Blackholing IP address on Cisco | GOLINE
Goline Logo



  • Route RPKI validation April 1st, 2022
    RPKI is a security framework by which network owners can validate and secure the critical route updates or Border Gateway Protocol (BGP) announcements between public Internet networks. BGP is essentially the central nervous system of the Internet and one of its fundamental building blocks. The main function of BGP is to facilitate efficient routing between Autonomous Systems (AS), by building and maintaining the Internet routing table. The Internet routing table is effectively the navigation system of the Internet and without it, traffic would be unable to flow between its constituent networks. Unfortunately, routing equipment alone cannot distinguish between legitimate and malicious routing announcements,...
  • RIPE – Atlas Anchor February 17th, 2022
    We have become an even more integral part of the RIPE Atlas project by hosting an anchor, a device that allows for latency analysis of traffic between autonomous systems. Atlas anchors play an integral role in the RIPE Atlas network by acting both as enhanced RIPE Atlas probes with more measurement capacity, as well as regional measurement targets within the greater RIPE Atlas network. Anchors are able to perform many more measurements than a regular RIPE Atlas probe, and the large amount of data they collect is made available to everyone. In addition, anchors act as powerful targets that can...
  • MANRS June 20th, 2020
    GOLINE firmly believes in initiatives to protect networks, improve security and resilience of the global routing system. Therefore we decided to support the MANRS project and join as participants.Mutually Agreed Norms for Routing Security (MANRS) is a global initiative, supported by the Internet Society, that provides crucial fixes to reduce the most common routing threats. MANRS offers specific actions via four programs for Network Operators, Internet Exchange Points, CDN and Cloud Providers, and Equipment Vendors. Requirements for Participation Please read the full MANRS Actions document before applying. You can become a participant if you meet these requirements: You (or your company) support...

Blackholing IP address on Cisco

Paolo Caparrelli Cisco 22 June 2022

# configure blackhole interface
Router(config)# int null0
Router(config-if)# no ip unreachables
# blackholing ip address
Router(config)# ip route null0

Remotely-Triggered Black Hole (RTBH) Routing

By stretch | Monday, July 6, 2009 at 5:05 a.m. UTC

Remotely-Triggered Black Hole (RTBH) routing is an interesting application of BGP as a security tool within service provider networks. One common use is mitigation of distributed denial of service (DDoS) attacks, as this article will explore.

Pictured below is a (very) simplified service provider architecture.


Routers 1 through 4 compose the network core, and router 9 functions as a standalone "management" router for route injection. OSPF is running across the core to exchange internal routes. Each router in this core square also maintains an iBGP adjacency with the other core routers, and with router 9. The server at represents the target of a DDoS attack.

Assume a DDoS attack is launched from the public Internet toward the customer server at The throughput consumed is so excessive that the attack is impacting the entire internal infrastructure and must be blocked at the edge. Due to the distributed nature of the attack, we must block at the edge all inbound traffic destined for the victim. Rather than resorting to laborious and error-prone access lists, we can utilize BGP and RTBH to quickly achieve the desired result.

Step 1: Null route preparation

The first two steps in configuring RTBH should ideally be completed prior to an attack.

RTBH works by injecting a specially-crafted BGP route into the network, forcing routers to drop all traffic with a specific next-hop — effectively creating a "black hole." We create a static route on all BGP routers for this next-hop address:

R1(config)# ip route Null0

This route forces any traffic destined for to be immediately dropped by the router. This route is added to all edge routers (R1 and R2) in our example lab.

Note that any IP address can be used for this black hole route; we use an IP from the reserved Test-Net range (see RFC 3330) here out of convenience, as this IP should never appear on a routed network.

Step 2: Route-map preparation

As with the first step, this configuration should also be completed prior to an attack.

A route-map is created to redistribute certain tagged static routes into BGP with a modified next-hop value:

R9(config)# route-map RTBH

R9(config-route-map)# match tag 666

R9(config-route-map)# set ip next-hop

R9(config-route-map)# set origin igp

R9(config-route-map)# set community no-export

This is the key component to RTBH: any route advertised to an edge router with a next-hop of will force recursion to the static Null0 route we implemented in the prior configuration, and any matching traffic will be dropped.

Enable static route redistribution into BGP for the route-map to take effect:

R9(config)# router bgp 65100

R9(config-router)# redistribute static route-map RTBH

Step 3: Create a victim route on the management router

Once an attack is detected and the decision is made to block traffic, a static route for the victim address is created on the management router (R9):

R9(config)# ip route Null0 tag 666

Ideally, we would like to simply advertise this route to the edge BGP routers, but a route cannot be advertised as having an invalid next-hop. So, we've added a tag value to ensure that our RTBH route-map redistributes the route into BGP with a modified next-hop. Note that the no-export community has been appended here to avoid accidentally exporting the route beyond the local AS.

With our victim route injected, we can verify that the edge routers now drop all traffic bound for that prefix:

R1# show ip route

Routing entry for

  Known via "bgp 65100", distance 200, metric 0, type internal

  Last update from 00:06:14 ago

  Routing Descriptor Blocks:

  *, from, 00:06:14 ago

  Route metric is 0, traffic share count is 1

  AS Hops 0

R1# show ip route

Routing entry for

  Known via "static", distance 1, metric 0 (connected)

  Routing Descriptor Blocks:

  * directly connected, via Null0

  Route metric is 0, traffic share count is 1

Of course, the victim is now unreachable, and we've effectively assisted the DDoS in accomplishing its goal. However we have protected our internal infrastructure (and other customers) from the flood of traffic, affording us time to better investigate and more eloquently mitigate the attack. As you might imagine, there are more advanced implementations of this method which can be used, as future articles will cover.


0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x