This document discusses the use of BGP communities and route servers at CATNIX to facilitate interconnection and mitigate DDoS attacks. It provides a history of BGP and RFCs related to communities. CATNIX uses well-known and custom communities on its route servers to control route propagation and implement a blackholing service. The blackholing service allows members to redirect traffic for attacked prefixes to a blackhole server where it is dropped, providing DDoS mitigation. An example is given of how a member would configure route announcements to make use of the blackholing service during an attack.

1. Communities and DDoS Mitigation at CATNIX
Maria Isabel Gandía Carriedo
CSUC/CATNIX
26-11-2021

2. History and RFCs (I)
1994 1995 1996 1998 2004
1982 1984 1989 1990 1991
GGP
(RFC 823)
EGP
(RFC 827)
EGP
(RFC 888/904)
BGPv1
(RFC 1105)
BGPv2
(RFC1163)
BGPv3
(RFC 1267)
BGPv4
(RFC1654)
BGPv4
(RFC 1771)
Communities
(RFC1997)
MP-BGP
(RFC2283)
NOPEER
Community
(RFC3765)

3. History and RFCs (II)
2016 2017 2017 2018 2021
2006 2006 2007 2009 2014
BGP Support
for Four-octet
AS Number
Space
(RFC 4893)
4-Octet
AS Specific
BGP Extended
Community
(RFC 5668)
Blackhole
community
(RFC 7999)
Use of BGP
large
communities
(RFC 8195)
Extended
Communities
(RFC4360)
BGP large
communities
(RFC 8092)
Graceful BGP
Session
Shutdown
(RFC 8326)
BGPv4 CIDR
(RFC4271)
IANA
Registries for
Extended
Communities
(RFC4360)
Extended
Optional
Parameters
for BGP Open
Message
(RFC 9072)

4. IANA BGP Well-Known Communities
https://www.iana.org/assignments/bgp-well-known-communities/bgp-well-known-communities.xhtml
Attribute Value Attribute Reference
0x00000000-0x0000FFFF Reserved [RFC1997]
0x00010000-0xFFFEFFFF Reserved for Private Use [RFC1997]
0xFFFF0000 GRACEFUL_SHUTDOWN [RFC8326]
0xFFFF0001 ACCEPT_OWN [RFC7611]
0xFFFF0002 ROUTE_FILTER_TRANSLATED_v4 [draft-l3vpn-legacy-rtc]
0xFFFF0003 ROUTE_FILTER_v4 [draft-l3vpn-legacy-rtc]
0xFFFF0004 ROUTE_FILTER_TRANSLATED_v6 [draft-l3vpn-legacy-rtc]
0xFFFF0005 ROUTE_FILTER_v6 [draft-l3vpn-legacy-rtc]
0xFFFF0006 LLGR_STALE [draft-uttaro-idr-bgp-persistence]
0xFFFF0007 NO_LLGR [draft-uttaro-idr-bgp-persistence]
0xFFFF0008 accept-own-nexthop
[draft-agrewal-idr-accept-own-
nexthop]
0xFFFF0009 Standby PE [RFC9026]
0xFFFF000A-0xFFFF0299 Unassigned
0xFFFF029A BLACKHOLE [RFC7999]
0xFFFF029B-0xFFFFFF00 Unassigned
0xFFFFFF01 NO_EXPORT [RFC1997]
0xFFFFFF02 NO_ADVERTISE [RFC1997]
0xFFFFFF03 NO_EXPORT_SUBCONFED [RFC1997]
0xFFFFFF04 NOPEER [RFC3765]
0xFFFFFF05-0xFFFFFFFF Unassigned

5. Communities – Well-known and Not-so-well-known
 Created to facilitate and simplify the control of routing information.
 A community “classifies” routes.
 Each AS can define to which communities a network belongs.
 A router (BGP speaker) can modify the communities according to its own
policy.
 Usign them to indicate local-preferences is quite common.
Communities for some companies at https://onestep.net/communities/

6. Communities at CATNIX
ACTION
BGP
Standard
Community
(RFC 1997)
BGP Extended
Community
(RFC 4360)
BGP Large Community
(RFC 8092)
No export 65535:65281 rt:65281:peer_as 65535:65281:peer_as
No advertise 65535:65282 rt:65282:peer_as 65535:65282:peer_as
No advertise to anybody 0:60082 rt:0:60082 60082:0:0
No advertise to a peer 0:peer_as rt:0:peer_as 60082:0:peer_as
Advertise to a peer 60082:client_asn rt:60082:client_asn 60082:1:client_asn
Prepend to a peer 65511:peer_as rt:65511:peer_as 60082:101:peer_as
2 prepends to a peer 65512:peer_as rt:65512:peer_as 60082:102:peer_as
3 prepends to a peer 65513:peer_as rt:65513:peer_as 60082:103:peer_as
Prepend to all 65501:60082 rt:65501:60082 60082:101:0
2 prepends to all 65502:60082 rt:65502:60082 60082:102:0
3 prepends to all 65503:60082 rt:65503:60082 60082:103:0
Blackhole 65535:666 rt:65535:666 60082:666:0

7. Route-Servers at CATNIX (I)
 They help simplifying the interconnection ( peers without RS vs
n peers with RS).
 Route-servers tell the other ASs where your routes are, but your traffic
does not traverse them (they are in the control plane, not the data plane).
RS1
AS60082
RS2
AS60082
RS3
AS60082
AS64497
I announce
192.0.2.0/24 to the RS
I peer with the RS, I
receive the next-
hop for 192.0.2.0/24
is the router in
AS64496
AS64496
BGP
Data
2
)
1
( 
 n
n

8. Route-Servers at CATNIX (II)
 The communities are optional attributes to tag the routes, that you can
include in your announcements to make the route-servers take an action
(add prepends, filter announcements, etc).
 All the route-servers apply RPKI filtering (they filter according to the data
in the IRR and the RPKI ROAs).
 Our RSs are MANRS-compliant.
RS1
AS60082
RS2
AS60082
RS3
AS60082

9. Route-servers at CATNIX (III)
 06-04-2018: First route-server:
• AS60082
• 193.242.98.98/24
• 2001:7f8:2a:0:1:1:6:0082/48
 21-06-2019: Second route server at bitNAP:
• AS60082
• 193.242.98.103/24
• 2001:7F8:2A:0:3:2:6:82/48
 10-10-2019: blackholing service operational
 25-06-2020: Third route-server at Equinix:
• AS60082
• 193.242.98.100/24
• 2001:7f8:2a:0:2:1:6:82 /48
 All the route servers have the blackholing service activated.

10. Blackholing in CATNIX
CATNIX #39 Nov’18:
To adopt the the RFC 7999 to implement blackholing with
communities in order to signal and stop possible DDoS
attacks traversing the IX.
BLACKHOLE = 0xFFFF029A
To configure the RFC 7999 recommended communities in
the route-servers.
 The low-order two octets in decimal are 666, a value commonly
associated with BGP blackholing among network operators.
 CATNIX members can use this well-known community to stop possible
DDoS attacks traversing the IX.

11. Blackholing Service
 The blackhole server is at Campus Nord:
• 193.242.98.101/24 in IPv4
• 2001:7F8:002A:0:1:1:6:5666/48 in IPv6
 If you need the route servers to send the traffic of one of your prefixes to
blackhole (close to /32 in IPv4 and /128 in IPv6), label it with:
• The community 65535:666 (0xFFFF029A) or
• The extended community rt:65535:666 or
• The large community 60082:666:0
in the announcements to the route-servers.
• Any traffic you send to the blackhole server will be dropped by the switch at the
L2 level.
Restricted

12.  Let’s imagine you are AS64496, peering at CATNIX, and you receive
an attack to our IP address 192.0.2.1.
How does it work?
RS1
AS60082
RS2
AS60082
RS3
AS60082
Blackhole
193.242.98.101
Attacker Attacker
Victim
192.0.2.1
AS64496

13.  Let’s imagine you are AS64496, peering at CATNIX, and you receive
an attack to our IP address 192.0.2.1.
How does it work?
RS1
AS60082
RS2
AS60082
RS3
AS60082
Blackhole
193.242.98.101
Attacker Attacker
Victim
192.0.2.1
AS64496
I announce
192.0.2.0/24 to the RS

14.  Let’s imagine you are AS64496, peering at CATNIX, and you receive
an attack to our IP address 192.0.2.1.
How does it work?
RS1
AS60082
RS2
AS60082
RS3
AS60082
Blackhole
193.242.98.101
Attacker Attacker
Victim
192.0.2.1
AS64496
I announce
192.0.2.0/24 to the RS

15.  Let’s imagine you are AS64496, peering at CATNIX, and you receive an
attack to our IP address 192.0.2.1.
 Ask the RSs to send the traffic to the blakhole using the 65535:666
community and the switches will filter the traffic with destination this server.
How does it work?
RS1
AS60082
RS2
AS60082
RS3
AS60082
Blackhole
193.242.98.101
Attacker Attacker
Victim
192.0.2.1
AS64496
I announce
192.0.2.0/24 to the RS
and 192.0.2.1/32 with
the blackholing
community

16.  Let’s imagine you are AS64496, peering at CATNIX, and you receive an
attack to our IP address 192.0.2.1.
 Ask the RSs to send the traffic to the blakhole using the 65535:666
community and the switches will filter the traffic with destination this server.
How does it work?
RS1
AS60082
RS2
AS60082
RS3
AS60082
Blackhole
193.242.98.101
Attacker Attacker
Victim
192.0.2.1
AS64496
I announce
192.0.2.0/24 to the RS
and 192.0.2.1/32 with
the blackholing
community

17.  Let’s imagine you are AS64496, peering at CATNIX, and you receive an
attack to our IP address 192.0.2.1.
 Ask the RSs to send the traffic to the blakhole using the 65535:666
community and the switches will filter the traffic with destination this server.
How does it work?
RS1
AS60082
RS2
AS60082
RS3
AS60082
Blackhole
193.242.98.101
Attacker Attacker
Victim
192.0.2.1
AS64496
I announce
192.0.2.0/24 to the RS
and 192.0.2.1/32 with
the blackholing
community
x

18. Example
 Let’s imagine you are AS64496, peering at CATNIX, and you receive
an attack to our IP address 192.0.2.1. You can ask any of the route-
servers (193.242.98.98, 193.242.98.100, 193.242.98.103) to send the
traffic to the blakhole server and the switches will filter the traffic with
destination this server.
route-map blackhole permit 10
set community 65535:666
router bgp 64496
network 192.0.2.0 mask 255.255.255.0
network 192.0.2.1 mask 255.255.255.255 route-map blackhole
neighbor 193.242.98.98 remote-as 60082
neighbor 193.242.98.98 peer-group CATNIX-RS-IP4
neighbor 193.242.98.98 description EXAMPLE
address-family ipv4
neighbor 193.242.98.98 activate

19. Other options
 You can tell your peers to send the traffic to the attacked IP directly to
the blackholing server 193.242.98.101. The switches will filter the
traffic with this destination (they must accept that your small prefixes).
RS1
AS60082
RS2
AS60082
Attacker Attacker
x
RS3
AS60082
Blackhole
193.242.98.101
I announce
192.0.2.0/24
and 192.0.2.1/32 with
the blackholing
community to my peers

20. Other options
 You can tell your peers to send the traffic to the attacked IP directly to
the blackholing server 193.242.98.101. The switches will filter the
traffic with this destination (they must accpt that your small prefixes).
RS1
AS60082
RS2
AS60082
Attacker Attacker
I announce
192.0.2.0/24
and 192.0.2.1/32 with
next-hop
193.242.98.101 to my
peers
x
RS3
AS60082
Blackhole
193.242.98.101

21. Thank you for your attention!
mariaisabel.gandia@csuc.cat