prefixes that will be accepted for blackholing are limited to /24 to /32 prefixes within the customer's own address space.

    To have customer blackholing enabled, send email to support@he.net stating your AS and the IP address of the BGP session you wish to have enabled for customer blackholing. *

Use

    1. Attack Starts
    2. Customer identifies the IP or IP range under attack
    3. Customer static routes the IP or IP range to Null0 and adds an announcement of the corresponding prefix with a route map that tags it with 6939:666.
      Cisco Configuration Example (where X.X.X.X is the IP being attacked):
      
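      ! Prerequisite: send-communities must already be enabled toward Hurricane Electric.
      conf t
      ! Drop the attacked address locally and give BGP a route to originate.
      ip route X.X.X.X 255.255.255.255 Null0
      router bgp YourAS
      ! Announce the host route, tagged by the blackhole route-map.
      network X.X.X.X mask 255.255.255.255 route-map blackhole
      ! Tag the announcement with the Hurricane Electric blackhole community.
      route-map blackhole permit 10
      set community 6939:666
      end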
      
    4. Corresponding traffic is dropped as soon as it gets on Hurricane's network.

    Thanks go to Chris Morrow for the configuration examples.

    * Blackhole communities may require specific configuration options in order to be utilized.
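
A pre-flight check for step 3, as an added example that is not Hurricane Electric's or Chris Morrow's code: it tests a candidate prefix against the acceptance limits stated under Method (/24 to /32, inside the customer's own address space) and renders the Cisco commands from the example above, plus their "no" forms for removing the blackhole once the attack ends. The function names, the sample address space and AS 64496 (documentation values), the IPv4-only scope and the withdrawal commands are assumptions of this example.

```python
import ipaddress

BLACKHOLE_COMMUNITY = "6939:666"  # community named on the page
MIN_LEN, MAX_LEN = 24, 32         # accepted prefix lengths named on the page

# Constructed sample data (documentation ranges), not real customer space.
CUSTOMER_SPACE = ["198.51.100.0/24", "203.0.113.0/24"]
LOCAL_AS = 64496


def check_blackhole_prefix(prefix, customer_space):
    """Return (ok, reason) for a candidate IPv4 blackhole announcement."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits
    except ValueError as exc:
        return False, f"invalid prefix: {exc}"
    if net.version != 4:
        return False, "only IPv4 is handled here"
    if not MIN_LEN <= net.prefixlen <= MAX_LEN:
        return False, f"/{net.prefixlen} is outside /{MIN_LEN} to /{MAX_LEN}"
    space = [ipaddress.ip_network(s) for s in customer_space]
    if not any(s.version == 4 and net.subnet_of(s) for s in space):
        return False, "not inside the customer's own address space"
    return True, "ok"


def render_ios(prefix, local_as, withdraw=False):
    """Render the page's Cisco commands, or their 'no' forms to withdraw."""
    net = ipaddress.ip_network(prefix)
    addr, mask = net.network_address, net.netmask
    no = "no " if withdraw else ""
    tag = "" if withdraw else " route-map blackhole"
    lines = [
        "conf t",
        f"{no}ip route {addr} {mask} Null0",
        f"router bgp {local_as}",
        f"{no}network {addr} mask {mask}{tag}",
    ]
    if not withdraw:  # the route-map stays in place for the next incident
        lines += ["route-map blackhole permit 10",
                  f"set community {BLACKHOLE_COMMUNITY}"]
    return "\n".join(lines + ["end"])


if __name__ == "__main__":
    for candidate in ["198.51.100.7", "198.51.100.0/23", "192.0.2.1/32"]:
        ok, reason = check_blackhole_prefix(candidate, CUSTOMER_SPACE)
        print(candidate, "->", reason)
        if ok:
            print(render_ios(candidate, LOCAL_AS))
```

Running the check before announcing catches a prefix that is too short or outside your own space, which would otherwise leave the attack traffic flowing with no blackhole in effect.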