Arvig® Automated RTBH

OVERVIEW: This document describes the Arvig implementation process of Automated Remote-Triggered Black Hole (RTBH) configuration, troubleshooting and verifications. Automated RTBH is a method used to block unwanted traffic from a specific host address destination, by directing traffic to a Null0 interface. The Black Hole routing mitigates the Denial of Service (DoS) attack but will also drop all legitimate traffic destined for the host address.

Arvig’s Automated RTBH allows customers to remain hands off during a DoS event. Each customer will have their own managed object setup and each managed object will have the customer allowed prefixes listed. The managed object is set up with a host detection profile that defines the thresholds for each attack type. When a threshold is reached for an attack type, Arvig’s Automated RTBH will elevate an alert to high, for the prefix being attacked. At that point, Arvig’s Automated RTBH will advertise a host prefix with the Arvig RTBH community and distribute to all border routers. Arvig border routers will then Black Hole traffic destined to the prefix being attacked. The Black Hole route will persist until the attack ends.

REQUIREMENTS:

  • Customer must have an active business internet connection with Arvig
  • Customer should contact their Arvig account representative to initiate Automated RTBH
  • Only customers registered prefixes are allowed

EXCLUSIONS:

  • Black Hole mitigation will disrupt all traffic to the host (IPv4 /32, IPv6 /128) prefix
  • Arvig will not forward RTBH prefixes to Arvig Transit or IXP neighbors, the prefix will be published to all Arvig border routers only

PROCESS: Once Arvig’s Automated RTBH identifies a DoS attack and the level of the attack is elevated to a high status Arvig’s Automated RTBH will send the host prefix with the Arvig RTBH community. Arvig’s neighbor router will install the prefix attribute by setting the next-hop address to either 192.0.2.1/32 for IPv4 or 100::1/128 for IPv6. All packets forwarded to the next-hop address of 192.0.2.1/32 or 100::1/128 will be directed to the Null0 interface. All traffic to Null0 will be dropped and all of Arvig’s border routers will be updated with the appropriate Null0 route for the customer prefix.

Once the attack ends, Arvig’s Automated RTBH will retract the BGP advertisement of the host prefix, and the Null0 route will be removed from all border routers as fast as BGP updates occur.