Automated traffic dropping to protect network stability
BGP Blackhole mitigation—often referred to as RTBH (Remote Triggered Black Hole)—is a routing-based technique used to protect networks during large-scale DDoS attacks by deliberately dropping traffic to a targeted destination. While this approach sacrifices availability for the affected host or prefix, it prevents attack traffic from overwhelming shared infrastructure and impacting the wider network.
FastNetMon automates BGP Blackhole mitigation as part of a controlled, operator-defined DDoS response strategy. Detection, decision-making, and execution are handled automatically, without requiring manual intervention during an active attack.
What BGP Blackhole mitigation does—and when it’s used
In a BGP Blackhole scenario, traffic destined for an attacked host or prefix is routed to a null interface, effectively dropping all packets before they consume bandwidth or router resources. This technique is typically applied at the /32 (IPv4) or /128 (IPv6) level, though larger prefixes may be used depending on routing policy.
BGP Blackholing is not intended to preserve service availability for the affected destination. Instead, it is used when the priority is protecting the rest of the network—particularly in situations where attack volume is high enough to threaten shared links, routing infrastructure, or upstream capacity.
This makes RTBH especially valuable for service providers, ISPs, and large networks where isolating a single customer or service is preferable to risking widespread disruption.
Why blackholing focuses on the destination, not the source
In most DDoS scenarios, attempting to block individual attack sources is ineffective. Attacks are commonly distributed across large botnets, frequently involve spoofed source addresses, and change rapidly over time.
BGP Blackhole mitigation avoids this problem by focusing on the attack target instead of chasing individual sources. By dropping traffic to the destination, the network is immediately protected from the aggregate impact of the attack—regardless of how many sources are involved.
How FastNetMon automates RTBH
FastNetMon continuously monitors live network traffic and detects DDoS attacks in near real time using operator-defined thresholds. When an attack is identified and meets the criteria for blackholing, FastNetMon automatically initiates RTBH according to predefined rules.
This typically involves:
- Announcing a blackhole route via BGP
- Applying the appropriate BGP community or next-hop
- Propagating the announcement to internal routers, upstream providers, or both
FastNetMon supports both internal RTBH, where traffic is dropped within your own network, and upstream RTBH, where blackholing occurs at the provider edge to protect core infrastructure and transit links.
Once the attack subsides, FastNetMon can automatically withdraw the blackhole route, restoring normal traffic without manual cleanup.
Full blackhole mitigation lifecycle
FastNetMon supports the complete RTBH lifecycle:
- Detection – Identify attack traffic in near real time
- Decision – Evaluate operator-defined thresholds and policies
- Announcement – Inject blackhole routes via BGP
- Withdrawal – Remove routes when the attack ends
This lifecycle ensures blackholing is applied deliberately, temporarily, and consistently.
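The four lifecycle stages above as a minimal controller, added here as an example and not FastNetMon's own code. It assumes ExaBGP-style text API commands and the RFC 7999 BLACKHOLE community; the prefixes, discard next hops, threshold and hold time are constructed values.

```python
import ipaddress

BLACKHOLE = "65535:666"  # well-known BLACKHOLE community (RFC 7999)
# Constructed values (assumptions): protected prefixes, discard next hops, policy.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]
DISCARD_NEXT_HOP = {4: "192.0.2.1", 6: "100::1"}  # must resolve to a null route on routers
THRESHOLD_MBPS = 5000  # hypothetical operator threshold
QUIET_SECONDS = 300    # hypothetical hold time before withdrawal


class RtbhController:
    """Tracks blackholed hosts and emits ExaBGP-style announce/withdraw lines."""

    def __init__(self):
        self.active = {}  # host route -> (time attack was last seen, IP version)

    def _host_route(self, target):
        addr = ipaddress.ip_address(target)
        # Guardrail: never blackhole address space we do not originate.
        if not any(addr in net for net in OWN_PREFIXES):
            raise ValueError(f"{addr} is outside the protected prefixes")
        return addr, f"{addr}/{addr.max_prefixlen}"  # /32 or /128

    def _command(self, verb, route, version):
        nh = DISCARD_NEXT_HOP[version]
        return f"{verb} route {route} next-hop {nh} community [{BLACKHOLE}]"

    def observe(self, target, mbps, now):
        """Detection + decision: announce once when a host crosses the threshold."""
        addr, route = self._host_route(target)
        if mbps < THRESHOLD_MBPS:
            return []
        is_new = route not in self.active
        self.active[route] = (now, addr.version)
        return [self._command("announce", route, addr.version)] if is_new else []

    def tick(self, now):
        """Withdrawal: timer-based, because upstream drops hide the attack from us."""
        expired = [r for r, (seen, _) in self.active.items() if now - seen >= QUIET_SECONDS]
        return [self._command("withdraw", r, self.active.pop(r)[1]) for r in expired]


if __name__ == "__main__":
    ctl = RtbhController()
    print(ctl.observe("203.0.113.5", 8000, now=0))
    print(ctl.tick(now=300))
```

With upstream RTBH the sensor stops seeing the dropped traffic, so a resumed attack becomes visible only after withdrawal and triggers a fresh announcement.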
RTBH and Flow Spec: different tools for different situations
BGP Blackhole and BGP Flow Spec serve distinct roles in a layered DDoS defence strategy.
Flow Spec is designed to filter specific malicious traffic patterns while preserving legitimate flows. BGP Blackhole, by contrast, drops all traffic to the affected destination and is typically used when attack volume exceeds what selective filtering can safely handle.
In practice, many operators use Flow Spec first and escalate to RTBH only if necessary. FastNetMon supports both approaches and allows engineers to define escalation logic explicitly, based on traffic volume, duration, or other operational criteria.
Flexible deployment options
FastNetMon supports multiple RTBH deployment models, including:
- Blackholing within your own network using iBGP
- Blackholing via upstream providers using agreed BGP communities
- Hybrid models combining internal and upstream enforcement
These options allow operators to choose where traffic is dropped—at the edge, upstream, or both—based on capacity, topology, and commercial agreements.
Designed to protect the rest of the network
The purpose of RTBH is not to keep the attacked host online, but to preserve the stability of the network as a whole. By isolating attack traffic quickly and automatically, FastNetMon helps ensure that unaffected customers, services, and infrastructure continue to operate normally.
For networks where uptime and predictability matter, automated blackholing provides a critical safety valve during extreme attack conditions.
Part of a broader DDoS mitigation stack
BGP Blackhole automation with FastNetMon integrates seamlessly with the platform’s other capabilities, including real-time DDoS detection, BGP Flow Spec mitigation, scrubbing centre diversion, blocklist-based filtering, and API-driven integrations with external systems.
This allows operators to build layered, deterministic DDoS defence strategies tailored to their own networks and operational practices.

