A technical post for a change...
BGP is the protocol that distributes routes around the Internet, and one of the features of BGP is the "community tags" that can be attached to a route announcement.
There are a few that are standard and useful, such as limiting the announcements to the local AS. Community tags are also often used in networks to tag where a route entered the network.
NTT (one of the big transit providers) have a great page on how they use communities, here. They use them not only to identify where routes came in, but also to control how routes are handled in their network.
A community tag is 32 bits and conventionally written as decimal 16 bits, colon, and decimal 16 bits. Where you have an AS number that fits in 16 bits it is common for the first 16 bits to be the AS that defines or uses the tag.
Now, one of the most important community tags you can use is surprisingly not standardised. It is the blackhole tag. The idea is that you can mark a route sent around by BGP that is "Do not route this", and just throw away any traffic to this prefix. The prefix is usually one address (IPv4 /32 or IPv6 /128).
There are two key ways an ISP can use Blackhole routes...
One is within their network, ensuring that their IBGP spreads the route and tags it so that each and every one of their routers knows not to route any traffic for the specified prefix. This helps ensure packets arriving at any ingress are dropped immediately to mitigate damage. It does not help much if the ingress is flooded though.
The other is for an ISP to tag the route and announce to their peers, and transit, so that they do the same. This helps avoid flooding the ingress points as the peer/transit is filtering in their network.
This is all quite important for managing Denial Of Service (DOS) attacks. Even if the target is one IP, which is not always the case, the traffic can be crippling. So an ISP that can tell their peers and upstream transit providers not to send the traffic to them, for that one IP, can stay on-line. The transit provider can spread this to all of their ingress points ensuring their network is not flooded further, and maybe even to their peers to push back further to the source of the traffic.
Over the last few days, for reasons that will be obvious if you have followed A&A status pages, I have been working on ways to make FireBricks smarter in their handling of Blackhole routes.
I could leave it to FireBrick customers, making rules to handle the way community tags are processed, but even that only allowed a route to be dropped, not treated as a black hole. So what I did is create ingress and egress blackhole community tag handling.
Anyone announcing a route to us with a specific community (for A&A it is 20712:666) has that route treated as a blackhole route. Obviously the route has to pass any other input filters, so customers can only announce their own IPs to us. This route spreads around our network so every router knows it is a black hole.
Secondly, announcing any blackhole route to peers is special. We only send it on IBGP (ensuring our black hole community tag is present), or, if configured, we send it on EBGP with the peer's black hole community tag, such as 2914:666 for NTT.
This means that anywhere in our network, even from a customer, we can create a blackhole route, and our whole network knows - all routers will drop traffic to the target IP. It also means we then tell all transit and peers that have blackhole community tags to do the same. Obviously if we can do this at peering points as well as transit then it is a massive help.
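As an added illustration (not FireBrick code, and not A&A's actual configuration), the following Python models the ingress and egress handling just described, plus the 16:16-bit community encoding from earlier in the post. The peer table, customer prefixes and the rule that only host routes (/32 or /128) are honoured as blackholes are assumptions made for this example; the tags 20712:666 and 2914:666 are the ones the post gives.

```python
"""Model of an ingress/egress blackhole-community policy.

Added example for this page: illustrative, not FireBrick's implementation.
Peers, prefixes and the host-route-only rule are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

OUR_ASN = 20712
OUR_BLACKHOLE = "20712:666"   # A&A's ingress blackhole tag, as given in the post


def community_to_int(tag: str) -> int:
    """'ASN:value' -> the 32-bit community (16-bit ASN, 16-bit value)."""
    asn, value = (int(x) for x in tag.split(":"))
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError(f"community {tag} does not fit in 16:16 bits")
    return (asn << 16) | value


def int_to_community(raw: int) -> str:
    """32-bit community -> conventional 'ASN:value' text."""
    return f"{(raw >> 16) & 0xFFFF}:{raw & 0xFFFF}"


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: FrozenSet[str] = field(default_factory=frozenset)
    blackhole: bool = False


@dataclass(frozen=True)
class Peer:
    name: str
    asn: int
    # eBGP peers only receive blackhole routes if they publish a blackhole tag
    blackhole_community: Optional[str] = None

    @property
    def ibgp(self) -> bool:
        return self.asn == OUR_ASN


def ingress(route: Route, allowed_prefixes: List[str]) -> Optional[Route]:
    """Customer side: the prefix filter applies first, then 20712:666 marks a blackhole.

    Returns None when the route is rejected outright.
    """
    net = ipaddress.ip_network(route.prefix, strict=True)
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
        return None  # not the customer's own address space: dropped regardless of tags
    if OUR_BLACKHOLE in route.communities:
        host_len = 32 if net.version == 4 else 128
        if net.prefixlen == host_len:
            return Route(route.prefix, route.communities, blackhole=True)
        # Assumption for this example: the tag is ignored on anything wider
        # than a single address, and stripped so it cannot leak onward.
        return Route(route.prefix, route.communities - {OUR_BLACKHOLE})
    return route


def egress(route: Route, peer: Peer) -> Optional[Route]:
    """Announce a route to one peer, applying the special blackhole handling.

    Returns None when the route must not be announced to that peer.
    """
    if not route.blackhole:
        return route  # ordinary routes follow the normal export policy
    if peer.ibgp:
        # iBGP: always send, making sure our own blackhole tag is present
        return Route(route.prefix, route.communities | {OUR_BLACKHOLE}, blackhole=True)
    if peer.blackhole_community is None:
        return None  # eBGP peer without a blackhole tag never sees the route
    # eBGP: swap our tag for the peer's (e.g. 2914:666 for NTT)
    tags = (route.communities - {OUR_BLACKHOLE}) | {peer.blackhole_community}
    return Route(route.prefix, tags, blackhole=True)


if __name__ == "__main__":
    # Constructed sample: a customer owning 192.0.2.0/24 blackholes one host
    victim = ingress(Route("192.0.2.7/32", frozenset({OUR_BLACKHOLE})), ["192.0.2.0/24"])
    for p in (Peer("core-router", OUR_ASN), Peer("NTT", 2914, "2914:666"), Peer("peer-x", 64496)):
        print(p.name, "->", egress(victim, p))
```

The two checks worth keeping in any real implementation are the order of operations in `ingress` (prefix filter before the tag is honoured, so a customer cannot blackhole someone else's address) and the default-deny in `egress` (a blackhole route goes to an eBGP peer only when that peer has a configured tag to carry it).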
We have even made a system so a "connected" DSL line that is subject to a DOS attack can be marked as blackhole routed and that route go around our network and to peers and transit for a few minutes to mitigate the attack automatically!
Of course, there are attacks this will, by no means, fix. All it means is that an ISP is better able to partition out IPs as under attack and help avoid impact on other customers. As a feature it is good for FireBrick to be able to offer this to ISPs.
What is odd is that there is not a pre-defined standard blackhole community tag.
P.S. Every one of the millions of DOS attack packets per second will probably need to create an "Internet Connection Record" under the new IPBill so will mean DOSing the DPI boxes the government want installed.