Qos Mpls

Pages: 49 (12095 words) Published: April 23, 2012
WHITE PAPER

REMOTELY TRIGGERED BLACK HOLE FILTERING— DESTINATION BASED AND SOURCE BASED
Remotely triggered black hole (RTBH) filtering is a technique that provides the ability to drop undesirable traffic before it enters a protected network. This document describes RTBH filtering and its merits, operational gains, applications, and deployment considerations and provides sample router configurations. This document describes the mitigation of distributed-denial-of-service (DDoS) attacks within a single Interior Gateway Protocol (IGP) domain. This document does not describe how to use RTBH filtering for mitigating the attack across multiple providers. This document is intended for network design architects, support engineers, and marketing professionals who are responsible for planning, designing, implementing, and operating networks.

OVERVIEW

This section describes RTBH filtering and how it is used for both destination-based and source-based filtering. This section includes the following topics:

• Benefits of Remotely Triggered Black Hole Filtering
• Remotely Triggered Black Hole Filtering Within the Service Provider Security Framework
• Destination-Based
• Source-Based

Benefits of Remotely Triggered Black Hole Filtering

Black holes, from a network security perspective, are placed in the network where traffic is forwarded and dropped. Once an attack has been detected, black holing can be used to drop all attack traffic at the edge of an Internet service provider (ISP) network, based on either destination or source IP addresses. RTBH filtering is a technique that uses routing protocol updates to manipulate route tables at the network edge or anywhere else in the network to specifically drop undesirable traffic before it enters the service provider network.

RTBH filtering provides a method for quickly dropping undesirable traffic at the edge of the network, based on either source addresses or destination addresses, by forwarding it to a null0 interface. Null0 is a pseudointerface that is always up and can never forward or receive traffic. Forwarding packets to null0 is a common way to filter packets to a specific destination.

RTBH filtering is not a specific Cisco IOS® Software feature, but rather a technique that incorporates a set of well-coordinated configurations across multiple routers. RTBH filtering is one of the many techniques in the security toolkit that can be used together to enhance network security in the following ways:

• Effectively mitigate DDoS and worm attacks
• Quarantine all traffic destined for the target under attack
• Enforce blacklist filtering

A typical deployment scenario for RTBH filtering would require running internal Border Gateway Protocol (iBGP) at the access and aggregation points and configuring a separate device in the network operations center (NOC) to act as a trigger. The triggering device sends iBGP updates to the edge that cause undesirable traffic to be forwarded to a null0 interface and dropped.

All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement. Page 1 of 37

Destination-Based Remotely Triggered Black Hole Filtering

With a denial-of-service (DoS) attack, in addition to service degradation of the target, there is possible collateral damage such as bandwidth consumption, processor utilization, and potential service loss elsewhere in the network. One method to mitigate the damaging effects of such an attack is to black hole (drop) traffic destined to the IP address or addresses being attacked and to filter the infected host traffic at the edge of the network closest to the source of the attack. The challenge is to find a way to quickly drop the offending traffic at the network edge, document and track the black holed destination addresses, and promptly return these addresses to service once the threat disappears. Destination-based IP black hole filtering with remote triggering allows a network-wide...
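The trigger mechanism described above, modeled for the destination-based case as an added example (it is not code or configuration from the white paper or from Cisco). It shows how one update per prefix from the trigger makes every edge router resolve the victim address to Null0, and how a withdrawal returns the address to service. The discard next hop 192.0.2.1, the interface name core0, and the addresses 198.51.100.10 and 198.51.100.11 are assumed, constructed values.

```python
import ipaddress

DISCARD_NH = "192.0.2.1"  # assumed discard next hop, statically routed to Null0

class EdgeRouter:
    """Minimal route table: longest-prefix match plus recursive next-hop lookup."""
    def __init__(self, name, inside_if="core0"):  # core0 is a hypothetical interface
        self.name = name
        # Pre-provisioned on every edge router before any attack:
        self.routes = {
            ipaddress.ip_network("0.0.0.0/0"): ("if", inside_if),
            ipaddress.ip_network(DISCARD_NH + "/32"): ("if", "Null0"),
        }

    def bgp_update(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = ("nh", next_hop)

    def bgp_withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def egress(self, dst, depth=0):
        """Interface a packet to dst leaves on; 'Null0' means it is dropped."""
        if depth > 4:
            raise RuntimeError("next-hop recursion too deep")
        addr = ipaddress.ip_address(dst)
        best = max((n for n in self.routes if addr in n), key=lambda n: n.prefixlen)
        kind, value = self.routes[best]
        return value if kind == "if" else self.egress(value, depth + 1)

class Trigger:
    """NOC trigger: one iBGP update per prefix, delivered to every edge peer."""
    def __init__(self, edges):
        self.edges, self.active = edges, set()  # active = documented black holes

    def blackhole(self, prefix):
        self.active.add(prefix)
        for edge in self.edges:
            edge.bgp_update(prefix, DISCARD_NH)

    def release(self, prefix):
        self.active.discard(prefix)
        for edge in self.edges:
            edge.bgp_withdraw(prefix)

def demo(victim="198.51.100.10", neighbor="198.51.100.11"):  # constructed addresses
    edges = [EdgeRouter("edge1"), EdgeRouter("edge2")]
    trigger = Trigger(edges)
    trigger.blackhole(victim + "/32")
    during = [(e.egress(victim), e.egress(neighbor)) for e in edges]
    trigger.release(victim + "/32")
    return during, [e.egress(victim) for e in edges]
```

The /32 update affects only the victim address; the neighboring host in the same range keeps following the less specific route.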