What Is BGP Blackhole Routing?

BGP blackhole routing, formally known as Remotely Triggered Black Hole (RTBH) routing, is a technique that uses BGP to instruct upstream routers to drop all traffic destined for a specific IP address or prefix. When you trigger a blackhole, traffic to the targeted IP is discarded at your upstream provider's edge routers before it ever reaches your network. This protects the rest of your infrastructure from collateral damage caused by a large volumetric attack.

The mechanism is simple in concept: you announce a /32 route (a single IP) to your upstream provider with a special BGP community that signals "drop all traffic to this destination." The provider's routers install this route pointing to a null interface, effectively creating a black hole that swallows all traffic to that IP.

Why It Exists

Consider a scenario where a single IP on your network is receiving a 400 Gbps DDoS attack. Your upstream transit link is 10 Gbps. The attack traffic is so large that it saturates the entire transit link, affecting all services on your network - not just the targeted IP. Without intervention, every server behind that link experiences packet loss and connectivity issues. A BGP blackhole sacrifices the attacked IP to save the rest of the network.

BGP blackholing is a trade-off: you make the attacked IP unreachable to everyone (including legitimate users) in exchange for protecting the rest of your network. The attacker technically "wins" against that single IP, but your other services stay online.

How RTBH Works

Standard Destination-Based RTBH

In destination-based RTBH, you announce the victim's IP with a blackhole community. All traffic destined for that IP is dropped at the upstream router. This is the most common form and is supported by virtually all transit providers.

  1. The target IP (e.g., 198.51.100.10/32) is receiving a massive DDoS attack.
  2. You configure your edge router to announce 198.51.100.10/32 with a next-hop of a designated blackhole address (commonly 192.0.2.1) and tag it with your provider's blackhole BGP community (e.g., 65000:666).
  3. Your upstream provider receives the announcement, recognizes the blackhole community, and installs a route for 198.51.100.10/32 pointing to Null0.
  4. All traffic destined for 198.51.100.10 is dropped at the provider's edge, never reaching your transit link.

# Example: FRRouting (FRR) configuration for RTBH
router bgp 65001
  neighbor 10.0.0.1 remote-as 65000

  address-family ipv4 unicast
    # Announce blackhole route
    network 198.51.100.10/32 route-map BLACKHOLE
  exit-address-family

route-map BLACKHOLE permit 10
  set ip next-hop 192.0.2.1
  set community 65000:666

ip route 198.51.100.10/32 Null0
ip route 192.0.2.1/32 Null0

Source-Based RTBH (S/RTBH)

Source-based RTBH is more surgical. Instead of dropping all traffic to the victim, it drops traffic from specific source IPs or prefixes. This is useful when the attack comes from a small number of sources. However, source-based RTBH requires uRPF (Unicast Reverse Path Forwarding) in loose or strict mode on the provider's edge routers, and not all providers support it.

When to Use BGP Blackholing

BGP blackholing should be a last resort, not a first response. Use it when:

  • Attack traffic exceeds your link capacity: If the attack is larger than your transit link, host-level mitigation is irrelevant because the traffic never reaches your server.
  • Collateral damage is worse than losing one IP: When the attack on one IP degrades service for all IPs on your network.
  • Scrubbing services are not available or activated: BGP blackholing works immediately once announced. Scrubbing service activation can take minutes to hours.
  • You can move services to alternative IPs: If you can quickly migrate the attacked service to a different IP, blackholing the old IP has minimal impact.

Do not use BGP blackholing when:

  • The attack is within your link capacity and can be handled with host-level filtering.
  • The attacked IP is your only IP and blackholing it takes your entire service offline.
  • A scrubbing service is available and can be activated quickly.

Provider BGP Community Reference

Every transit provider uses different BGP communities for blackhole signaling. Here are some common ones:

Provider                 Blackhole Community
─────────────────────────────────────────────
RFC 7999 (standard)      65535:666
Cogent                   174:997
Lumen / Level3           3356:9999
NTT / Verio              2914:666
Telia                    1299:9999
Hurricane Electric       6939:666
GTT                      3257:666
Zayo                     6461:5000:8001
OVH                      16276:666
Hetzner                  24940:666

RFC 7999: The IETF standardized BGP community 65535:666 (BLACKHOLE) specifically for blackhole routing. Many providers now accept this universal community in addition to their own proprietary ones. Always verify with your provider which communities they support.
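To make the announce-and-withdraw procedure above repeatable, and to stop a typo from blackholing a whole block or an address you do not own, here is an added example (not Flowtriq's code and not FRR's own tooling) that builds vtysh configuration lines matching the FRR snippet above from a target IP, your own prefixes and a provider name. The community lookup is built from the table above; the prefix list, the AS numbers and the names `validate_target`, `blackhole_commands`, `withdraw_commands` and `DISCARD_NEXT_HOP` are assumptions for this example.

```python
import ipaddress

# Blackhole communities from the table above, keyed by a short provider
# name. Constructed lookup for this example; confirm with your provider.
BLACKHOLE_COMMUNITIES = {
    "rfc7999": "65535:666",
    "cogent": "174:997",
    "lumen": "3356:9999",
    "ntt": "2914:666",
}
DISCARD_NEXT_HOP = "192.0.2.1"  # same discard next-hop as the FRR config above


def validate_target(target, own_prefixes):
    """Accept only an IPv4 /32 inside a prefix we announce, so a typo
    cannot blackhole a whole block or an address outside our space."""
    net = ipaddress.ip_network(target, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError(f"{target}: RTBH target must be an IPv4 /32")
    if not any(p.version == 4 and net.subnet_of(p)
               for p in map(ipaddress.ip_network, own_prefixes)):
        raise ValueError(f"{target}: not inside any announced prefix")
    return net


def blackhole_commands(target, own_prefixes, provider, local_as=65001):
    """vtysh configuration lines that originate the /32 with the community."""
    net = validate_target(target, own_prefixes)
    community = BLACKHOLE_COMMUNITIES[provider]
    return [
        "route-map BLACKHOLE permit 10",
        f" set ip next-hop {DISCARD_NEXT_HOP}",
        f" set community {community}",
        f"ip route {net} Null0",
        f"router bgp {local_as}",
        " address-family ipv4 unicast",
        f"  network {net} route-map BLACKHOLE",
    ]


def withdraw_commands(target, own_prefixes, local_as=65001):
    """vtysh lines that withdraw the /32 once the attack has subsided."""
    net = validate_target(target, own_prefixes)
    return [
        f"router bgp {local_as}",
        " address-family ipv4 unicast",
        f"  no network {net} route-map BLACKHOLE",
        f"no ip route {net} Null0",
    ]
```

Feed the returned lines to `vtysh` one `-c` argument each (or write them to frr.conf); the static `Null0` route is kept because FRR's `network` statement only originates a prefix that is present in the RIB.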

Detection Enables Faster Response

The faster you detect an attack, the faster you can decide whether to trigger a blackhole. Flowtriq's per-second monitoring detects volumetric attacks within 1-2 seconds and immediately classifies the attack type. The alert includes the target IP, attack volume (PPS and BPS), protocol breakdown, and top source IPs - all the information you need to make a blackhole decision.

For organizations with automated blackhole infrastructure, Flowtriq's webhook integration can trigger your blackhole announcement scripts automatically when attack traffic exceeds configurable thresholds. This reduces response time from minutes (human-in-the-loop) to seconds (automated).

Removing the Blackhole

Blackholes should be temporary. Once the attack subsides, remove the blackhole announcement to restore normal traffic flow. Best practices:

  • Monitor the attack traffic volume through your provider's looking glass or monitoring tools.
  • Wait at least 30 minutes after traffic returns to baseline before removing the blackhole.
  • Remove the blackhole by withdrawing the /32 route announcement.
  • Monitor closely for 24 hours after removal - attacks often resume once the target becomes reachable again.
  • Have your mitigation strategy ready in case the attack restarts.
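The trigger criterion from the "When to Use" section (attack larger than the transit link) and the 30-minute hold-down before removal can be encoded as a small state machine driven by per-second samples. This is an added, constructed example, not Flowtriq's detection logic; the 10 Gbps link, the 2-second trigger, the "within twice baseline" definition of calm and the names `RtbhState`, `step` and `run` are assumptions, and `SAMPLE_BPS` is a constructed timeline.

```python
from dataclasses import dataclass

LINK_CAPACITY_BPS = 10 * 10**9   # 10 Gbps transit link, as in the scenario above
TRIGGER_SECONDS = 2              # sustained overload before recommending RTBH
HOLD_DOWN_SECONDS = 30 * 60      # 30 minutes at baseline before withdrawing


@dataclass
class RtbhState:
    blackholed: bool = False
    over_capacity_run: int = 0   # consecutive seconds above link capacity
    calm_run: int = 0            # consecutive seconds back at baseline


def step(state, bps, baseline_bps):
    """Consume one per-second sample of traffic toward the target IP and
    return 'announce', 'withdraw' or None. Samples must come from the
    provider side (looking glass), since our own link sees nothing while
    the /32 is blackholed upstream."""
    if bps > LINK_CAPACITY_BPS:
        state.over_capacity_run += 1
        state.calm_run = 0
    else:
        state.over_capacity_run = 0
        # "at baseline" here means no more than twice the pre-attack rate
        state.calm_run = state.calm_run + 1 if bps <= 2 * baseline_bps else 0
    if not state.blackholed and state.over_capacity_run >= TRIGGER_SECONDS:
        state.blackholed, state.calm_run = True, 0
        return "announce"
    if state.blackholed and state.calm_run >= HOLD_DOWN_SECONDS:
        state.blackholed = False
        return "withdraw"
    return None


def run(samples, baseline_bps):
    """Replay a list of per-second bps samples; return (second, action) events."""
    state, events = RtbhState(), []
    for t, bps in enumerate(samples):
        action = step(state, bps, baseline_bps)
        if action:
            events.append((t, action))
    return events


# Constructed timeline: 10 s of 200 Mbps baseline, a 60 s 400 Gbps flood,
# 30 min back at baseline, then the attack briefly resumes.
SAMPLE_BPS = ([200_000_000] * 10 + [400 * 10**9] * 60
              + [200_000_000] * 1800 + [400 * 10**9] * 5)
```

`run(SAMPLE_BPS, 200_000_000)` returns `[(11, 'announce'), (1869, 'withdraw'), (1871, 'announce')]`: the blackhole is recommended two seconds into the flood, withdrawn 30 minutes after traffic returns to baseline, and recommended again when the attack resumes against the now-reachable IP.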

Flowtriq helps here too: after removing a blackhole, Flowtriq monitors the IP's traffic in real time and will alert you instantly if the attack resumes, allowing you to re-enable the blackhole within seconds.

Get started with Flowtriq's free 7-day trial to add per-second detection to your DDoS response toolkit.
