Selective blackholing - some measurements with RIPE Atlas


Six IPv4 addresses were bound to a loopback interface on a customer device,
each NLRI being injected into AS 5580 with a separate selective remote
triggered blackhole community to assess the effectiveness of the method.

Towards each IP address, a one-off measurement was launched through the
RIPE Atlas system from 500 probes to see which probes could reach the
selectively blackholed prefix and which could not.

My Conclusion: Selective blackholing does offer advantages in terms
of damage control, but the intended scopes have variable accuracy.
I believe that partial reachability is better than no reachability if
the infrastructure cannot cope with the DDoS volume. - Job Snijders


Prefixes were originated by a customer in Amsterdam, Netherlands

A note about how 'distance' is intended throughout this document:

    Distance is the distance between AS 5580 network devices, calculated
    with the haversine formula using the GPS coordinates of the devices
    as input. The haversine formula is an equation giving great-circle
    distances between two points on a sphere from their longitudes and
    latitudes. The actual length of the datapath or of optical paths is
    not taken into consideration, nor is a peering partner's home country
    a factor. Distance solely relates to distance between AS 5580 network
    devices.


5580:663 - outside 1000 kilometer radius: discard traffic (194.33.96.63/32)

5580:663 effect:

5580:663 visualised
(Atlas data)

    This community is designed based on the theory that most prefixes
    (and content) have a geographical significance which decreases as
    distance between the sender and receiver of traffic increases. Most
    often big DDoS attacks are sourced world-wide, but most legitimate
    visitors come from within a certain radius. In other words: a Dutch
    shop owner's website will expect visitors mostly from the
    Netherlands.

    Conventional blackhole communities such as 5580:666 will trigger a
    discard mechanism network-wide, discarding any and all packets
    everywhere, but in the context of the phenomenon described above one
    might consider the conventional :666 community a shotgun approach.

    For some it might be a wiser choice in certain scenarios to consider
    a trade-off: increasing the chance that legitimate sources can
    access the content, but accepting that some DDoS traffic will get
    through. To enable customers to make such trade-offs a variety of
    selective blackhole communities exist. Depending on the type of
    attack, the bandwidth a customer has available and the significance
    of the target, one can make a choice.

    When a target is under attack one could try the various selective
    blackhole communities until operations are no longer at risk before
    deciding to trigger a network-wide discard with 5580:666.

From route collector in Amsterdam:
    [ams1 14:37:51 from 78.152.62.241] * (100/-) [AS15562i]
        Type: BGP unicast univ
        BGP.origin: IGP
        BGP.as_path: 15562
        BGP.next_hop: 80.94.64.39
        BGP.local_pref: 650
        BGP.community: (5580,663) (5580,26220) (65535,65281) (65123,203) (65123,10038) (65123,2001) (65123,2002) (65123,2005) (65123,2004)
            5580:663 - action: selective discard: only further than 1000km_radius_from_origin    /* set by customer */
            5580:26220 - info: route learned from_transit_customer in amsterdam north europe     /* set by 5580 */
            65535:65281 - action: no_export to ebgp                                              /* set by 5580 */
            65123:203 - internal community: scoped target: czech republic                   /* automatically calculated and set by AS5580 */  
            65123:10038 - internal community: scoped target: specific city: wenen           /* automatically calculated and set by AS5580 */  
            65123:2001 - internal community: scoped target: north_west region in europe     /* automatically calculated and set by AS5580 */ 
            65123:2002 - internal community: scoped target: north region in europe          /* automatically calculated and set by AS5580 */ 
            65123:2005 - internal community: scoped target: central region in europe        /* automatically calculated and set by AS5580 */ 
            65123:2004 - internal community: scoped target: west region in europe           /* automatically calculated and set by AS5580 */ 
        BGP.originator_id: 80.94.64.39
        BGP.cluster_list: 80.94.64.3

5580:664 - outside this country: discard traffic (194.33.96.64/32)

5580:664 effect:

5580:664 visualised
(Atlas data)

Zoomed version
Measured from 380 probes in NL
5580:664 visualised
(Atlas data)

Depending on the size of the country of origin for the prefix this is a
very wide or very narrow scope to apply the selective blackhole.

As can be seen in the 'zoomed' version, the accuracy of this example
turned out to be particularly good.


From route collector in Amsterdam:
    [ams1 14:37:51 from 78.152.62.241] * (100/-) [AS15562i]
        Type: BGP unicast univ
        BGP.origin: IGP
        BGP.as_path: 15562
        BGP.next_hop: 80.94.64.39
        BGP.local_pref: 650
        BGP.community: (5580,664) (5580,26220) (65535,65281) (65123,528)
            5580:664 - action: selective discard: only outside country_of_origin                 /* set by customer */
            5580:26220 - info: route learned from_transit_customer in amsterdam north europe
            65535:65281 - action: no_export to ebgp
            65123:528 - internal community: scoped target: netherlands

5580:662 - outside 2500 kilometer radius: discard traffic (194.33.96.62/32)

5580:662 effect:

5580:662 visualised
(Atlas data)

    In terms of purpose it mimics the 5580:663 community, except that a
    radius of 2500 kilometers around the POP of origin applies. Outside
    this 2500 km radius traffic is discarded.

From route collector in Amsterdam:
    [ams1 14:37:51 from 78.152.62.241] * (100/-) [AS15562i]
        Type: BGP unicast univ
        BGP.origin: IGP
        BGP.as_path: 15562
        BGP.next_hop: 80.94.64.39
        BGP.local_pref: 650
        BGP.community: (5580,662) (5580,26220) (65535,65281) (65123,203) (65123,2001) (65123,2003) (65123,2002) (65123,2005) (65123,2004) (65123,2008) (65123,348)
            5580:662 - action: selective discard: only further than 2500km_radius_from_origin       /* set by customer */
            5580:26220 - info: route learned from_transit_customer in amsterdam north europe        /* set by 5580 */
            65535:65281 - action: no_export to ebgp                                                 /* set by 5580 */
            65123:203 - internal community: scoped target: czech republic                           /* automatically calculated and set by AS5580 */ 
            65123:2001 - internal community: scoped target: north_west region in europe             /* automatically calculated and set by AS5580 */ 
            65123:2003 - internal community: scoped target: north_east region in europe             /* automatically calculated and set by AS5580 */ 
            65123:2002 - internal community: scoped target: north region in europe                  /* automatically calculated and set by AS5580 */ 
            65123:2005 - internal community: scoped target: central region in europe                /* automatically calculated and set by AS5580 */ 
            65123:2004 - internal community: scoped target: west region in europe                   /* automatically calculated and set by AS5580 */ 
            65123:2008 - internal community: scoped target: south region in europe                  /* automatically calculated and set by AS5580 */ 
            65123:348 - internal community: scoped target: hungary                                  /* automatically calculated and set by AS5580 */ 
        BGP.originator_id: 80.94.64.39
        BGP.cluster_list: 80.94.64.3
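
Added example (not part of the original page and not AS 5580's own code): one way the radius-scoped communities 5580:663 and 5580:662 could be evaluated per device, using the haversine distance described in the note on 'distance'. The PoP coordinates are approximate city centres constructed for illustration, and the function names and the "tightest radius wins" rule are assumptions.

```python
import math
import re

EARTH_RADIUS_KM = 6371.0  # mean Earth radius, the usual haversine constant

# Radius-scoped communities as described on this page (km around the PoP of origin).
RADIUS_KM = {(5580, 663): 1000.0, (5580, 662): 2500.0}
BLACKHOLE_EVERYWHERE = (5580, 666)

# Constructed sample: approximate city-centre coordinates (lat, lon),
# NOT real AS 5580 device locations.
POPS = {
    "amsterdam": (52.3676, 4.9041),
    "prague": (50.0755, 14.4378),
    "vienna": (48.2082, 16.3738),
    "budapest": (47.4979, 19.0402),
    "new_york": (40.7128, -74.0060),
}

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def parse_communities(line):
    """Turn 'BGP.community: (5580,663) (65535,65281)' into a set of int pairs."""
    return {(int(a), int(b)) for a, b in re.findall(r"\((\d+),(\d+)\)", line)}

def discarding_pops(community_line, origin):
    """Names of PoPs that would drop traffic for a route carrying these communities."""
    communities = parse_communities(community_line)
    if BLACKHOLE_EVERYWHERE in communities:
        return set(POPS)  # regular blackhole: discard everywhere
    radii = [RADIUS_KM[c] for c in communities if c in RADIUS_KM]
    if not radii:
        return set()  # no radius-scoped blackhole community present
    limit = min(radii)  # assumption: the tightest radius wins if both are set
    return {name for name, pos in POPS.items()
            if haversine_km(POPS[origin], pos) > limit}

if __name__ == "__main__":
    for tag in ("(5580,663)", "(5580,662)", "(5580,666)"):
        line = f"BGP.community: {tag} (5580,26220) (65535,65281)"
        print(tag, sorted(discarding_pops(line, "amsterdam")))
```

With these constructed coordinates Budapest is roughly 1145 km from Amsterdam, so it discards under 5580:663 but not under 5580:662, which matches Hungary appearing as a scoped target only in the 5580:662 output above.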

5580:660 - outside this continent: discard traffic (194.33.96.60/32)

5580:660 effect:

5580:660 in Amsterdam visualised
(Atlas data)

From route collector in Amsterdam:
    [ams1 14:37:51 from 78.152.62.241] * (100/-) [AS15562i]
        Type: BGP unicast univ
        BGP.origin: IGP
        BGP.as_path: 15562
        BGP.next_hop: 80.94.64.39
        BGP.local_pref: 650
        BGP.community: (5580,660) (5580,26220) (65535,65281) (65123,2000)
            5580:660 - action: selective discard: only outside continent_of_origin                /* set by customer */
            5580:26220 - info: route learned from_transit_customer in amsterdam north europe
            65535:65281 - action: no_export to ebgp
            65123:2000 - internal community: scoped target: europe
        BGP.originator_id: 80.94.64.39
        BGP.cluster_list: 80.94.64.3

5580:661 - outside this region: discard traffic (194.33.96.61/32)

5580:661 effect:

5580:661 visualised
(Atlas data)

From route collector in Amsterdam:
    [ams1 14:37:51 from 78.152.62.241] * (100/-) [AS15562i]
        Type: BGP unicast univ
        BGP.origin: IGP
        BGP.as_path: 15562
        BGP.next_hop: 80.94.64.39
        BGP.local_pref: 650
        BGP.community: (5580,661) (5580,26220) (65535,65281) (65123,2002)
            5580:661 - action: selective discard: only outside region_of_origin                   /* set by customer */
            5580:26220 - info: route learned from_transit_customer in amsterdam north europe
            65535:65281 - action: no_export to ebgp
            65123:2002 - internal community: scoped target: north region in europe
        BGP.originator_id: 80.94.64.39
        BGP.cluster_list: 80.94.64.3

5580:665 - outside this metro: discard traffic (194.33.96.65/32)

5580:665 effect:

5580:665 visualised
(Atlas data)

From route collector in Amsterdam:
    [ams1 14:37:51 from 78.152.62.241] * (100/-) [AS15562i]
        Type: BGP unicast univ
        BGP.origin: IGP
        BGP.as_path: 15562
        BGP.next_hop: 80.94.64.39
        BGP.local_pref: 650
        BGP.community: (5580,665) (5580,26220) (65535,65281) (65123,10020)
            5580:665 - action: selective discard: only outside metro_of_origin                  /* set by customer */
            5580:26220 - info: route learned from_transit_customer in amsterdam north europe
            65535:65281 - action: no_export to ebgp
            65123:10020 - internal community: scoped target: specific city: amsterdam

5580:666 - discard traffic everywhere (regular blackhole) (194.33.96.66/32)

5580:666 effect:

(unsurprisingly)
5580:666 visualised
(Atlas data)

From route collector in Amsterdam:
    [ams1 14:25:23 from 78.152.62.241] * (100/-) [AS15562i]
        Type: BGP unicast univ
        BGP.origin: IGP
        BGP.as_path: 15562
        BGP.next_hop: 10.0.0.1
        BGP.med: 0
        BGP.local_pref: 1000000
        BGP.community: (5580,666) (65535,65281) (65535,65283)
            5580:666 - action: atrato:blackhole:everywhere                 /* set by customer */
            65535:65281 - action: no_export to ebgp
            65535:65283 - action: rfc1997 no_export
        BGP.originator_id: 80.94.64.39
        BGP.cluster_list: 80.94.64.3