Remote Triggered Black Hole Filtering (RTBH)

Anti-DDoS Support on MMIX Route Servers

BGP Community to apply RTBH

BGP Community Next Hop Address Peering
9654:66 103.116.194.66 Yangon IXP
9333:66 103.116.193.66 Mandalay IXP

Anti-DDoS Support on MMIX Route Servers

MMIX provides Remote Triggered Black Hole Filtering (RTBH) to help mitigate DDoS attacks.

Remote Triggered Black Hole Filtering (RTBH)

MMIX Supports RTBH for announcement of black-hole filtering. In order to facilitate better routing management for routes being advertised via MMIX Route Servers, we highly recommend all members to make use of BGP community tagging when they announce/receive BGP routes to/from the MMIX route servers.

  • Trigger member routers to discard (null) route for a specific address.
  • MMIX route servers will ONLY accept /32s with BGP community tagged for MMIX filtering and forward the network prefixes to member routers.
  • The next-hop address used for destination based RTBH filtering. MMIX members should configure their routers to discard the traffic or point to a "null" interface if they received the route with related RTBH community and next hop address.

RTBH Config Guideline for MMIX members

Configure to trigger RTBH

ip prefix-list PRF-RTBH permit x.x.x.x/32 ! !Configure outbound route-map for MMIX RS1 and RS2 route-map RM-MMIX-OUT permit 10 match ip address prefix-list PRF-RTBH set community 9654:66 additive route-map RM-MMIX-OUT permit 100

Note

For Mandalay peering, use community 9333:66 instead of 9654:66 in the route-map configuration.

Activation RTBH Route

#Activiation RTBH Route ip prefix-list PRF-MMIX-HOST permit 0.0.0.0/0 ge 32 ! !Community list for MMIX RTBH ip community-list standard CM-MMIX-RTBH seq 5 permit 9654:66 !Inbound route-map for MMIX route servers route-map RM-MMIX-IN permit 10 match ip address prefix-list PRF-MMIX-HOST match community CM-MMIX-RTBH route-map RM-MMIX-IN permit 10000 ! !Configure a static null route for reserved 103.116.194.66 ip route 103.116.194.66 255.255.255.255 null 0 !Stop retransmission interface Null0 no ip unreachables

How to verify the configuration:

  1. Go to MMIX Looking Glass
  2. Select Route Server and Enter your profile by clicking Short Name under "Description" row.
  3. If your configuration working well, you can see x.x.x.x/32 prefix with 9xxx:66 community valute in routing table.

Need Help with Configuration?

Our technical team is ready to assist you with implementing these configurations.

Contact Technical Support
0%