
What is RTBH?

Definition of Remotely Triggered Black Hole

Remotely Triggered Black Hole (RTBH) is best explained as “blocking undesirable data traffic at the edge of a network (based on either source or destination IP addresses) before it reaches the network”. In effect, this means that all traffic towards a specific destination is rerouted to a null IP address (essentially a “black hole” in network terms) and dropped there. RTBH is a protocol-based tool which is generally used by network service providers to avoid or mitigate DDoS attacks and improve network security overall.
Critically, RTBH is implemented outside the network where the offending address(es) reside. This could be initiated from a customer network towards a service provider, for example.

Technology

This technology has been widely adopted in the industry for some time now. The main characteristic of any blackholing, remotely triggered or not, is that it stops all malicious traffic by rewriting the prefixes and redirecting them into a “black hole”. One of the more common methods is where a centralized device controlled by the NOC propagates RTBH with the Internal Border Gateway Protocol (iBGP). This reduces the configuration overhead on individual edge devices and allows networks to be secured rapidly via BGP.

Downstream customers of a network service provider can also send blackholing requests using the Border Gateway Protocol (BGP). This is facilitated with a community string: additional information that is “bolted on” to a route advertisement. The provider then uses this to stop traffic entering a customer’s network.

RTBH comes in two main flavors:

  • Destination-based RTBH, where a trigger event (either a central device or a request from a customer or peer) propagates the blackhole through the network to the edge via BGP, based on a specific destination. In practice, this process involves multiple steps, starting by immediately dropping the offending traffic at the network edge. A list of blackholed destination addresses is then documented and, once the threat subsides, the target addresses are brought back into service as soon as possible.
  • Source-based RTBH drops traffic at the network edge based on a specific source address or range of source addresses. This method uses the same trigger mechanism as destination-based RTBH. The main difference here is that it is a lot easier to roll back, but care needs to be taken not to lose track of the addresses on the blacklist, and to ensure that only properly validated external BGP requests are allowed to blackhole any addresses.
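
One way to apply the validation that customer-triggered requests need before any address is blackholed, shown as an added example and not Arelion's own mechanism: a Python check that a route tagged with a blackhole community comes from an AS authorized for that prefix. The 65535:666 community is the RFC 7999 well-known value; the AS numbers, prefixes, authorization table and minimum-length policy are constructed assumptions.

```python
import ipaddress

# Well-known BLACKHOLE community (RFC 7999); a provider may define its own.
BLACKHOLE = "65535:666"

# Constructed data: prefixes each customer AS may originate, standing in for
# RPKI ROA data plus the provider's internal route analysis.
AUTHORIZED = {
    64500: ["198.51.100.0/24"],
    64501: ["203.0.113.0/24", "2001:db8::/32"],
}

# Hypothetical policy: only narrow routes may be blackholed, so one request
# cannot drop an entire allocation.
MIN_LEN = {4: 25, 6: 64}

def validate_blackhole_request(origin_as, prefix, communities):
    """Return (accepted, reason) for an announcement tagged for blackholing."""
    if BLACKHOLE not in communities:
        return False, "no blackhole community"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    allowed = [ipaddress.ip_network(p) for p in AUTHORIZED.get(origin_as, [])]
    # subnet_of() raises TypeError across IP versions, so compare versions first.
    if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
        return False, "prefix not authorized for origin AS"
    if net.prefixlen < MIN_LEN[net.version]:
        return False, "prefix too short to blackhole"
    return True, "accepted"

def build_blackhole_list(announcements):
    """Split tagged announcements into prefixes to drop and rejected requests."""
    drop, rejected = [], []
    for origin_as, prefix, communities in announcements:
        ok, reason = validate_blackhole_request(origin_as, prefix, communities)
        if ok:
            drop.append(prefix)
        elif reason != "no blackhole community":  # untagged routes are not requests
            rejected.append((prefix, reason))
    return drop, rejected

if __name__ == "__main__":
    # Constructed announcements: (origin AS, prefix, communities)
    print(build_blackhole_list([(64500, "198.51.100.7/32", [BLACKHOLE]),
                                (64500, "203.0.113.9/32", [BLACKHOLE])]))
```

The rejected list doubles as the record of requests to review, which addresses the concern above about losing track of what has been blackholed and by whom.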

The key benefits of RTBH

Security – RTBH is a highly effective way for customers to block malicious traffic, such as in a DDoS attack, so that damage can be mitigated at an early stage. For example, if non-legitimate traffic is coming from a specific route, or if the routes themselves need to be blocked, we can blackhole them either at the edge of the customer’s network or the edge of ours and eliminate the problem quickly and effectively.

Self-service – Since RTBH can be triggered by a community advertisement, customers can initiate blackholing themselves in the event of an attack without contacting a NOC, thereby saving valuable time.

Reliability – Customer-triggered blackholing is not without risk. However, Arelion has developed a detection mechanism that allows the validation of these requests, both against centralized RPKI databases and by internal route analysis, to avoid unintentional mistakes and route hijacks.

Transparency – The power to blackhole traffic is placed in the customers’ hands, allowing them to manage network attacks as and when they see fit.

RTBH limitations

Although RTBH is automated and therefore faster to implement than other DDoS mitigation techniques, it is a fairly blunt instrument, just like all other blackholing methods. Traffic filtering is indiscriminate, and all traffic to and from blackholed IP addresses will be dropped, even if it is legitimate.

Why Arelion?

The best network

Operating the world’s #1 IP backbone, with 350+ PoPs globally, gives us the scale to absorb a DDoS attack more easily than smaller networks. When a customer blackholes an attack, the remainder of Arelion’s network preserves their network integrity by cushioning the impact with our high-capacity global network infrastructure and robust peering agreements.

Customer care and customer experience 

An industry-leading NPS score, fast delivery and full-service visibility through the MyArelion portal are all unique benefits of the Arelion experience, and we are fully resourced to act resolutely and quickly if an attack escalates beyond a customer’s ability to contain it. Our highly skilled and dedicated customer service team is always on hand to provide assistance when needed. More than 90% of our customer support engineers have university education in technology (33% have double degrees) and we have sustained 20% YoY NPS (customer satisfaction) growth over the past decade.

Specialization

We are a pioneer of global Internet route validation through our RPKI adoption, so you can rest assured that we have the expertise to provide an industry-leading and dependable blackholing service.
