Remotely Triggered Black Hole
Remotely Triggered Black Hole (RTBH) filtering is a self-managed feature that enables you to block unwanted traffic before it enters the Equinix Internet Exchange (IX) protected network. RTBH protects you from Distributed Denial of Service (DDoS) attacks.
- Equinix provides a Black Hole Host with IP address .240 (in APAC) or .253 (in AMER and EMEA) on the IX subnet, with MAC address 0050.56bb.bbbb.
- All unicast traffic towards the Black Hole Host is denied at customer-facing ports (by a MAC-address ACL).
For more information on the RTBH Host and other supported BGP (Border Gateway Protocol) communities, see RTBH Host information.
Distributed Denial of Service
A Distributed Denial of Service (DDoS) attack disrupts services by flooding your port with unwanted inbound traffic. RTBH filtering frees port capacity from this traffic.
To free the port, the Equinix MLPE route server inserts a BGP route into the network that forces peers' routers to send all traffic for the attacked address to the Black Hole Host, which has predefined IP and MAC addresses, where it is dropped.
- You establish BGP peering to the MLPE route servers through the MLPE IX peering subnet and announce your prefix 220.127.116.11/24 to them.
- The MLPE route servers re-announce your prefix to other peering participants. The next hop to reach the 18.104.22.168/24 prefix is .100, which is your peering IP address.
- DDoS attack traffic is sent towards the server 22.214.171.124.
- Your port is flooded with inbound traffic, causing service disruption to all production services. You free the port utilization by stopping traffic to 126.96.36.199.
To mitigate the risk of DDoS attacks, RTBH involves the following stages:
- You announce 188.8.131.52/32 with the Black Hole BGP community 65535:666. The MLPE route servers modify this prefix announcement (tagged with 65535:666) to set the next hop to .240 (in APAC) or .253 (in AMER and EMEA), and re-announce the same prefix to other peering participants.
- Peering partners resolve the next-hop IP address .240 (in APAC) or .253 (in AMER and EMEA) to reach 184.108.40.206. The Black Hole Host answers the ARP request with MAC address 0050.56bb.bbbb.
- The attack traffic with next hop .240 (in APAC) or .253 (in AMER and EMEA) is dropped by the Equinix IX switch inbound access list. The DDoS attack going through your switch port is mitigated.
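The stages above can be followed end to end in a small model of the IX. The following is an added example written for this page, not Equinix code: it models the route-server policy (rewrite the next hop of any /32 carrying 65535:666 to the regional Black Hole Host, and drop blackhole-tagged routes that are not host routes), a peer's longest-prefix-match forwarding, the Black Hole Host answering ARP with 0050.56bb.bbbb, and the customer-facing MAC ACL. The IX subnet 198.51.100.0/24, the customer aggregate 192.0.2.0/24 and the attacked host 192.0.2.10 are constructed documentation-range values; the .240/.253 host octets, the community and the MAC address are the ones the page gives.

```python
"""Model of RTBH on an IX route server (added example, not Equinix code).

Constructed values: IX peering subnet 198.51.100.0/24 (the page only says
".240"/".253" on the IX subnet), customer peering IP .100, customer
aggregate 192.0.2.0/24 and attacked host 192.0.2.10.
"""
import ipaddress
from dataclasses import dataclass

BLACKHOLE_COMMUNITY = "65535:666"          # from the page
BLACKHOLE_MAC = "0050.56bb.bbbb"           # from the page
IX_SUBNET = ipaddress.ip_network("198.51.100.0/24")  # constructed
BLACKHOLE_HOST_OCTET = {"APAC": 240, "AMER": 253, "EMEA": 253}


def blackhole_host(region):
    """Black Hole Host address for a region: .240 in APAC, .253 elsewhere."""
    return IX_SUBNET.network_address + BLACKHOLE_HOST_OCTET[region]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    communities: frozenset = frozenset()


def make_route(prefix, next_hop, communities=()):
    """Build a Route from strings (helper so callers need no ipaddress calls)."""
    return Route(ipaddress.ip_network(prefix), ipaddress.ip_address(next_hop),
                 frozenset(communities))


def route_server_process(route, region):
    """Route-server policy for a received announcement.

    A route tagged 65535:666 has its next hop rewritten to the regional
    Black Hole Host before re-announcement. A blackhole-tagged route that is
    not a /32 is rejected (returns None), so a customer cannot black-hole
    more than a single host by mistake.
    """
    if BLACKHOLE_COMMUNITY not in route.communities:
        return route
    if route.prefix.prefixlen != 32:
        return None
    return Route(route.prefix, blackhole_host(region), route.communities)


class PeerRouter:
    """A peering participant that installs route-server routes in its RIB."""

    def __init__(self):
        self.rib = {}

    def install(self, route):
        if route is not None:
            self.rib[route.prefix] = route

    def lookup(self, dst):
        """Longest-prefix match, so the /32 wins over the covering /24."""
        dst = ipaddress.ip_address(dst)
        matches = [p for p in self.rib if dst in p]
        if not matches:
            return None
        return self.rib[max(matches, key=lambda p: p.prefixlen)]


def arp_resolve(next_hop, region):
    """The Black Hole Host answers ARP for its own address with its fixed MAC."""
    if next_hop == blackhole_host(region):
        return BLACKHOLE_MAC
    return "0000.0000.0001"  # constructed MAC of an ordinary participant


def ix_switch_inbound_acl(dst_mac):
    """Customer-facing port ACL: deny unicast frames to the Black Hole MAC."""
    return "deny" if dst_mac == BLACKHOLE_MAC else "permit"


def forward(peer, dst_ip, region):
    """What happens to a packet a peer sends towards dst_ip across the IX."""
    route = peer.lookup(dst_ip)
    if route is None:
        return "no-route"
    return ix_switch_inbound_acl(arp_resolve(route.next_hop, region))


def simulate(region="AMER", attacked="192.0.2.10"):
    """Run the stages from the page: normal state, then the RTBH announcement."""
    peer = PeerRouter()
    customer_nh = str(IX_SUBNET.network_address + 100)  # peering IP .100
    peer.install(route_server_process(
        make_route("192.0.2.0/24", customer_nh), region))
    before = forward(peer, attacked, region)            # attack traffic flows
    peer.install(route_server_process(
        make_route(attacked + "/32", customer_nh, [BLACKHOLE_COMMUNITY]), region))
    after = forward(peer, attacked, region)             # now dropped at the IX
    other = forward(peer, "192.0.2.11", region)         # neighbours unaffected
    return {"before": before, "after": after, "other_host": other}


if __name__ == "__main__":
    print(simulate("AMER"))
```

The model makes two points a practitioner should check in a real deployment: only the attacked /32 is affected (the rest of the /24 keeps forwarding via your peering IP), and the drop happens at the peer's own IX port rather than on yours, which is why your port utilization recovers.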