Remotely Triggered Black Hole (RTBH) filtering is a self-managed feature that enables you to block unnecessary traffic before it enters Equinix Internet Exchange (IX) protected network. RTBH protects you from Distributed Denial of Service (DDoS) attacks.
RTBH Services
- Equinix provides Black Hole Host with IP address .240 (in APAC), or .253 (in AMER and EMEA) on the IX subnet with mac address 0050.56bb.bbbb.
-
All unicast traffic towards the Black Hole Host is denied at customer facing ports (by mac-address ACL).
For more information on the RTBH Host and other supported BGP communities, see RTBH Host information.
FAQ
Is the RTBH feature available for bi-lateral peering?
Yes. For RTBH to take effect, the Black Hole announcement must be accepted by other peering partners. Peering participants can accept the prefixes with prefix length = 32 and BGP community 65535:666. Participation in the RTBH feature is optional.
Distributed Denial of Service
Distributed Denial of Service (DDoS) attack causes disruption of services due to unnecessary inbound traffic in your port. RTBH filtering can help to free the port utilization from this unnecessary traffic.
To free the port utilization, the Equinix MLPE route server inserts a BGP route into the network that forces the routers to stop all traffic to the Black Hole Host with predefined IP and MAC addresses.
Follow these steps before the DDoS attack begins
- Establish BGP peering to MLPE route servers through MLPE IX peering subnet. You can announce your prefix 1.1.1.0/24 to MLPE route servers.
- MLPE route servers re-announce your prefix to other peering participants.
-
The next hop to reach 1.1.1.0/24 prefix is .100 which is your peering IP address.
Follow these steps when the DDoS attack begins
- There is a DDoS attack traffic towards the server 1.1.1.1.
- Your port is flooded with inbound traffic causing service disruption to all production services.
-
Free the port utilization by stopping traffic to 1.1.1.1.
Mitigation Stages
To mitigate the risk of DDoS attacks, RTBH involves the following stages:
Mitigation Stage 1
- You announce 1.1.1.1/32 with Black Hole BGP community 65535:666.
-
MLPE route servers modify these prefix announcements (tagged with 65535:666) with next-hop to .240 (in APAC) or .253 (in AMER and EMEA), and re-announce the same prefix to other peering participants.
Mitigation Stage 2
- Peering partners start to resolve next-hop IP address .240 (in APAC) or .253 (in AMER and EMEA) to reach 1.1.1.1.
-
Black Hole Host replies with an ARP with mac-address 0050.56bb.bbbb.
Mitigation Success
- The attack traffic with next-hop .240 (in APAC) or .253 (in AMER and EMEA) is stopped by Equinix IX switch inbound access list.
-
The DDoS attack going through your switch port is mitigated.
