BGP Speaker Black Hole Example

Black hole routing is used to protect a service provider‘s internal network from distributed denial of service (DDoS) attacks. The strategy is to drop inbound DDoS attack traffic destined to a target network at the edge of the provider network as soon as the target is identified.

Since the attack traffic may enter the service provider network from any of its edge routers, it is not feasible to manually configure a static black hole route entry on each edge router. The problem is further complicated by the fact that the target network, and the need to block traffic to it, is dynamic. Also, the service provider may serve multiple customers and you don‘t want to drop traffic to a customer network until it is identified as a target for an ongoing attack.

Instead, a service provider can use BGP to distribute a black hole route (route entry for the target network with a black hole next-hop) from a single router to all its edge BGP speakers that will then drop traffic destined to the victim‘s network right at the provider edge. The following figure shows an example topology to achieve this.
expand icon
Black Hole Routing Using BGP
../Graphics/EX_bgp_0006_blackhole.svg