RTBH Definition

Remotely Triggered Black Hole (RTBH) is best explained as “blocking undesirable data traffic at the edge of a network (based on either source or destination IP addresses) before it reaches the network”. In effect, this means that all traffic towards a specific destination is rerouted to a null IP address – essentially a “black hole” in network terms - and dropped there. RTBH is a protocol-based tool which is generally used by network service providers to avoid or mitigate DDoS attacks and improve network security overall. Critically, RTBH is implemented outside the network where the offending address(es) reside. This could be initiated from a customer network towards a service provider, for example.

Technology

This technology has been widely adopted in the industry for some time now. The main characteristic of any blackholing - remotely triggered or not, is that it stops all malicious traffic by rewriting the prefixes and redirecting them into a “black hole”. One of the more common methods is where a centralized device controlled by the NOC propagates RTBH with the Internal Border Gateway Protocol (iBGP). This reduces the configuration overhead on individual edge devices and allows networks to be secured rapidly via BGP.

Downstream customer of a network service provider can also send blackholing requests using the Border Gateway Protocol (BGP). This is facilitated with a community string – additional information that is “bolted-on” to a route advertisement. This is then used by a provider to stop traffic entering a customer’s network.

RTBH comes in two main flavors:

  • Destination-based RTBH where a trigger event (either a central device or a request from a customer or peer) propagates the blackhole through the network to the edge via BGP, based on a specific destination. In practice, this process involves multiple steps, starting by immediately dropping the offending traffic at the network edge. A list of black-holed destination addresses is then documented and once the threat subsides, the target addresses are bought back into service as soon as possible
  • Source-based RTBH drops traffic at the network edge based on a specific source address or range of source addresses. This method uses the same trigger mechanism as destination-based RTBH. The main difference here is that it is a lot easier to roll-back, but care needs to be taken not to lose track of the addresses on the blacklist and also that that only properly validated external BGP requests are allowed to blackhole any addresses

The key benefits of RTBH

Security – RTBH is a highly effective way for customers to block malicious traffic, like in a DDoS attack and damage can be mitigated at an early stage. For example, if non-legitimate traffic is coming from a specific route, or if the routes themselves need to be blocked, we can blackhole them either at the edge of the customer’s network or the edge of ours and eliminate the problem quickly and effectively.

Self-service – since RTBH can be triggered by a community advertisement, customers can initiate blackholing themselves in the event of an attack, without contacting a NOC and thereby saving valuable time.

Reliability – Customer-triggered blackholing is not without risk. However, Arelion has developed a detection mechanism that allows the validation of these requests - both against centralized RPKI databases and by internal route analysis, to avoid unintentional mistakes and route hijacks.

Transparency –  the power to blackhole traffic is placed in the customers hands, allowing them to manage network attacks as and when they see fit.

RTBH limitations

Although RTBH is automated and therefore faster to implement than other DDoS mitigation techniques, it is a fairly blunt instrument, just like all other black-holing methods. Traffic filtering is indiscriminate and all traffic to and from blackholed IP addresses will be dropped, even if it is legitimate.

Why Arelion?

The best network

Operating the world’s #1 IP backbone, with 350+ PoPs globally, gives us the scale to absorb a DDoS attack more easily than smaller networks. When a customer blackholes an attack, the remainder of Arelion’s network preserves their network integrity by cushioning the impact with our high-capacity global network infrastructure and robust peering agreements.

Customer care and customer experience 

An industry leading NPS score, fast delivery and full-service visibility through the MyArelion portal are all unique benefits of the Arelion experience and we are fully resourced to act resolutely and quickly if an attack escalates beyond a customer’s ability to contain it. Our highly skilled and dedicated customer service team is always on hand to provide assistance when needed. More than 90% of our customer support engineers have university education in technology (33% have double degrees) and we have sustained 20% YoY NPS (customer satisfaction) growth over the past decade.

Specialization

As a pioneer of global Internet route validation with our RPKI adoption, you can rest assured that we have the expertise to provide an industry-leading and dependable blackholing service.

BGP and Routing

BGP (Border Gateway Protocol) routing is the central nervous system of the Internet. Stable and efficient IP routing between different Autonomous Systems (AS) is essential for the security of the entire Internet ecosystem. Our BGP communities and the added security of RPKI enable manageable and reliable traffic flows.

Looking Glass

Whether you're just curious or need some tools to check your connectivity, our looking glass puts you at the heart of our network.

IP Network Performance

World-class connectivity starts with a competitive network SLA. Here you can find monthly IP network performance metrics for our global Internet backbone, AS1299.