Remotely-Triggered Black Hole (RTBH) routing is one application of BGP as a security tool within a service provider network. RTBH is frequently deployed in the mitigation of DDoS attacks, particularly when incoming traffic needs to be blocked at the edge before it reaches its target.
The initial two steps in configuring RTBH are best completed prior to an attack.
The first involves null route preparation. A specially crafted BGP route is injected into the network, effectively compelling routers to drop all traffic with a specified next-hop, thereby generating a “black hole.” This route is added to all edge routers. Any IP address can be used for the black hole route.
The next step is route-map preparation. A route-map is created that redistributes specific tagged static routes into BGP with an altered next-hop value. That next-hop recurses to the static Null0 route implemented in the first step, so routers drop any matching traffic.
Step 3, which should be launched once an attack is detected and a decision has been taken to block traffic, involves creating a static route for the victim address on the management router. A route cannot be advertised with an invalid next-hop, so a tag value needs to be added to guarantee that the RTBH route-map redistributes the route into BGP with an altered next-hop. Once the victim route has been injected, verify that the edge routers are indeed dropping all traffic bound for the specified prefix. This renders the victim unreachable, so the DDoS attack can no longer accomplish its goal. Furthermore, the provider’s internal infrastructure is protected from the flood of unexpected traffic, giving security teams more time and space to investigate and correctly mitigate the attack.
RTBH can enhance network security by effectively mitigating DDoS and worm attacks, quarantining all traffic destined for the target, and enforcing blacklist filtering. RTBH is enabled by running internal BGP at the access and aggregation points and configuring a separate device in the network operations center to play the role of a trigger. The trigger device sends BGP updates to the edge routers, telling them which traffic to drop by forwarding it to the Null0 interface.
If the source address of the attack is known, it is better to drop all traffic at the edge from that source address, irrespective of the destination address, thereby permitting legitimate traffic to pass through and reach the target. Source-based black hole filtering depends on Unicast Reverse Path Forwarding (uRPF), most often in loose mode. Loose uRPF checks the packet and forwards it if it determines that there is a route entry for the source IP of the incoming packet in the router FIB. If the router does not have a FIB entry for the source IP address, or if that entry points to Null0, the Reverse Path Forwarding (RPF) check fails and the packet is dropped.
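The three preparation and trigger steps above, together with the source-based variant, as an added Cisco IOS configuration example that is not from the original article; the AS number, neighbor and interface names, the black-hole address 192.0.2.1, the tag 666, and the victim and attacker addresses are all assumed placeholders:

```cisco
! --- Edge routers (before an attack): step 1, the null route ---
! 192.0.2.1 is an assumed, otherwise unused address (TEST-NET-2).
ip route 192.0.2.1 255.255.255.255 Null0
!
! Loose-mode uRPF on the customer/peer-facing interface so that the
! source-based black hole (below) takes effect: "reachable-via any"
! accepts a packet if any FIB entry exists for its source and that
! entry does not point to Null0; otherwise the packet is dropped.
interface GigabitEthernet0/1
 ip verify unicast source reachable-via any
!
! --- Trigger router in the NOC (before an attack): step 2, the route-map ---
! iBGP session to the edge (AS 65000 and neighbor address are assumed).
router bgp 65000
 neighbor 10.255.0.2 remote-as 65000
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 send-community
 redistribute static route-map RTBH
!
! Only static routes tagged 666 are redistributed; their next hop is
! rewritten to the black-hole address so that the edge recurses onto
! its Null0 route. no-export keeps the route inside the provider AS.
route-map RTBH permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH deny 20
!
! --- Trigger router, during an attack: step 3 ---
! Destination-based: black-hole the victim host (placeholder address).
ip route 198.51.100.10 255.255.255.255 Null0 tag 666
!
! Source-based alternative: black-hole a known attack source instead
! (placeholder address). Loose uRPF at the edge then drops packets
! from that source on ingress, regardless of destination.
ip route 203.0.113.77 255.255.255.255 Null0 tag 666
!
! --- Verification on an edge router ---
! show ip bgp 198.51.100.10     -> next hop 192.0.2.1, community no-export
! show ip route 198.51.100.10   -> learned via BGP, next hop 192.0.2.1
! show ip cef 198.51.100.10     -> should resolve to Null0 (drop)
! show ip interface GigabitEthernet0/1 | include verif
```

Removing the tagged static route from the trigger router withdraws the BGP route and restores normal forwarding for the prefix.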
If the service provider doesn’t have default routes at its network edges, black hole triggers can be regionalized by using a different next hop on the trigger router for different tags. The edge router will then black hole traffic to the specified destination, depending on whether it has a route to the next hop or not.
The problem with black-holing is that even though it protects the target’s neighbors and everyone else on the carrier infrastructure, it shuts down the victim, effectively completing the denial of service.