Defending against an IPv4 DDoS attack

Vocus provide a RTBH (remotely triggered black hole) mechanism for our customers to use in order to mitigate incoming attack traffic from undesirable sources. Whilst not the most desirable of defence mechanisms as it results in total loss of service to a destination host, it can be useful to limiting impact to other users on your network in the case that your connection to the Vocus network becomes saturated.

Vocus configure this as part of our standard transit product but in order to make use of it, customers are required to ensure they are sending us BGP communities across their peering session ("neighbor x.x.x.x send-community" in Cisco IOS). In order to make use of the ASN:XX format on a Cisco device, you'll also require the "ip bgp-community new-format" command.

Once you are sending us BGP communities, attach 4826:666 to any announcement you wish to initiate a blackhole on. This will cause all traffic destined for that prefix to be dropped at our network boundary on ingress.

There are several techniques available to detect an attack on your network but if you notice a large incoming traffic spike, the easiest way to spot it is using NetFlow and looking for a large number of flows to a single host (the most common type of attack we see). Other methods of detection include spanning your transit port to another device that is running "snort" or similar software for analysis or use of third-party appliances.

Due to the large volume of traffic running over our own network and the CPU intensive nature of NetFlow, we can assist customers on request but do not normally have these features enabled on all ports.

Any prefix that falls within a customer's filters will be accepted for black holing, down to a /32 host route. This means if you were advertising a.b.c.0/24 to us normally as a transit prefix, we will accept a.b.c.99/32 or a.b.c.128/25 (as examples) for blackholing - provided they also have the 4826:666 community attached to the announcement.

If you require a source based black hole (blocking of a /32 source IP), we can deploy this inside our network but require an email be sent to support@vocus.com.au with the details and if critically urgent, a follow up phone call to the NOC number to ensure this request is actioned immediately. For security reasons we are unable to provide customers access to initiate these blocks themselves.

Please email questions or comments to Vocus NOC.