Distributed Denial of Service (DDoS) attacks aim to disrupt service provider operations by overwhelming networks with malicious traffic. Attackers can use several different strategies to consume resources, such as bandwidth, memory, or CPU resources of network equipment. The result blocks access to network resources from legitimate sources, such as real customers, or completely brings down server endpoints.
A BGP BlackHole is a routing technique proven to be an effective and affordable way to mitigate DDoS attacks and limit their effect. FastNetMon offers complete integration with RTBH (remote-triggered blackhole) capabilities to augment your DDoS detection measures.
Would you like to keep your network safe?
Try the FastNetMon full trial free for 1 month.
What is BGP BlackHole DDoS mitigation?
The high-level concept of using a BGP Blackhole to detect and mitigate DDoS attacks is relatively straightforward. When a DDoS attack is detected, the router redirects traffic for the victim address to the null0 interface – the black hole in this case. Routing traffic to this null-route effectively drops it from the network, never to be seen again, much like the natural phenomenon it’s named after. Blackhole routes are usually announced at the host level: /32 for IPv4 and /128 for IPv6.
RTBH filtering is a specific approach that uses BGP routing protocol updates to manipulate route tables at the network edge to specifically drop illegitimate traffic before it enters the service provider network. You can use iBGP or announce BlackHole routes via a specific BGP community to redistribute or blackhole this traffic on the upstream ISP side.
BGP mitigation can also be implemented in a variety of forms. One is BGP diversion, using a BGP announcement that indicates to all networks that traffic should be routed to the provider’s data centres or external scrubbing centres. From there, traffic can further be dispersed among other providers. The result is to dilute the malicious traffic beyond the point of effectiveness and move it to a location specially built to resist attacks.
You might wonder why to use BGP blackholing rather than directly blocking the source hosts of a DDoS attack. Experience has shown that attempting to stop the source of the attack doesn’t make sense. Why? Because in most cases, the attack comes from a huge number of hosts. Also, attackers quite often keep changing the source IP of the attack using spoofing techniques. Constantly trying to catch up with a huge list of changing addresses is a waste of time.
Because traffic to the targeted network asset is being dropped, the machine is effectively “down” from an internal and external perspective. However, implementing BGP as part of your DDoS detection and mitigation stack still provides significant benefits:
Traditionally, launching a BGP BlackHole response requires manually detecting an incident, investigating it to determine that it is a DDoS attempt, then SSHing into the remote trigger router or informing the ISP/network provider to start null-routing traffic, and finally notifying them once again when the attack has ceased.
This approach falls short by adding to the time it takes to detect and respond to a DDoS attack. Not to mention the added stress on your SecOps – while under a DDoS attack, every second lost represents stolen opportunities that will directly affect your bottom line.
Luckily, BGP responses can be automated, and this is especially useful with RTBH filtering. BGP DDoS automation automatically and remotely triggers mitigation actions whenever it detects traffic that deviates from established thresholds and internal policies.
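The automated RTBH flow described above, as an added example that is not FastNetMon's own code: constructed per-destination packet counters are compared against a threshold, and each victim address that exceeds it is turned into a /32 or /128 host route carrying the RFC 7999 BLACKHOLE community. The ExaBGP-style command text, the operator prefix list and the null next-hop addresses are assumptions; the allow-list check ensures the automation can only ever blackhole addresses inside your own address space.

```python
import ipaddress

# Constructed allow-list of the operator's own address space (assumption, not from the page).
OWN_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8::/32")]
# RFC 7999 well-known BLACKHOLE community; upstreams commonly accept it on /32 and /128 routes.
BLACKHOLE_COMMUNITY = "65535:666"
# Next-hop that the edge router statically routes to null0 (constructed values).
NULL_NEXT_HOP = {4: "192.0.2.1", 6: "2001:db8::1"}


def host_route(target: str):
    """Turn a detected victim address into the /32 or /128 host route RTBH operates on."""
    addr = ipaddress.ip_address(target)
    return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")


def is_own_prefix(net) -> bool:
    """Safety check: refuse to announce routes for address space we do not own."""
    return any(net.version == p.version and net.subnet_of(p) for p in OWN_PREFIXES)


def rtbh_command(target: str, withdraw: bool = False) -> str:
    """Build the announce (attack start) or withdraw (attack end) command for one victim host."""
    net = host_route(target)
    if not is_own_prefix(net):
        raise ValueError(f"{net} is outside the operator's own prefixes; refusing to blackhole")
    verb = "withdraw" if withdraw else "announce"
    # ExaBGP-style text command (assumed syntax for illustration).
    return f"{verb} route {net} next-hop {NULL_NEXT_HOP[net.version]} community [{BLACKHOLE_COMMUNITY}]"


def blackhole_candidates(flow_samples, pps_threshold: int):
    """Sum per-destination packet counts from flow samples over one second window and
    return the destinations that exceed the configured threshold."""
    totals = {}
    for dst, packets in flow_samples:
        totals[dst] = totals.get(dst, 0) + packets
    return sorted(dst for dst, n in totals.items() if n >= pps_threshold)


# Constructed flow samples: (destination, packets seen in this sample).
SAMPLES = [("192.0.2.10", 40000), ("192.0.2.10", 80000), ("192.0.2.20", 500)]

if __name__ == "__main__":
    for victim in blackhole_candidates(SAMPLES, pps_threshold=100000):
        print(rtbh_command(victim))            # sent when the attack is detected
        print(rtbh_command(victim, withdraw=True))  # sent when the attack ceases
```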
Ways to Implement Automated BGP BlackHole for DDoS Detection
Based Inside of Your Network
This feature has the benefit of fast and flexible implementation that gives you total control of your DDoS detection and mitigation efforts. You will need to manually make the necessary router configuration changes to implement your BlackHole policies and define your null-routes. However, your ability to mitigate DDoS attacks will be limited by your network capacity.
Based on Your Internal Network in Conjunction with Your ISP
Any BGP implementation is only as effective as the speed and accuracy of your on-site DDoS protection solution. FastNetMon provides near instantaneous DDoS detection and can immediately launch a mitigation response. The first step of routing malicious traffic off your network resources is the most crucial part, and this is where FastNetMon excels. We also use several intelligent traffic analysis techniques with network-wide visibility to detect DDoS attempts with the highest accuracy.
Why FastNetMon for your BGP BlackHole
Here is why you should consider FastNetMon as your network security partner to detect and mitigate DDoS attacks using BGP BlackHole routing:
FastNetMon offers three configurations:
- BGP peering connection with existing routers in your network.
- Direct BGP peering connection with upstream providers (optional via a dedicated BlackHole session).
- A hybrid implementation that includes simultaneous connections with upstream providers and existing routers in the network.
Lightning-fast DDoS detection from 2 seconds.
Fully-automated BGP solution with no human intervention required.
After detecting a DDoS attack, FastNetMon will inform your engineering team and provide all relevant data to your router as a BGP announcement (IPv4, IPv6). The router immediately notifies providers and kicks off the BlackHole chain.
It gives you full management of the BGP BlackHole with flexible traffic blocking capabilities to keep as much of your network up and running during an attack as possible.
FastNetMon’s goal is to help you maintain business operations and service provision, even during massive DDoS attacks. Keep unaffected routers and servers up and running while isolating and deflecting traffic from affected assets. For some businesses, the network IS the business, and we aim to minimise the potentially colossal impact these events can have on your bottom line.
FastNetMon BGP BlackHole Automation feature supports
Each of your edge routers acts as a filter, ensuring business-as-usual for your core network systems. You need fast, efficient routers that support FlowSpec and the capacity needed to absorb DDoS attacks.
Integration with Cloud DDoS Scrubbing Centre
Reduce the load of DDoS mitigation on your resources by redirecting traffic to a third-party scrubbing centre that will filter the malicious traffic. Find more about how it works here.
How much does FastNetMon cost?
FastNetMon's pricing starts at $115 (USD) per month with no hidden fees. Find our full pricing schedule here. You can also try the full-access trial of FastNetMon's DDoS detection with BGP BlackHole capabilities for one whole month.