Step 1

Before an attack occurs, select an address to serve as the black hole next-hop. Configure the forwarding plane of each edge router so that any packet forwarded to this next-hop is dropped:

  1. Create a black hole VLAN (Virtual LAN) with an IP address in the same subnet as the chosen black hole next-hop.
  2. Add an active port to the black hole VLAN (usually an unused port on the switch).
  3. Create a static FDB entry that maps a well-chosen, unused unicast MAC address to the black hole VLAN and to the active port added to that VLAN.
  4. Create a static ARP entry that maps the black hole next-hop to the MAC address from the previous step.
  5. Create a filter that denies every packet exiting the black hole VLAN.
    In the following example configuration, 192.168.2.0/24 is the subnet of the black hole VLAN, “BH_VLAN,” 192.168.2.1 is the switch's own address on that VLAN, and 192.168.2.66 is the chosen black hole next-hop. The active port 6:9 is added as the egress port for “BH_VLAN.” Lines beginning with “#” are comments.
    # Step 1: the black hole VLAN and its address in the next-hop's subnet
    create vlan BH_VLAN
    configure vlan BH_VLAN tag 666
    enable loopback-mode vlan BH_VLAN
    configure vlan BH_VLAN ipaddress 192.168.2.1 255.255.255.0
    enable ipforwarding vlan BH_VLAN
    disable igmp snooping vlan BH_VLAN
    disable igmp vlan BH_VLAN
    # Step 2 and 3: bind an unused MAC address to the VLAN and the unused port 6:9
    create fdb 00:02:03:04:05:06 vlan BH_VLAN port 6:9
    # Step 4: resolve the black hole next-hop to that MAC address
    configure iparp add 192.168.2.66 vr VR-Default 00:02:03:04:05:06
    # Step 5: apply the deny policy to everything leaving the VLAN
    configure access-list BH_ACL vlan BH_VLAN egress
    

    When a packet enters the forwarding plane and its route lookup returns the black hole next-hop, the subsequent ARP and FDB (forwarding database) look-ups resolve that next-hop to the MAC address above, and the packet is switched out through the black hole VLAN, “BH_VLAN,” on port 6:9. The egress ACL then drops it with its deny action. Two points matter in practice: the egress ACL is what actually discards the traffic, so the port chosen in step 2 should be one with nothing connected, and egress ACLs must be supported and installed on the platform in use; confirm the ARP entry, the FDB entry and the installed access-list with the switch's show commands before relying on the black hole.

    The following policy file discards any traffic that exits the black hole VLAN, “BH_VLAN.” The match on “source-address 0.0.0.0/0” matches every packet, ensuring that all packets exiting via the black hole VLAN are dropped:

    edit policy BH_ACL
    entry bh-acl {
        if {
            source-address 0.0.0.0/0;
        } then {
            deny;
        }
    }
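The five steps above are easy to get subtly wrong (a next-hop outside the VLAN's subnet, a multicast MAC, a VLAN tag out of range), and the result is traffic that leaks out of the "unused" port instead of being dropped. The following script, an added example that is not part of the original page, renders the configuration shown above from a small set of parameters and checks that the parameters are consistent before anything is pasted into a switch. The class and function names (BlackHoleParams, check_params, render_cli, render_policy) are assumptions made for this example; the CLI lines it emits are exactly the ones listed on the page.

```python
"""Render and sanity-check the black hole next-hop configuration.

Added example (not from the original page). The rendered CLI lines are the
ones shown in the page's example configuration; the parameter names are
assumptions made for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")
PORT_RE = re.compile(r"^\d+(:\d+)?$")  # "9" or "slot:port" such as "6:9"


@dataclass(frozen=True)
class BlackHoleParams:
    vlan_name: str    # e.g. "BH_VLAN"
    vlan_tag: int     # 802.1Q tag, 1..4094
    vlan_subnet: str  # subnet of the black hole VLAN, e.g. "192.168.2.0/24"
    vlan_ip: str      # the switch's own address on that VLAN
    next_hop: str     # the black hole next-hop that routes will point at
    mac: str          # unused unicast MAC that the next-hop is bound to
    port: str         # unused, active port added to the VLAN
    policy_name: str = "BH_ACL"
    vr: str = "VR-Default"


def check_params(p: BlackHoleParams) -> List[str]:
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    try:
        net = ipaddress.ip_network(p.vlan_subnet, strict=True)
        vlan_ip = ipaddress.ip_address(p.vlan_ip)
        next_hop = ipaddress.ip_address(p.next_hop)
    except ValueError as exc:
        return [f"address parse error: {exc}"]
    if not 1 <= p.vlan_tag <= 4094:
        problems.append(f"VLAN tag {p.vlan_tag} out of range 1..4094")
    # The static ARP entry is only used if the next-hop lies on the VLAN's subnet.
    if next_hop not in net:
        problems.append(f"next-hop {next_hop} is not inside {net}")
    if vlan_ip not in net:
        problems.append(f"VLAN address {vlan_ip} is not inside {net}")
    # The next-hop must not collide with the switch's own address or with the
    # network/broadcast addresses, or the ARP binding will not be honoured.
    if next_hop == vlan_ip:
        problems.append("next-hop equals the switch's own VLAN address")
    if next_hop in (net.network_address, net.broadcast_address):
        problems.append("next-hop is the network or broadcast address")
    if not MAC_RE.match(p.mac):
        problems.append(f"MAC {p.mac!r} is not six colon-separated hex octets")
    elif int(p.mac.split(":")[0], 16) & 0x01:
        # Low bit of the first octet set means a group (multicast/broadcast) MAC;
        # the unicast FDB entry in step 3 needs a unicast address.
        problems.append(f"MAC {p.mac} is a multicast/broadcast address")
    if not PORT_RE.match(p.port):
        problems.append(f"port {p.port!r} is not of the form port or slot:port")
    return problems


def render_cli(p: BlackHoleParams) -> List[str]:
    """Render the CLI commands from the page, in order, for the given parameters."""
    net = ipaddress.ip_network(p.vlan_subnet, strict=True)
    return [
        f"create vlan {p.vlan_name}",
        f"configure vlan {p.vlan_name} tag {p.vlan_tag}",
        f"enable loopback-mode vlan {p.vlan_name}",
        f"configure vlan {p.vlan_name} ipaddress {p.vlan_ip} {net.netmask}",
        f"enable ipforwarding vlan {p.vlan_name}",
        f"disable igmp snooping vlan {p.vlan_name}",
        f"disable igmp vlan {p.vlan_name}",
        f"create fdb {p.mac} vlan {p.vlan_name} port {p.port}",
        f"configure iparp add {p.next_hop} vr {p.vr} {p.mac}",
        f"configure access-list {p.policy_name} vlan {p.vlan_name} egress",
    ]


def render_policy(p: BlackHoleParams) -> str:
    """Render the deny-everything egress policy body from the page (entered via 'edit policy')."""
    return (
        f"# policy {p.policy_name}: drop everything leaving {p.vlan_name}\n"
        "entry bh-acl {\n"
        "    if {\n"
        "        source-address 0.0.0.0/0;\n"
        "    } then {\n"
        "        deny;\n"
        "    }\n"
        "}\n"
    )


if __name__ == "__main__":
    # Constructed example values, matching the configuration on the page.
    params = BlackHoleParams("BH_VLAN", 666, "192.168.2.0/24", "192.168.2.1",
                             "192.168.2.66", "00:02:03:04:05:06", "6:9")
    found = check_params(params)
    if found:
        raise SystemExit("refusing to render:\n  " + "\n  ".join(found))
    print("\n".join(render_cli(params)))
    print(render_policy(params))
```

Run it as-is to reproduce the page's configuration; change the next-hop to an address outside 192.168.2.0/24, or the MAC to one with the group bit set, and it refuses to render and lists why. The check is deliberately strict about the subnet (a host address such as 192.168.2.5/24 is rejected) because the page's whole mechanism depends on the ARP entry, FDB entry and VLAN address agreeing with each other.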