SEECIX Blackholing Guide

Blackholing is typically used to fight massive DDoS attacks which congest the physical connection between SEECIX and a customer router. A detailed description of how Blackholing works at SEECIX is available here

Besides signaling a blackhole via direct peering, you can signal blackholes via the route servers at SEECIX.

Blackholing via direct peering

You have to set the appropriate BGP next-hop (your router IP) manually when signaling a blackhole on a direct peering session. 

Please also ask you peers to accept up to /32 for IPv4 and up to /128 for IPv6 from you, for allowing the service to work correctly.

Blackholing via the Route Servers

If you want to blackhole a certain IP prefix by using the SEECIX route servers, there are two ways of achieving this:

  • The BGP announcement carrying the IP prefix that should be blackholed is marked with the BLACKHOLE BGP Community (65535:666). This is the recommended way as it makes the handling a lot easier. 
    or
  • The BGP announcement carrying the IP prefix that should be blackholed contains a pre-defined blackhole IP address as a BGP next-hop. The table below lists the IPv4 and IPv6 blackhole IP addresses for SEECIX and interconnected IXPs:
IXPBlackhole Next-Hop IP address IPv4Blackhole Next-Hop IP address IPv6BGP BLACKHOLE Community
SEECIX185.1.172.662001:7f8:f5::de1a:b:dead65535:666
DE-CIX Frankfurt80.81.193.662001:7f8::1a27:66:95

Please do not set the NO-EXPORT or NO-ADVERTISE Community on the BGP announcements marked as blackhole as this tells the route servers to not re-distribute this announcement. The route servers will add NO-EXPORT automatically. 

Configuration examples of how to setup a BGP session to the route server can be found in the SEECIX Route Server Guide.