To mitigate DDoS attacks, CXC provides a blackhole next-hop address for both the IPv4 and IPv6 address-families. These next-hop addresses resolve (via ARP/ND) to a predefined blackhole MAC address; frames sent to that MAC address are dropped by the ingress filter on the switch ports where members are directly connected, so the DDoS traffic never reaches its destination. The CXC blackholing (BH) service is available on our Route Servers (RS) and members are encouraged to participate.
The table below contains the CXC blackhole next-hop addresses and BGP BLACKHOLE community information.
Cluster | IPv4 Address | IPv6 Address | IPv6 Link-Local Address | MAC Address | BLACKHOLE Community |
---|---|---|---|---|---|
Denpasar | 103.225.171.6 | 2400:9c80:0:171::666 | fe80::dcad:beff:feef:1666 | de:ad:be:ef:16:66 | 65535:666 |
Jakarta | 103.225.172.66 | 2400:9c80:0:173::172:666 | fe80::dcad:beff:feef:2666 | de:ad:be:ef:26:66 | 65535:666 |
Below are the guidelines and restrictions for using the blackholing service via the RS:
To participate in the CXC blackholing service, members MUST allow IPv4 and IPv6 prefixes marked with the BLACKHOLE community (65535:666) through their inbound filter. This blackholing inbound filter should be placed above any existing inbound policies you have, to ensure it cannot be bypassed.
To ensure members' inbound filters are configured correctly, CXC provides permanent test IPv4 and IPv6 blackhole prefixes. Members need to verify that they receive these test prefixes in their routing table with the correct next-hop address and BGP communities.
Cluster | Test IPv4 Blackhole Prefix | Test IPv6 Blackhole Prefix | IPv4 next-hop Address | IPv6 next-hop Address | BGP Community |
---|---|---|---|---|---|
Denpasar | 103.134.77.6 | 2404:6140:2000::666 | 103.225.171.6 | 2400:9c80:0:171::666 | 65535:666 |
Jakarta | 103.134.76.66 | 2404:6140::666 | 103.225.172.66 | 2400:9c80:0:173::172:666 | 65535:666 |
To signal an IP prefix for blackholing, mark the prefix with the BLACKHOLE community (65535:666) before advertising it to the RS. The RS will automatically rewrite the prefix's next-hop address to the CXC blackhole next-hop address before announcing it to the rest of the RS clients.
Members MUST enable send-community for both the BGP IPv4 and IPv6 address-families.
The RS only accepts blackhole IP prefixes of the sizes below:
Members can only advertise blackhole IP prefixes from their own address space.
Blackhole IP prefixes should not be advertised outside the local AS.
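As an added example (not CXC's own tooling), a small Python checker that encodes the guidelines above: every route carrying 65535:666 must arrive with the cluster's blackhole next-hop, the permanent test prefix must be present in what the RS session delivers, and anything we tag for blackholing must lie inside our own address space. The route dicts, the own-space prefixes (192.0.2.0/24, 2001:db8::/32) and the un-rewritten next-hop 2001:db8::1 are constructed sample input, not values from the page.

```python
import ipaddress

BLACKHOLE = (65535, 666)  # BGP BLACKHOLE community (from the tables above)
# CXC blackhole next-hop addresses and permanent test prefixes per cluster (page values)
CLUSTERS = {
    "Denpasar": {"next_hop": {4: "103.225.171.6", 6: "2400:9c80:0:171::666"},
                 "test": ["103.134.77.6", "2404:6140:2000::666"]},
    "Jakarta": {"next_hop": {4: "103.225.172.66", 6: "2400:9c80:0:173::172:666"},
                "test": ["103.134.76.66", "2404:6140::666"]},
}

def check_received(cluster, routes):
    """Check routes learned from the RS: each route is a dict with 'prefix', 'next_hop'
    and 'communities' (list of (asn, value)). Returns a list of problems (empty = OK)."""
    want_nh = {af: ipaddress.ip_address(a) for af, a in CLUSTERS[cluster]["next_hop"].items()}
    seen_test = {ipaddress.ip_address(t): False for t in CLUSTERS[cluster]["test"]}
    problems = []
    for r in routes:
        if BLACKHOLE not in r["communities"]:
            continue  # ordinary route, not subject to the blackhole checks
        net = ipaddress.ip_network(r["prefix"])
        nh = ipaddress.ip_address(r["next_hop"])
        if nh != want_nh[net.version]:  # the RS should have rewritten the next-hop
            problems.append(f"{net}: next-hop {nh} is not the CXC blackhole address {want_nh[net.version]}")
            continue
        for t in seen_test:  # the permanent test prefix must arrive with the right next-hop
            if t in net:
                seen_test[t] = True
    for t, ok in seen_test.items():
        if not ok:
            problems.append(f"test prefix {t} not received: inbound filter likely rejects blackhole routes")
    return problems

def check_outbound(own_space, prefix, communities):
    """Before tagging a prefix for the RS: it must carry 65535:666 and lie inside our own space."""
    net = ipaddress.ip_network(prefix)
    if BLACKHOLE not in communities:
        return "missing BLACKHOLE community 65535:666"
    own = [ipaddress.ip_network(s) for s in own_space]
    if not any(net.subnet_of(o) for o in own if o.version == net.version):
        return f"{net} is outside our own address space"
    return None

# Constructed sample: a Denpasar member's view of the RS. The IPv6 test route carries a
# made-up, un-rewritten next-hop (2001:db8::1), so the checker flags it and the missing test prefix.
SAMPLE_ROUTES = [
    {"prefix": "103.134.77.6/32", "next_hop": "103.225.171.6", "communities": [BLACKHOLE]},
    {"prefix": "2404:6140:2000::666/128", "next_hop": "2001:db8::1", "communities": [BLACKHOLE]},
    {"prefix": "198.51.100.0/24", "next_hop": "192.0.2.1", "communities": [(64496, 100)]},
]
```

Run `check_received` against a dump of the routes your router accepted from the RS session; any "test prefix ... not received" finding means the blackholing filter is not above the policy that rejects the route.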