Deploy360 28 July 2014

Video: Selective Blackholing at RIPE 68

Andrew Mcconachie
By Andrew McconachieFormer Intern
Securing BGP

Until such time as we succeed in preventing IP spoofing in the Internet, Distributed Denial of Service(DDOS) attacks are going to be a problem. Job Snijders, gave a presentation at RIPE 68 detailing some work he has been doing on implementing selective blackholing for operators under DDOS attacks.

His selective blackholing configuration and associated scripting is meant to be applied when under a sustained DDOS attack, not during general operation. It essentially gives operators who provide transit services to one or more customers the ability to selectively blackhole traffic based on geographical determinants.

The example given in the presentation is of a customer under sustained DDOS attack who is able to blackhole all traffic coming from more than 1,000km away. This can be effective when that customer knows the only people visiting their website are within their own geograhpic proximity.


The presentation video is available on the RIPE 68 website along with the associated slides. Job has also written a lengthy email explaining in more detail how to implement selective blackholing.

When you’re finished viewing the presentation check out our Securing BGP and Anti-spoofing pages for more information on securing the Internet’s routing protocol.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...