Configuring a Static Blackhole

A static blackhole indicates a manually configured blackhole policy that takes effect immediately after being created.

There are three static blackhole modes: Routing blackhole, Third-party, and LPU blackhole.

Create a static blackhole.

Select Blackhole mode and set the IP address and subnet mask for blackhole-based traffic diversion. For parameter description, see Table 1.

**Table 1** Blackhole mode
Parameter	Description
Routing blackhole	If Routing blackhole is selected, the ATIC delivers a route whose next hop is NULL 0 to the anti-DDoS device. The anti-DDoS device advertises this route to the upstream blackhole router through BGP. The upstream router executes the blackhole policy for this IP address. NOTE: The upstream router and the BGP peer between the upstream router and anti-DDoS device must be configured in advance.
Third-party	If Third-party is selected, the ATIC calls the API to ask the third party to execute the blackhole policy. The third party executes the blackhole policy for this IP address. NOTE: Before using this mode, Configure Blackhole API on the ATIC to specify the third party information. For detailed configuration methods, see Configure Blackhole API I.
LPU blackhole	If LPU blackhole is selected, the ATIC delivers a hardware blocking policy to the anti-DDoS device for the to-be-blackholed IP address. The LPU executes the blackhole policy for this IP address. NOTE: Only the AntiDDoS8000 that have the LPU240 or LPU120 installed support this mode.

Optional: Select Enable automatically.
NOTE:
If you select Enable automatically when creating a static blackhole, the blackhole policy takes effect immediately.

If Enable automatically is not selected when a static blackhole is created, you can enable this blackhole policy at any time to make it take effect.
Click OK.
NOTE:
After you enable a blackhole policy, all traffic destined for the specified IP address (Destination IP address) is discarded. Exercise caution when using this function.

Configure Blackhole API

Select a service provider and set parameters for authentication. For parameter description, see Table 2.

**Table 2** Configure Blackhole API
Parameter	Description
Third-Party	Supports DamDDoS.
Enable blackhole API	Determines whether to enable the blackhole API of this service provider. A blackhole-based traffic diversion policy can be created only after the service provider's blackhole API is enabled.
Default plugging policy	Only DamDDoS supports this parameter. Select a plugging policy. Once an attack occurs, enable the corresponding policy. Plug the entire network. Plug other carriers in China. Plug carriers outside China. Plug other carriers (only China Telecom users can access the network).
URL	Indicates the URL of the service provider's blackhole API.
Access key	Indicates the authentication access key of the service provider's blackhole API.
Encryption key	Indicates the authentication encryption key of the service provider's blackhole API. It is recommended that the encryption key consist of letters, digits (0-9), and special characters (such as ! # $ %). Change the encryption key periodically.
Scheduled unblocking time	Indicates the aging time of traffic diversion using the blackhole API. Timing starts after the blackhole API is enabled. When the aging time is reached, traffic diversion using the blackhole API is automatically canceled. The value ranges from 5 to 1400, in minutes.

Click Test to authenticate the information.
If the service provider passes the authentication, click OK.
NOTE:
When the blackhole API function is used, to ensure that the clock on the ATIC is consistent with that in the DamDDoS, you need to configure the clock of the ATIC server to time-synchronize with the Internet.