Anti-DDoS Support on MMIX Route Servers
MMIX provides Remote Triggered Black Hole Filtering (RTBH) to help mitigate DDoS attacks.
Remote Triggered Black Hole Filtering (RTBH)
MMIX supports RTBH for the announcement of black-hole filtering. To facilitate better routing management for routes advertised via the MMIX route servers, we highly recommend that all members use BGP community tagging when they announce or receive BGP routes to or from the MMIX route servers.
- Trigger member routers to discard (null) route for a specific address.
- MMIX route servers will ONLY accept /32s with BGP community tagged for MMIX filtering and forward the network prefixes to member routers.
- The next-hop address used for destination-based RTBH filtering. MMIX members should configure their routers to discard the traffic or point it to a "null" interface if they receive a route with the related RTBH community and next-hop address.
RTBH Config Guideline for MMIX members
Configure to trigger RTBH
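! Host route (/32) to be black-holed; replace x.x.x.x with the address
ip prefix-list PRF-RTBH permit x.x.x.x/32
!
! Tag the matching /32 with the RTBH community
route-map RM-MMIX-OUT permit 10
 match ip address prefix-list PRF-RTBH
 set community 9654:66 additive
! All other announcements pass unchanged
route-map RM-MMIX-OUT permit 100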
Note
For Mandalay peering, use community instead of in the route-map configuration.
Activating the RTBH Route
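! Match host routes (/32) only
ip prefix-list PRF-MMIX-HOST permit 0.0.0.0/0 ge 32
!
ip community-list standard CM-MMIX-RTBH seq 5 permit 9654:66
! Permit /32s that carry the RTBH community
route-map RM-MMIX-IN permit 10
 match ip address prefix-list PRF-MMIX-HOST
 match community CM-MMIX-RTBH
! Permit all other routes
route-map RM-MMIX-IN permit 10000
!
! Discard traffic whose next hop resolves to this address
ip route 103.116.194.66 255.255.255.255 null 0
! Do not send ICMP unreachables for discarded packets
interface Null0
 no ip unreachables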
How to verify the configuration:
- Go to the MMIX Looking Glass.
- Select the Route Server and enter your profile by clicking the Short Name in the "Description" row.
- If your configuration is working well, you can see the x.x.x.x/32 prefix with the 9xxx:66 community value in the routing table.
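Before checking the Looking Glass, the receiving-side configuration can be checked offline. The following is an added example, not MMIX's own tooling: it parses IOS-style text and reports which of the pieces shown above are missing. The function names are hypothetical, and it assumes that 103.116.194.66 (taken from the static route above) is the RTBH next hop.

```python
import re

RTBH_COMMUNITY, RTBH_NEXT_HOP = "9654:66", "103.116.194.66"  # from this page; next hop assumed from its static route
PAGE_CONFIG = """
ip prefix-list PRF-MMIX-HOST permit 0.0.0.0/0 ge 32
ip community-list standard CM-MMIX-RTBH seq 5 permit 9654:66
route-map RM-MMIX-IN permit 10
 match ip address prefix-list PRF-MMIX-HOST
 match community CM-MMIX-RTBH
route-map RM-MMIX-IN permit 10000
ip route 103.116.194.66 255.255.255.255 null 0
interface Null0
 no ip unreachables
"""  # receiving-side configuration as shown on this page

def parse_blocks(config):
    """Group lines into (header, [sub-commands]); indentation is not required."""
    blocks = []
    lines = (" ".join(raw.split()) for raw in config.splitlines())
    for line in (l for l in lines if l and not l.startswith("!")):
        if line.startswith(("ip ", "route-map ", "interface ", "router ")) or not blocks:
            blocks.append((line, []))
        else:
            blocks[-1][1].append(line)
    return blocks

def permits_host_routes(entry):
    """True if a prefix-list entry can match a /32 ('ge' alone implies le 32)."""
    m = re.search(r"permit \S+/(\d+)(?: ge (\d+))?(?: le (\d+))?$", entry)
    length, ge, le = m.groups() if m else (None, None, None)
    return le == "32" if le else (ge is not None or length == "32")

def audit_rtbh_receiver(config):
    """Return the names of missing pieces; an empty list means every check passed."""
    blocks = parse_blocks(config)
    comms = {h.split()[3] for h, _ in blocks if re.match(
        rf"ip community-list standard \S+ (?:seq \d+ )?permit (?:\S+ )*{RTBH_COMMUNITY}(?: |$)", h)}
    hosts = {h.split()[2] for h, _ in blocks if h.startswith("ip prefix-list ") and permits_host_routes(h)}
    has = lambda subs, cmd, names: any(s.startswith(cmd) and names & set(s.split()) for s in subs)
    checks = {
        "route-map matching RTBH community and /32 prefix-list": any(
            has(s, "match community ", comms) and has(s, "match ip address prefix-list ", hosts)
            for h, s in blocks if h.startswith("route-map ")),
        f"static route {RTBH_NEXT_HOP}/32 to Null0": any(re.fullmatch(
            rf"ip route {re.escape(RTBH_NEXT_HOP)} 255\.255\.255\.255 null ?0", h, re.I) for h, _ in blocks),
        "no ip unreachables under interface Null0": any(
            h.lower() == "interface null0" and "no ip unreachables" in s for h, s in blocks),
    }
    return [name for name, ok in checks.items() if not ok]
```

Calling audit_rtbh_receiver() on a saved copy of the router configuration returns an empty list when every piece is present. It does not check that RM-MMIX-IN is applied to the BGP sessions with the route servers.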