Wednesday, December 2, 2015

DDoS Blackhole

DDoS Blackhole has been released on GitHub, The application detects Distributed Denial of Service (DDoS) flood attacks in real-time and can automatically install a null / blackhole route to drop the attack traffic and maintain Internet connectivity. See DDoS for additional background.

The screen capture above shows a simulated DNS amplification attack. The Top Targets chart is a real-time view of external traffic to on-site IP addresses. The red line indicates the threshold that has been set at 10,000 packets per second and it is clear that traffic to address exceeds the threshold. The Top Protocols chart below shows that the increase in traffic is predominantly DNS. The Controls chart shows that a control was added the instant the traffic crossed the threshold.
The Controls tab shows a table of the currently active controls. In this case, the controller is running in Manual mode and is listed with a pending status as it awaits manual confirmation (which is why the attack traffic persists in the Charts page). Clicking on the entry brings up a form that can be used to apply the control.
The chart above from the DDoS article shows an actual attack where the controller automatically dropped the attack traffic.
The basic settings are straightforward, allowing the threshold, duration, mode of operation and protected address ranges to be set.

Controls are added and removed by calling an external TCL/Expect script which logs into the site router and applies the following CLI command to drop traffic to the targeted address:
ip route target_ip/32 null0 name "DOS ATTACK"
The script can easily be modified or replaced to apply different controls or to work with different vendor CLIs.

Additional instructions are available under the Help tab. Instructions for downloading and installing the DDoS Blackhole application are available on

The software will work on any site with sFlow capable switches, even if the router itself doesn't support sFlow. Running the application in Manual mode is a completely safe way to become familiar with the software features and get an understanding of normal traffic levels. Download the software and give it a try.


  1. Even better if your ISP support RTBH via BGP Communities. Level 3 allows you to trigger it with the following community (or at least used to):

    3356:9999 - blackhole (discard) traffic

    1. Thanks for the information about Level 3. There is rudimentary BGP support built in to sFlow-RT, Active Route Manager, but BGP Communities aren't yet supported.

      In the mean time, you could probably replace the TCL/Expect script with a script that uses ExaBGP.