
BGP Blackholing, also known as RTBH (Remotely Triggered Black Hole), is a well-established technique in the DDoS mitigation playbook. It’s fast, effective, and uses your upstream providers’ infrastructure to stop attack traffic before it ever reaches your network.
But despite its power, RTBH is not always the right tool for the job.
In this post, we’ll explore when BGP blackholing is a smart response — and when it could cause more harm than good.
A Quick Recap: What is BGP Blackholing?
RTBH is a routing technique that drops all traffic destined for a specific IP address by directing it to a null route (Null0). From the attacker’s perspective, it’s as if the destination has vanished from the internet.
RTBH is often used in automated DDoS protection systems (like FastNetMon) to rapidly shut down attack traffic. It works by announcing a BGP route for the attacked IP with specific communities that instruct upstream routers to drop the traffic before it enters your network.
You can learn more in our complete guide on BGP Blackhole Automation for DDoS mitigation.
When RTBH Is a Good Choice
- Volumetric DDoS attacks
If your network is under a massive Layer 3/4 flood (like UDP or SYN flood), blackholing an attacked IP can instantly remove the pressure from your infrastructure.
- Attacks on non-critical services
If the attacked host is already offline or not essential, blackholing it may have minimal impact but prevent broader damage.
- Protecting shared infrastructure
If an attack threatens shared links, routers, or services (like firewalls), blackholing a single target can protect everything else.
- As an emergency triage measure
When response time is critical, RTBH can act as a quick mitigation while more advanced techniques (like BGP FlowSpec) are deployed.
- As part of automated DDoS mitigation
Integrated with tools like FastNetMon, RTBH becomes a smart, fast, and hands-off way to control high-volume attacks.
When RTBH Is Not a Good Choice
- When the target is a critical service or customer
RTBH drops all traffic — good and bad. You’re essentially unplugging yourself from the internet. Not ideal if the attacked service is revenue-critical.
- Application-layer (L7) attacks
If attackers are mimicking legitimate web traffic (HTTP floods, bot attacks), RTBH won’t help — it doesn’t inspect or filter by application logic. In these cases, scrubbing or WAFs are more effective.
- Spoofed or distributed attacks across multiple targets
Blackholing one IP won’t solve a broader attack or one that’s constantly shifting between targets.
- In multi-tenant environments or shared hosting
If multiple services or customers share an IP, RTBH can create unintended outages.
- If misused or triggered too aggressively
Without clear thresholds and logic, RTBH can be used maliciously or mistakenly, causing self-inflicted downtime.
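The criteria in the two lists above can be enforced as a gate in front of whatever triggers the blackhole announcement. The sketch below is an added example, not FastNetMon code: the class name, the addresses (RFC 5737 documentation ranges), the threshold, the TTL and the cap on active blackholes are all constructed assumptions.

```python
import ipaddress

# Constructed sample policy; every name and value here is hypothetical.
OWN = ipaddress.ip_network("203.0.113.0/24")          # address space we may blackhole
PROTECTED = {"203.0.113.10": "critical service",      # revenue-critical host
             "203.0.113.20": "shared IP"}             # multi-tenant / shared hosting
VOLUMETRIC = {"udp_flood", "syn_flood"}               # L3/4 floods only


class BlackholeGate:
    """Decides whether a detected attack may trigger RTBH for a single host."""

    def __init__(self, threshold_mbps=1000, ttl=300, max_active=3):
        self.threshold_mbps, self.ttl, self.max_active = threshold_mbps, ttl, max_active
        self.active = {}                               # host -> expiry time in seconds

    def expire(self, now):
        """Automatic unblocking: return hosts whose blackhole should be withdrawn."""
        done = sorted(h for h, t in self.active.items() if t <= now)
        for h in done:
            del self.active[h]
        return done

    def request(self, target, kind, mbps, now):
        """Return (allowed, reason) for blackholing `target` at time `now`."""
        self.expire(now)
        ip = ipaddress.ip_address(target)
        host = str(ip)
        if ip not in OWN:
            return False, "target is outside our address space"
        if kind not in VOLUMETRIC:
            return False, "not an L3/4 flood; RTBH does not filter application traffic"
        if mbps < self.threshold_mbps:
            return False, "below threshold"
        if host in PROTECTED:
            return False, f"{PROTECTED[host]}; needs operator approval"
        if host in self.active:
            return True, "already blackholed"          # keep the original expiry
        if len(self.active) >= self.max_active:
            return False, "too many active blackholes; attack is spread across targets"
        self.active[host] = now + self.ttl
        return True, "announce host route with blackhole community"
```

A refusal here is a signal to fall back to the other options the post names (FlowSpec, scrubbing, a WAF) or to an operator, not to do nothing.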
FastNetMon Makes RTBH Smarter
FastNetMon automates the entire RTBH workflow for fast and effective DDoS response:
- Real-time attack detection in under 5 seconds
- Configurable thresholds and automatic unblocking
- Integration with your BGP setup to trigger blackholing based on community values
- Custom actions, alerts, and notifications for full visibility
FastNetMon announces BGP routes for targeted IPs, which your routers can be configured to handle using predefined community-based policies — such as null routing at the edge or upstream.
Whether you want simple RTBH, or a more advanced setup with FlowSpec, scrubbing, or traffic analysis, FastNetMon helps you build a fast, flexible, and resilient DDoS defence strategy.
Learn more about FastNetMon’s RTBH automation
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats.
For more information, visit https://fastnetmon.com