Wednesday, December 2, 2015

DDoS Blackhole

DDoS Blackhole has been released on GitHub. The application detects Distributed Denial of Service (DDoS) flood attacks in real-time and can automatically install a null / blackhole route to drop the attack traffic and maintain Internet connectivity. See DDoS for additional background.

The screen capture above shows a simulated DNS amplification attack. The Top Targets chart is a real-time view of external traffic to on-site IP addresses. The red line indicates the threshold that has been set at 10,000 packets per second and it is clear that traffic to address exceeds the threshold. The Top Protocols chart below shows that the increase in traffic is predominantly DNS. The Controls chart shows that a control was added the instant the traffic crossed the threshold.
The Controls tab shows a table of the currently active controls. In this case, the controller is running in Manual mode and is listed with a pending status as it awaits manual confirmation (which is why the attack traffic persists in the Charts page). Clicking on the entry brings up a form that can be used to apply the control.
The chart above from the DDoS article shows an actual attack where the controller automatically dropped the attack traffic.
The basic settings are straightforward, allowing the threshold, duration, mode of operation and protected address ranges to be set.

Controls are added and removed by calling an external TCL/Expect script which logs into the site router and applies the following CLI command to drop traffic to the targeted address:
ip route target_ip/32 null0 name "DOS ATTACK"
The script can easily be modified or replaced to apply different controls or to work with different vendor CLIs.
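
The threshold, protected address range and Manual/Automatic behaviour described above, as an added example that is not code from the DDoS Blackhole application. The function names, configuration field names, mode strings and sample addresses are constructed, and the expiry of every control after the configured duration is an assumption.

```javascript
// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4 || !parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

// True when ip falls inside cidr, e.g. "198.51.100.0/24".
function inCidr(ip, cidr) {
  const [base, len] = cidr.split('/');
  const a = ipToInt(ip), b = ipToInt(base), bits = Number(len);
  if (a === null || b === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(a / size) === Math.floor(b / size);
}

// CLI line from the article; only a well-formed IPv4 address may reach the router session.
function routeCommand(ip) {
  if (ipToInt(ip) === null) throw new Error('invalid target address');
  return `ip route ${ip}/32 null0 name "DOS ATTACK"`;
}

// One evaluation pass. rates: {address: packets/sec}; controls: Map of current controls.
function evaluate(rates, controls, cfg, now) {
  const actions = [];
  for (const [ip, pps] of Object.entries(rates)) {
    if (pps <= cfg.threshold || controls.has(ip)) continue;
    if (!cfg.protectedRanges.some(c => inCidr(ip, c))) continue; // never act outside protected ranges
    const status = cfg.mode === 'automatic' ? 'active' : 'pending';
    controls.set(ip, { status, expires: now + cfg.duration });
    actions.push({ ip, status, command: status === 'active' ? routeCommand(ip) : null });
  }
  for (const [ip, c] of controls) { // assumption: every control lapses after cfg.duration seconds
    if (now >= c.expires) { controls.delete(ip); actions.push({ ip, status: 'removed', command: null }); }
  }
  return actions;
}

// Manual confirmation of a pending control; returns the command to apply.
function confirmControl(ip, controls) {
  const c = controls.get(ip);
  if (!c || c.status !== 'pending') return null;
  c.status = 'active';
  return routeCommand(ip);
}

// Constructed sample (documentation address ranges), Manual mode.
const sampleCfg = { threshold: 10000, duration: 60, mode: 'manual', protectedRanges: ['198.51.100.0/24'] };
const sampleControls = new Map();
console.log(evaluate({ '198.51.100.7': 25000, '203.0.113.9': 40000 }, sampleControls, sampleCfg, 0));
```

In the sample run only the address inside the protected range produces a control, and in Manual mode it stays pending with no command until it is confirmed.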

Additional instructions are available under the Help tab. Instructions for downloading and installing the DDoS Blackhole application are available on

The software will work on any site with sFlow capable switches, even if the router itself doesn't support sFlow. Running the application in Manual mode is a completely safe way to become familiar with the software features and get an understanding of normal traffic levels. Download the software and give it a try.


  1. Even better if your ISP supports RTBH via BGP Communities. Level 3 allows you to trigger it with the following community (or at least used to):

    3356:9999 - blackhole (discard) traffic

    1. Thanks for the information about Level 3. There is rudimentary BGP support built in to sFlow-RT, Active Route Manager, but BGP Communities aren't yet supported.

      In the meantime, you could probably replace the TCL/Expect script with a script that uses ExaBGP.

  2. Hi Mr. Peter. Can you explain specifically where the ip route command should be applied? I tried it in the sflow-rt dir and in a new terminal, and both failed. Lastly I tried the curl command curl http://localhost:8008/script/ddos.js/json?action=enable {"controls":{},"enabled":true}, and the controls in the DDoS application still show nothing. Thank you.

    1. You need to configure the IP Address Groups and add additional group(s) containing the globally routable CIDRs for your servers. The address groups are used to identify local, non-local and non-routable address spaces. Traffic from external addresses to local globally routable addresses is monitored for DDoS attacks.

      Once you have the groups configured you should start to see traffic under the charts tab.

  3. Hi, I can't see the traffic. Can you explain specifically how to configure it?

    1. You need to set the address groups. The following article gives a description: Remotely Triggered Black Hole (RTBH) Routing

    2. Must it use BGP?
      I am using Mininet to simulate a network environment, and want to use DDoS Blackhole to detect DDoS attacks, but I don't use BGP. What should I do?

    3. There are a number of additional examples on this blog; click on the DoS label to see the articles.

      If you are using Mininet then you might be interested in Mininet flow analytics and Mininet dashboard.

      You can write your application using the REST API or the internal JavaScript API; see Writing Applications.