Network attacks, including Distributed Denial-of-Service (DDoS), keep growing in bandwidth and in the damage they cause (recent attacks exceed 1.7 Tbps), with devastating impact on the targeted companies and governments. Over the years, mitigation techniques ranging from blackholing to ACL filtering at routers and on to traffic scrubbing have been added to our toolboxes. Although these techniques provide some protection, each has a drawback: they either cause severe collateral damage (classic blackholing drops all traffic to the victim prefix, legitimate traffic included), are cost-intensive, or do not scale to Tbps-level attacks. In this talk we present our Next Generation Blackholing system, developed and deployed at DE-CIX, which combines the hardware filters already available in the switching platform with a novel route server-based signaling mechanism. It builds upon the scalability of blackholing while limiting collateral damage by making the filters more granular than a whole-prefix drop. We present the design fundamentals and the building blocks, highlight implementation challenges, and report on the performance evaluation.
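To make the collateral-damage argument concrete, here is an added example (not DE-CIX's code, and not the signaling format described in the talk) that contrasts classic blackholing with a granular filter over a constructed flow sample. The RFC 7999 BLACKHOLE community `65535:666` is real; the `bh:<proto>:<port>` tag used to request a granular filter is a hypothetical placeholder for whatever a route server-based signaling mechanism would carry, and the flow records are constructed for the illustration.

```python
"""Classic vs. granular blackholing, measured on a constructed flow sample.

Added illustration only: the 'bh:<proto>:<port>' tag is a hypothetical
signal, not DE-CIX's encoding, and the flows below are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# RFC 7999 well-known BLACKHOLE community (real).
BLACKHOLE_COMMUNITY = "65535:666"


@dataclass(frozen=True)
class Flow:
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    nbytes: int
    legit: bool     # ground-truth label, used only to measure collateral damage


@dataclass(frozen=True)
class FilterRule:
    prefix: object                  # ipaddress network object
    proto: Optional[str] = None     # None means "any protocol"
    dport: Optional[int] = None     # None means "any destination port"

    def matches(self, flow: Flow) -> bool:
        if ip_address(flow.dst) not in self.prefix:
            return False
        if self.proto is not None and flow.proto != self.proto:
            return False
        if self.dport is not None and flow.dport != self.dport:
            return False
        return True


def parse_signal(announcement: Dict) -> FilterRule:
    """Turn a BGP-style blackholing announcement into one filter rule.

    announcement = {"prefix": "<cidr>", "communities": [..]}.
    - BLACKHOLE community alone          -> classic: drop everything to the prefix
    - plus hypothetical 'bh:<proto>:<port>' -> granular: drop only that proto/port
    """
    communities = announcement["communities"]
    if BLACKHOLE_COMMUNITY not in communities:
        raise ValueError("not a blackholing announcement")
    prefix = ip_network(announcement["prefix"])
    for tag in communities:
        if tag.startswith("bh:"):
            _, proto, port = tag.split(":")
            return FilterRule(prefix, proto.lower(), int(port))
    return FilterRule(prefix)


def apply_filter(rule: FilterRule, flows: List[Flow]) -> Dict[str, int]:
    """Count bytes the rule drops and passes, split by the legit label."""
    stats = {"attack_dropped": 0, "legit_dropped": 0,
             "attack_passed": 0, "legit_passed": 0}
    for f in flows:
        dropped = rule.matches(f)
        kind = "legit" if f.legit else "attack"
        stats[f"{kind}_{'dropped' if dropped else 'passed'}"] += f.nbytes
    return stats


# Constructed sample: an NTP-reflection flood at 203.0.113.10 plus real users.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", "udp", 123, 700_000, legit=False),
    Flow("203.0.113.10", "udp", 123, 300_000, legit=False),
    Flow("203.0.113.10", "tcp", 443, 50_000, legit=True),
    Flow("203.0.113.10", "tcp", 22, 5_000, legit=True),
    Flow("203.0.113.20", "tcp", 443, 30_000, legit=True),   # neighbour, not attacked
]

CLASSIC_SIGNAL = {"prefix": "203.0.113.10/32",
                  "communities": [BLACKHOLE_COMMUNITY]}
GRANULAR_SIGNAL = {"prefix": "203.0.113.10/32",
                   "communities": [BLACKHOLE_COMMUNITY, "bh:udp:123"]}


def compare(flows: List[Flow] = SAMPLE_FLOWS) -> Dict[str, Dict[str, int]]:
    """Run both signals over the same flows and return their drop/pass stats."""
    return {
        "classic": apply_filter(parse_signal(CLASSIC_SIGNAL), flows),
        "granular": apply_filter(parse_signal(GRANULAR_SIGNAL), flows),
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
```

Both rules remove the full 1,000,000 bytes of attack traffic; the difference is what else they take with them. The classic /32 blackhole also drops every legitimate byte destined to the victim host, which is exactly the collateral damage the talk refers to, while the granular rule leaves the victim's HTTPS and SSH traffic untouched.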
Christoph Dietzel is Head of the Products & Research department at DE-CIX, responsible for R&D, Product Management, global Network Design, and Project Management.