A massive DDoS attack is saturating your upstream link. Your entire network is affected because one target is receiving gigabits of attack traffic. You can’t filter it — there’s too much. You can’t absorb it — your link is overwhelmed.
RTBH (Remote Triggered Blackhole) tells your upstream provider: “Drop all traffic to this IP.” The attack traffic is discarded at the upstream, before it reaches your network. Your target is offline, but your network survives.
RTBH sacrifices the target to save the network.
How RTBH Works
Normal:

```
Attack ─→ [ISP] ─→ [Your Router] ─→ [Victim Server]
                        │  Link saturated
                        └─→ [Other Servers] (collateral damage)
```

With RTBH:

```
Attack ─→ [ISP] ─✕─ (traffic blackholed)

[Your Router] ─→ [Victim Server] (unreachable, but attack stopped)
            └─→ [Other Servers] (working normally)
```

RTBH Setup
Prerequisites
- BGP session with upstream provider
- Agreement on blackhole community (e.g., ISP_ASN:666)
- Prefix you can announce (/32 or /24 depending on ISP)
Configure Blackhole Route
```
configure
# Create blackhole next-hop
set protocols static route 192.0.2.1/32 blackhole
# This creates a null route locally
# Packets to 192.0.2.1 are dropped
commit
```

Configure BGP to Announce Blackhole
```
configure
# Define blackhole community (check with your ISP)
set policy community-list ISP-BLACKHOLE rule 10 regex "65000:666"
# Route map for blackhole announcements
set policy route-map BLACKHOLE-OUT rule 10 action permit
set policy route-map BLACKHOLE-OUT rule 10 match ip address prefix-list BLACKHOLE-PREFIXES
set policy route-map BLACKHOLE-OUT rule 10 set community "65000:666"
set policy route-map BLACKHOLE-OUT rule 10 set origin igp
# Regular announcements
set policy route-map BLACKHOLE-OUT rule 20 action permit
# Static blackhole routes must be redistributed into BGP before the route-map can match them
set protocols bgp address-family ipv4-unicast redistribute static
# Apply to BGP neighbor
set protocols bgp neighbor 10.0.0.1 address-family ipv4-unicast route-map export BLACKHOLE-OUT
commit
```

Triggering RTBH
Manual Trigger
```
configure
# Add victim IP to blackhole prefix list
set policy prefix-list BLACKHOLE-PREFIXES rule 10 prefix 203.0.113.100/32
set policy prefix-list BLACKHOLE-PREFIXES rule 10 action permit
# Ensure route exists
set protocols static route 203.0.113.100/32 blackhole
commit
# ISP receives announcement with blackhole community
# ISP drops all traffic to 203.0.113.100
```

Remove Blackhole
```
configure
# Remove from prefix list
delete policy prefix-list BLACKHOLE-PREFIXES rule 10
# Remove blackhole route
delete protocols static route 203.0.113.100/32
commit
# ISP removes blackhole, traffic flows again
```

Trigger Router Architecture
Dedicated Trigger Router
```
                 ┌─────────────────┐
                 │ Trigger Router  │
                 │ (announces /32) │
                 └────────┬────────┘
                          │ iBGP
┌────────────────────────────────────────────────────────────┐
│ Your Network                                               │
│   [Border1] ════════════════════════════════ [Border2]     │
│       │                                          │         │
│       └───────────────[ISP A]────────────────────┘         │
└────────────────────────────────────────────────────────────┘
```

- Trigger router announces /32 with blackhole community
- Border routers learn and propagate to ISP
- ISP drops traffic to the /32

Trigger Router Configuration
```
configure
# Trigger router (separate from border routers)
set protocols bgp system-as 65001
set protocols bgp router-id 10.255.0.100
# iBGP to border routers
set protocols bgp neighbor 10.255.0.1 remote-as 65001
set protocols bgp neighbor 10.255.0.2 remote-as 65001
# Redistribute the local static blackhole routes so they are carried over iBGP
set protocols bgp address-family ipv4-unicast redistribute static
# Blackhole routes announced via iBGP
# Border routers then announce to ISP with community
commit
```

Destination-Based vs Source-Based RTBH
Destination-Based (Common)
```
# Drop traffic TO the victim
# Victim is unreachable but network saved
set protocols static route 203.0.113.100/32 blackhole
# Announce 203.0.113.100/32 with blackhole community
```

Source-Based (If ISP Supports)
```
# Drop traffic FROM attacker
# Victim remains reachable
# Requires ISP support for S-RTBH
# Much less common
# Check with your specific ISP
```

Automation
Trigger Script
```bash
#!/bin/bash
# Usage: trigger-rtbh.sh add|remove <victim-ip>
set -eu
ACTION="${1:-}"
TARGET="${2:-}"
VYOS_API="https://localhost/api"   # reserved for prefix-list updates via the VyOS HTTP API (unused below)
API_KEY="your-api-key"

if [ -z "$ACTION" ] || [ -z "$TARGET" ]; then
  echo "Usage: $0 add|remove <victim-ip>" >&2
  exit 1
fi

case "$ACTION" in
  add)
    # Add blackhole route (FRR running config only; not persisted in the VyOS config)
    vtysh -c "configure terminal" \
          -c "ip route $TARGET/32 blackhole"
    # Add to prefix list
    # (requires API or direct config manipulation)
    echo "Blackhole triggered for $TARGET"
    ;;
  remove)
    vtysh -c "configure terminal" \
          -c "no ip route $TARGET/32 blackhole"
    echo "Blackhole removed for $TARGET"
    ;;
  *)
    echo "Unknown action: $ACTION" >&2
    exit 1
    ;;
esac
```

Integration with Monitoring
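When a monitoring loop calls the trigger unattended, the trigger itself should refuse anything outside your own address space, because one bad input blackholes a prefix you never meant to touch. The following is an added example, not the page's script: it validates the target against a constructed list of protected prefixes (PROTECTED_PREFIXES and the rule number are assumptions), emits the same VyOS commands as the manual trigger above, and pushes them through the VyOS config wrapper (/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper) so the change is committed rather than left only in vtysh's running config.

```shell
#!/bin/bash
# Added example (not the page's script): refuse to blackhole anything outside
# your own prefixes, then emit the VyOS commands the manual trigger uses.
set -eu
PROTECTED_PREFIXES="${PROTECTED_PREFIXES:-203.0.113.0/24 198.51.100.0/24}"  # constructed sample
RULE=10   # prefix-list rule number, as in the page's manual trigger (assumption)

# ip_to_int A.B.C.D: print the address as a 32-bit integer; fail if not valid IPv4
ip_to_int() {
  local IFS=. n=0 o v=0
  for o in $1; do
    case $o in ''|*[!0-9]*|0?*) return 1 ;; esac   # reject empty, non-digit, leading-zero octets
    [ "$o" -le 255 ] || return 1
    v=$(( (v << 8) | o )); n=$((n + 1))
  done
  [ "$n" -eq 4 ] && echo "$v"
}

# validate_target IP: succeed only if IP lies inside one of PROTECTED_PREFIXES
validate_target() {
  local ipn p net len mask
  ipn=$(ip_to_int "$1") || return 1
  for p in $PROTECTED_PREFIXES; do
    net=${p%/*}; len=${p#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( ipn & mask )) -eq $(( $(ip_to_int "$net") & mask )) ] && return 0
  done
  return 1
}

# rtbh_commands add|remove IP: print the VyOS config commands for that action
rtbh_commands() {
  validate_target "$2" || { echo "refusing $2: not in protected prefixes" >&2; return 1; }
  case $1 in
    add)    printf '%s\n' \
              "set policy prefix-list BLACKHOLE-PREFIXES rule $RULE prefix $2/32" \
              "set policy prefix-list BLACKHOLE-PREFIXES rule $RULE action permit" \
              "set protocols static route $2/32 blackhole" ;;
    remove) printf '%s\n' \
              "delete policy prefix-list BLACKHOLE-PREFIXES rule $RULE" \
              "delete protocols static route $2/32" ;;
    *)      echo "usage: rtbh_commands add|remove IP" >&2; return 1 ;;
  esac
}

# apply_rtbh add|remove IP: validate first, then commit through the VyOS config wrapper
apply_rtbh() {
  local w=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper cmds cmd
  cmds=$(rtbh_commands "$1" "$2") || return 1
  "$w" begin
  printf '%s\n' "$cmds" | while read -r cmd; do $w $cmd; done   # unquoted: wrapper takes separate words
  "$w" commit && "$w" end
}
```

The page's monitoring loop below can call apply_rtbh in place of the unvalidated trigger; an address outside PROTECTED_PREFIXES is refused before any config session is opened.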
```bash
#!/bin/bash
# Monitor traffic to critical IPs
# If threshold exceeded, trigger RTBH
THRESHOLD_PPS=1000000   # 1M pps

# get_pps_to_ip and alert_team are placeholders for your monitoring and alerting tools
while read -r ip; do
  [ -n "$ip" ] || continue
  PPS=$(get_pps_to_ip "$ip")   # Your monitoring tool
  if [ "$PPS" -gt "$THRESHOLD_PPS" ]; then
    /config/scripts/trigger-rtbh.sh add "$ip"
    alert_team "RTBH triggered for $ip (${PPS} pps)"
  fi
done < /config/protected-ips.txt
```

ISP Community Reference
Common Blackhole Communities
```
# Format: ISP_ASN:666 (common convention)
# Check with your specific ISP
# Examples (verify before use):
# Level3: 3356:666 or 3356:9999
# NTT: 2914:666
# Cogent: 174:666
# Your ISP: Check their BGP community documentation
```

Multiple Upstreams
```
configure
# Different community per upstream
set policy route-map BLACKHOLE-OUT-ISP1 rule 10 set community "65001:666"
set policy route-map BLACKHOLE-OUT-ISP2 rule 10 set community "65002:666"
# Apply to respective neighbors
set protocols bgp neighbor 10.0.0.1 address-family ipv4-unicast route-map export BLACKHOLE-OUT-ISP1
set protocols bgp neighbor 10.0.1.1 address-family ipv4-unicast route-map export BLACKHOLE-OUT-ISP2
commit
```

Verification
Check Local Blackhole
```
# Verify blackhole route installed
show ip route 203.0.113.100
# Should show:
# B>* 203.0.113.100/32 [20/0] unreachable (blackhole), 00:05:00
```

Check BGP Announcement
```
# Verify route is being announced
show bgp ipv4 unicast 203.0.113.100/32
# Check communities
show bgp ipv4 unicast 203.0.113.100/32 community
# Should show blackhole community attached
```

Check with ISP
```
# Look at ISP's looking glass
# Verify they received the announcement
# Verify they're applying blackhole
# Most ISPs have looking glass tools
# Check route presence and community
```

Risks and Considerations
Victim Becomes Unreachable
RTBH drops ALL traffic to the victim:
- Attack traffic: dropped ✓
- Legitimate traffic: dropped ✓

The victim is completely offline during RTBH. Only use it when the alternative is worse (entire network down).

Prefix Length Requirements
```
# Many ISPs only accept /24 or shorter
# /32 announcements may be filtered
# Options:
# 1. ISP accepts /32 with blackhole community (best)
# 2. Announce covering /24 (affects more IPs)
# 3. Use ISP-specific RTBH mechanism
```

BGP Propagation Time
Trigger RTBH → BGP updates propagate → ISP applies blackhole

Typical: 30 seconds to a few minutes. During this time, the attack still reaches you.

Best Practices
1. Document Procedure
```
# RTBH Trigger Procedure

## When to Use
- Attack saturating upstream link
- Collateral damage to other services
- Manual filtering impossible

## Steps
1. Confirm attack target IP
2. Notify team/management
3. Execute trigger script
4. Verify with ISP
5. Monitor network recovery
6. Remove blackhole when attack stops

## Contacts
- ISP NOC: +1-xxx-xxx-xxxx
- Internal: @security-team
```

2. Test Before You Need It
```
# Test with non-critical IP
# Verify ISP accepts and applies blackhole
# Measure propagation time
# Test removal procedure
```

3. Have Rollback Ready
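One way to make the auto-remove concrete, as an added example that is not part of the page: record an expiry next to each blackholed IP and have a cron job call expire_blackholes, so a /32 that everyone forgot about does not stay blackholed indefinitely. The state-file path, the default TTL and the use of the page's /config/scripts/trigger-rtbh.sh as the add/remove command are assumptions.

```shell
#!/bin/bash
# Added example (not the page's code): time-limited blackholes.
# The state file holds one "IP EXPIRY_EPOCH" line per active blackhole.
set -eu
STATE="${RTBH_STATE:-/config/rtbh-active.txt}"              # assumed path
TRIGGER="${RTBH_TRIGGER:-/config/scripts/trigger-rtbh.sh}"  # the page's trigger script
DEFAULT_TTL=${RTBH_TTL:-3600}                               # seconds; assumed default

# blackhole_with_ttl IP [TTL]: trigger the blackhole and record when to lift it
blackhole_with_ttl() {
  local ip=$1 ttl=${2:-$DEFAULT_TTL}
  "$TRIGGER" add "$ip"
  printf '%s %s\n' "$ip" "$(( $(date +%s) + ttl ))" >> "$STATE"
}

# expire_blackholes [NOW]: lift every blackhole whose expiry has passed; prints the IPs removed
expire_blackholes() {
  local now=${1:-$(date +%s)} ip exp tmp
  [ -f "$STATE" ] || return 0
  tmp=$(mktemp)
  while read -r ip exp; do
    if [ "$exp" -le "$now" ]; then
      "$TRIGGER" remove "$ip"
      echo "$ip"
    else
      printf '%s %s\n' "$ip" "$exp" >> "$tmp"   # keep entries that are still live
    fi
  done < "$STATE"
  mv "$tmp" "$STATE"
}
```

Run expire_blackholes from cron every minute; its output is the list of IPs it just un-blackholed, which is what you want in the on-call log.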
```
# Keep removal procedure ready
# Time-limit blackholes (auto-remove)
# Monitor for attack cessation
```

4. Combine with Other Measures
RTBH is the nuclear option: it saves the network. Also use:
- Rate limiting (smaller attacks)
- Upstream scrubbing (sophisticated attacks)
- CDN/DDoS protection (application layer)

The Lesson
RTBH sacrifices the target to save the network.
When to use RTBH:
- Attack larger than your link can handle
- Collateral damage affecting entire network
- No other option available
When NOT to use RTBH:
- Attack is manageable with rate limiting
- Upstream scrubbing is available
- Target availability is critical
RTBH is the last resort. It works by making the victim unreachable to everyone — attackers and legitimate users alike. Use it when the alternative (entire network down) is worse.
Have it configured and tested before you need it. During an attack is not the time to learn RTBH.