Stopping DDoS at an Internet Exchange

A network suffering from a DDoS attack can trigger a blackhole route to the attacked IP and save their network. When other networks see this null route, they no longer know where to send the data for that particular IP address. All of that data is simply dropped (into a black hole!) by their routers. This also completes the attack on the targeted IP address, causing it to be unreachable.

For such an important network-saving practice, you would think that all networks trigger these blackhole routes in a standard way. This is actually not the case just yet. Our friends at DE-CIX gave a talk about this very topic at the recent North American Network Operators Group in San Francisco. They have also proposed an internet draft for blackholing at internet exchange points such as theirs. A proposal such as this begins the necessary conversation between network operators with the intent on reaching a standardized best practice. The initial proposal may go through many changes after receiving comments and criticism. A somewhat similar proposal was made back in 1996 by engineers at Cisco, calling for the implementation of a “no export” route.

Network operators currently use different mechanisms to implement black hole signaling between routers. That means each time a network joins a new exchange point such as DE-CIX, they must investigate how the group has decided to signal null routes. For example, to trigger a null route on their exchange, a network’s router should signal the next-hop through bgp with a specific IP address. Other exchange point practices include tagging routes with a pre-chosen bgp community.

We’ll be watching the progress of this draft closely. As the Staminus infrastructure continues to grow, we look forward to arriving at many new exchange points to interconnect our network with many others as we do with DE-CIX. These peering exchanges thrive on mutual agreement, defined standards, and best practices. Discussing an internet standard for something this important just makes sense.

Leave a Reply

Your email address will not be published. Required fields are marked *