BGP Blackholing

Border Gateway Protocol (BGP) Blackholing allows Public Peering participants to request that TurkIX discard traffic directed to a specific prefix (a single IP address or a network). The request is made by announcing the prefix, tagged with the blackhole community, over the member's existing BGP sessions with the Route Servers (RS).

BGP Blackholing is an effective solution for mitigating large-scale DDoS attacks that overwhelm member networks and disrupt their regular operations.

By discarding packets destined for a blackholed host or network within the TurkIX infrastructure, the affected member's network is relieved of excess traffic. This ensures that unaffected and unblocked resources can continue to operate normally.
Implementation
BGP Blackholing operates at the packet forwarding layer, enabling it to function seamlessly whether members connect through Route Servers or establish private BGP sessions.
The blocking is applied outbound to the port(s) of the member issuing the BGP Blackholing announcement. This design ensures that an erroneous announcement by one member cannot inadvertently block traffic destined for another member, even if the announcement is deemed valid according to RIR or RPKI policies.
This mechanism only impacts Public Peering traffic and does not interfere with P2P Private VLANs or other services.
There is no strict limit on the number of BGP Blackholing announcements the Route Servers accept; they are processed like any other announcement. A large number of them is nevertheless discouraged, because they count toward the max-prefix limit configured on the Route Servers and exceeding it would cause the member's BGP session to drop.
Blackholing announcements are not redistributed to other members, which has two advantages:
- BGP Blackholing works regardless of whether other members accept IPv4 prefixes more specific than /24, which they usually do not.
- The announcements do not add to the number of prefixes other members receive, so they cannot push those members over their own max-prefix limits and tear down their BGP sessions.
Activation:
To block traffic to a prefix, announce it tagged with BGP Community 65535:666 (the well-known BLACKHOLE community defined in RFC 7999). The prefix length restrictions are:
- IPv4: /25 and greater (up to /32);
- IPv6: /49 and greater (up to /128).
Announcing the prefix to only one Route Server is sufficient. Announcements that do not meet the above conditions (missing community or a prefix length outside the allowed range) are ignored rather than installed as blackholes.
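The following is an added example, not TurkIX's own Route Server code. It models the two rules the page states: an announcement is accepted as a blackhole only if it carries 65535:666 and falls within the allowed prefix-length ranges, and an accepted blackhole drops packets only on the egress port of the member that announced it, never on other members' ports. The `Announcement` and `BlackholeTable` names, the port labels and the sample announcements are all constructed for the illustration; how the real Route Servers and switches implement this internally is not described on the page.

```python
"""Toy model of an IXP route-server blackhole filter and per-port egress drop.

Added example (not TurkIX code). Assumes exactly the acceptance rules stated
on the page: community 65535:666, IPv4 /25-/32, IPv6 /49-/128, and that a
blackhole is applied only on the announcing member's own port(s).
"""
import ipaddress
from dataclasses import dataclass, field

# RFC 7999 BLACKHOLE well-known community, written as (ASN, value).
BLACKHOLE_COMMUNITY = (65535, 666)


@dataclass(frozen=True)
class Announcement:
    """A BGP UPDATE as seen by the route server (constructed, simplified)."""
    member_port: str                         # hypothetical port label, e.g. "port-A"
    prefix: str                              # e.g. "203.0.113.7/32"
    communities: frozenset = field(default_factory=frozenset)


def is_valid_blackhole(ann: Announcement) -> bool:
    """True if the route server would treat this announcement as a blackhole request."""
    if BLACKHOLE_COMMUNITY not in ann.communities:
        return False                          # no 65535:666: an ordinary route, not a blackhole
    try:
        net = ipaddress.ip_network(ann.prefix, strict=True)
    except ValueError:
        return False                          # malformed prefix or host bits set
    if net.version == 4:
        return 25 <= net.prefixlen <= 32      # /24 and shorter are ignored
    return 49 <= net.prefixlen <= 128         # /48 and shorter are ignored


class BlackholeTable:
    """Accepted blackholes keyed by announcing port; nothing here is re-exported."""

    def __init__(self) -> None:
        self._by_port: dict[str, set] = {}

    def learn(self, ann: Announcement) -> bool:
        """Install the blackhole if valid; return whether it was installed."""
        if not is_valid_blackhole(ann):
            return False
        net = ipaddress.ip_network(ann.prefix, strict=True)
        self._by_port.setdefault(ann.member_port, set()).add(net)
        return True

    def withdraw(self, ann: Announcement) -> bool:
        """Remove a previously installed blackhole; return whether one was removed."""
        nets = self._by_port.get(ann.member_port, set())
        try:
            nets.discard(ipaddress.ip_network(ann.prefix, strict=True))
        except ValueError:
            return False
        return True

    def exported_to(self, port: str) -> list:
        """Blackholes are never redistributed, so every member receives none of them."""
        return []

    def should_drop(self, egress_port: str, dst_ip: str) -> bool:
        """Drop only when the packet leaves on the port that asked for the blackhole."""
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in net for net in self._by_port.get(egress_port, ()))


if __name__ == "__main__":
    bh = frozenset({BLACKHOLE_COMMUNITY})
    table = BlackholeTable()
    # Constructed sample announcements from a hypothetical member on "port-A".
    for ann in (
        Announcement("port-A", "203.0.113.7/32", bh),      # accepted
        Announcement("port-A", "203.0.113.0/24", bh),      # ignored: /24 is too short
        Announcement("port-A", "198.51.100.9/32"),         # ignored: no 65535:666
        Announcement("port-A", "2001:db8::1/128", bh),     # accepted
        Announcement("port-A", "2001:db8::/48", bh),       # ignored: /48 is too short
    ):
        print(f"{ann.prefix:20} installed={table.learn(ann)}")
    print("drop on port-A:", table.should_drop("port-A", "203.0.113.7"))
    print("drop on port-B:", table.should_drop("port-B", "203.0.113.7"))
```

The per-port keying in `should_drop` is the property the Implementation section relies on: a member that mistakenly blackholes a prefix it does not hold only blocks traffic on its own port, so the error cannot affect another member's reachability.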