Remotely Triggered Black Hole (RTBH) filtering is a self-managed feature that enables you to block unnecessary traffic before it enters Equinix Internet Exchange (IX) protected network. RTBH protects you from Distributed Denial of Service (DDoS) attacks.
- Equinix provides Black Hole Host with IP address .240 (in APAC), or .253 (in AMER and EMEA) on the IX subnet with mac address 0050.56bb.bbbb.
All unicast traffic towards the Black Hole Host is denied at customer facing ports (by mac-address ACL).
For more information on the RTBH Host and other supported BGP communities, see RTBH Host information.
Distributed Denial of Service
Distributed Denial of Service (DDoS) attack causes disruption of services due to unnecessary inbound traffic in your port. RTBH filtering can help to free the port utilization from this unnecessary traffic.
To free the port utilization, the Equinix MLPE route server inserts a BGP route into the network that forces the routers to stop all traffic to the Black Hole Host with predefined IP and MAC addresses.
- Establish BGP peering to MLPE route servers through MLPE IX peering subnet. You can announce your prefix 126.96.36.199/24 to MLPE route servers.
- MLPE route servers re-announce your prefix to other peering participants.
The next hop to reach 188.8.131.52/24 prefix is .100 which is your peering IP address.
- There is a DDoS attack traffic towards the server 184.108.40.206.
- Your port is flooded with inbound traffic causing service disruption to all production services.
Free the port utilization by stopping traffic to 220.127.116.11.
To mitigate the risk of DDoS attacks, RTBH involves the following stages:
- You announce 18.104.22.168/32 with Black Hole BGP community 65535:666.
MLPE route servers modify these prefix announcements (tagged with 65535:666) with next-hop to .240 (in APAC) or .253 (in AMER and EMEA), and re-announce the same prefix to other peering participants.
- Peering partners start to resolve next-hop IP address .240 (in APAC) or .253 (in AMER and EMEA) to reach 22.214.171.124.
Black Hole Host replies with an ARP with mac-address 0050.56bb.bbbb.
- The attack traffic with next-hop .240 (in APAC) or .253 (in AMER and EMEA) is stopped by Equinix IX switch inbound access list.
The DDoS attack going through your switch port is mitigated.