UAE-IX Blackholing Guide
Blackholing is typically used to fight massive DDoS attacks which congest the physical connection between UAE-IX and a customer router. A detailed description of how Blackholing works at UAE-IX is available here.
Besides signaling a blackhole via direct peering, you can signal blackholes via the route servers at UAE-IX.
Blackholing via direct peering
You have to set the corresponding next-hop manually (please see the table below) when signaling a blackhole on a direct peering session. Please also ask your peers to accept up to /32 for IPv4 and up to /128 for IPv6 from you so that the service works correctly.
Blackholing via the Route Servers
If you want to blackhole a certain IP prefix by using the conventional or Blackholing route servers, there are two ways of achieving this:
- The BGP announcement carrying the IP prefix that should be blackholed is marked with the BLACKHOLE BGP Community (65535:666). This is the recommended way as it makes the handling a lot easier.
- Or: the BGP announcement carrying the IP prefix that should be blackholed contains as next-hop a pre-defined blackhole IP address. The table below lists the IPv4 and IPv6 blackhole IP addresses for UAE-IX and interconnected IXPs:
IXP | Blackhole Next-Hop IP address IPv4 | Blackhole Next-Hop IP address IPv6 | BGP BLACKHOLE Community |
---|---|---|---|
UAE-IX | 185.1.8.66 | 2001:7f8:73::efbe:42:1 | 65535:666 |
DE-CIX Marseille | 185.1.47.66 | 2001:7f8:36::50ed:42:1 |
Please do not set the NO-EXPORT or NO-ADVERTISE Community on the BGP announcements marked as blackhole as this tells the route servers to not re-distribute this announcement. The route servers will add NO-EXPORT automatically.
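A pre-flight check for the two route-server signaling methods and the NO-EXPORT/NO-ADVERTISE rule above, as an added example (not UAE-IX's own code). The function name and the sample routes are constructed for illustration; the blackhole next-hops and the BLACKHOLE community come from the table, and the NO-EXPORT and NO-ADVERTISE values are the well-known communities from RFC 1997.

```python
import ipaddress

# Values taken from the table in this guide.
BLACKHOLE_COMMUNITY = (65535, 666)
BLACKHOLE_NEXT_HOPS = {
    "UAE-IX": ("185.1.8.66", "2001:7f8:73::efbe:42:1"),
    "DE-CIX Marseille": ("185.1.47.66", "2001:7f8:36::50ed:42:1"),
}
# Well-known communities (RFC 1997) that the customer must not set.
NO_EXPORT = (65535, 65281)
NO_ADVERTISE = (65535, 65282)


def check_blackhole_announcement(prefix, next_hop, communities, ixp="UAE-IX"):
    """Hypothetical helper: return a list of problems (empty means well-formed)."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits
        hop = ipaddress.ip_address(next_hop)
    except ValueError as exc:
        return [f"invalid prefix or next-hop: {exc}"]

    problems = []
    v4_hop, v6_hop = BLACKHOLE_NEXT_HOPS[ixp]
    expected_hop = ipaddress.ip_address(v4_hop if net.version == 4 else v6_hop)

    if hop.version != net.version:
        problems.append("next-hop address family does not match the prefix")
    # Either signal is enough: the community (recommended) or the next-hop.
    if BLACKHOLE_COMMUNITY not in communities and hop != expected_hop:
        problems.append("neither BLACKHOLE community nor blackhole next-hop is set")
    for name, value in (("NO-EXPORT", NO_EXPORT), ("NO-ADVERTISE", NO_ADVERTISE)):
        if value in communities:
            problems.append(f"{name} is set; route servers will not re-distribute")
    return problems


if __name__ == "__main__":
    # Constructed sample routes using documentation prefixes.
    samples = [
        ("192.0.2.1/32", "198.51.100.10", {(65535, 666)}),
        ("192.0.2.1/32", "185.1.8.66", set()),
        ("192.0.2.1/32", "198.51.100.10", {(65535, 666), NO_EXPORT}),
        ("2001:db8::1/128", "2001:db8:ffff::1", set()),
    ]
    for prefix, hop, comms in samples:
        print(prefix, hop, check_blackhole_announcement(prefix, hop, comms) or "OK")
```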
Configuration examples of how to set up a BGP session to the Blackholing route server can be found in the UAE-IX Route Server Guide.