Routing Blackhole

When the blackhole type is set to Routing blackhole and the ATIC performs a blackhole task, the ATIC sends a route with the next hop being NULL 0 to the anti-DDoS device. The anti-DDoS device advertises this route to the upstream blackhole router through BGP, and the upstream router executes the blackhole policy for this IP address.

Context

The routing blackhole policies can be divided into the dynamic blackhole policy and static blackhole policy based on the task generation mode.

The BGP peer relationship between the upstream router that is responsible for executing blackhole policies and the anti-DDoS device needs to be pre-configured in advance.

Procedure

Configure the notification mode of second-level blackhole event.
1. Choose Defense > Policy Settings > Global Policy.
2. Click .
  In the Attack Defense Configuration dialog box, select Sending Alert To ATIC for Notification Mode Of Second-Level Blackhole Event.
3. Click OK.
4. Click .

Dynamic Blackhole Policy
The blackhole policy is dynamically triggered based on real-time statistics about traffic destined to a specific IP address.
Static Blackhole Policy
A blackhole task for a specified IP address is manually created on the ATIC to block the traffic destined to the IP address.
Decapsulating a Blackhole Policy
The blackhole policy can be decapsulated automatically and manually.
Example: Blackhole Route (Blackhole Route of the Upstream Router)
Example: IPv6 Blackhole Route (Blackhole Route of the Upstream Router)

Parent topic: Configuring Blackhole