What RTBH Does
Remote Triggered Black Hole routing tells your upstream providers to drop all traffic destined for a specific IP at their edge. You announce a /32 route for the target IP with a blackhole community (typically 65535:666 or a provider-specific community). The upstream receives the announcement and installs a null route for that prefix.
RTBH is the fastest way to stop a volumetric attack from reaching your network. The traffic is dropped at the upstream edge before it ever hits your transit links. The trade-off: all traffic to that IP is dropped, including legitimate traffic. But when a 10 Gbps flood is saturating your 1 Gbps link, RTBH is sometimes the only option.
Why Automate It
Manual RTBH requires someone to log into a router, type the blackhole route, and commit. During a DDoS attack at 3 AM, this process takes 15-30 minutes: wake up, VPN in, identify the target IP, verify it is under attack, type the route, commit, verify. The damage happens in those 15 minutes.
Automated RTBH works like this: Flowtriq detects an attack, identifies the target IP, verifies the attack exceeds the RTBH threshold, and pushes a blackhole route announcement through ExaBGP within seconds. No human needed. The attack stops hitting your network in under 30 seconds from detection.
Configuration
Flowtriq auto-escalation settings
In the Flowtriq dashboard, configure auto-escalation rules:
Escalation Level: RTBH
Trigger: Attack exceeds 5 Gbps for 30+ seconds
AND on-server mitigation is insufficient
AND FlowSpec is unavailable or insufficient
BGP Adapter: ExaBGP
Community: 65535:666
Announce: /32 of target IP
Auto-withdraw: When attack traffic drops below threshold
ExaBGP configuration
# /etc/exabgp/exabgp.conf
process announce-routes {
    run /usr/bin/python3 /etc/flowtriq/exabgp_handler.py;
    encoder json;
}

neighbor 10.0.0.1 {
    router-id 10.0.0.100;
    local-address 10.0.0.100;
    local-as 65001;
    peer-as 65001;
    family {
        ipv4 unicast;
    }
}
Flowtriq's ExaBGP handler sends announcements through the ExaBGP process API. When an attack is detected and RTBH is triggered:
# Flowtriq announces:
announce route 203.0.113.50/32 next-hop self community [65535:666]

# When the attack ends, Flowtriq withdraws:
withdraw route 203.0.113.50/32
Safety Mechanisms
Automated RTBH needs safeguards to prevent accidental blackholing:
- Minimum attack threshold: RTBH only triggers when the attack exceeds a configurable bandwidth threshold (e.g., 5 Gbps). Smaller attacks are handled by on-server rules or FlowSpec.
- Duration requirement: The attack must persist for at least N seconds before RTBH triggers. Brief spikes do not cause blackholing.
- Prefix safelist: Critical infrastructure IPs (your DNS servers, control plane, management IPs) are never blackholed regardless of attack volume.
- Auto-withdrawal: When the attack stops, the blackhole route is withdrawn automatically. No stale routes lingering for hours.
- RPKI validation: Flowtriq validates the target prefix against RPKI before announcing a blackhole route. This prevents blackholing prefixes you do not own.
- Audit logging: Every RTBH announcement and withdrawal is logged with timestamp, reason, and attack data for post-incident review.
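As an added example (not Flowtriq's own handler code), the controller below applies the threshold, duration, safelist and auto-withdrawal rules from the list above and returns the ExaBGP API commands shown in the handler section; the class name, the safelist addresses and the traffic samples are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE, as in the page's config
THRESHOLD_BPS = 5_000_000_000      # 5 Gbps trigger from the page's example rule
MIN_DURATION_S = 30                # attack must persist this long before RTBH fires
# Constructed safelist: infrastructure IPs that must never be blackholed.
SAFELIST = {ipaddress.ip_address("203.0.113.1"), ipaddress.ip_address("203.0.113.2")}


@dataclass
class RtbhController:
    announced: set = field(default_factory=set)     # targets currently blackholed
    first_seen: dict = field(default_factory=dict)  # target -> time first over threshold
    audit: list = field(default_factory=list)       # (time, action, prefix, reason)

    def observe(self, now, target, bps):
        """Feed one attack measurement; return the ExaBGP API command to emit, or None."""
        ip = ipaddress.ip_address(target)
        prefix = f"{ip}/{128 if ip.version == 6 else 32}"  # /32 for IPv4, /128 for IPv6
        if bps >= THRESHOLD_BPS:
            if ip in SAFELIST:
                self.audit.append((now, "refused", prefix, "safelisted infrastructure IP"))
                return None
            self.first_seen.setdefault(ip, now)
            if ip in self.announced or now - self.first_seen[ip] < MIN_DURATION_S:
                return None  # already blackholed, or not yet over the duration requirement
            self.announced.add(ip)
            self.audit.append((now, "announce", prefix, f"{bps} bps for {MIN_DURATION_S}s+"))
            return f"announce route {prefix} next-hop self community [{BLACKHOLE_COMMUNITY}]"
        # Below threshold: reset the duration timer and withdraw any active blackhole.
        self.first_seen.pop(ip, None)
        if ip in self.announced:
            self.announced.discard(ip)
            self.audit.append((now, "withdraw", prefix, f"{bps} bps below threshold"))
            return f"withdraw route {prefix}"
        return None


def run_constructed_scenario():
    """Replay a constructed attack timeline; return (commands emitted, audit log)."""
    ctl = RtbhController()
    samples = [  # (seconds, target, bits per second), constructed measurements
        (0, "203.0.113.50", 8_000_000_000),    # flood starts: duration timer begins
        (10, "203.0.113.50", 8_000_000_000),   # only 10 s over threshold: no action
        (35, "203.0.113.50", 9_000_000_000),   # 35 s over threshold: announce
        (40, "203.0.113.1", 9_000_000_000),    # safelisted DNS server: refused
        (300, "203.0.113.50", 100_000_000),    # flood ends: withdraw
    ]
    cmds = [c for c in (ctl.observe(*s) for s in samples) if c]
    return cmds, ctl.audit
```

A real handler started from the `process` block writes each returned command to its stdout, which is the channel ExaBGP reads API commands from.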
RTBH in the Escalation Chain
RTBH should be the last resort in a multi-level escalation chain, not the first response:
Level 1: On-server iptables/nftables rules (handles most attacks)
Level 2: BGP FlowSpec (surgical upstream filtering)
Level 3: Cloud scrubbing (traffic diversion and cleaning)
Level 4: RTBH (drop all traffic to target IP)
Each level only activates if the previous level is insufficient. Flowtriq monitors the effect of each mitigation level and escalates automatically when needed. See the auto-escalation guide for the full chain.
FAQ
Does my upstream need to support RTBH?
Yes. Most transit providers support RTBH via BGP communities, but the specific community value varies by provider. Check with your upstream for their blackhole community. The standard value is 65535:666 (the BLACKHOLE community defined in RFC 7999); many providers also accept their own provider-specific community.
Can I use RTBH with IPv6?
Yes. Flowtriq supports IPv6 RTBH announcements for /128 target prefixes. The same auto-escalation logic applies.
What about FlowSpec instead of RTBH?
FlowSpec is more precise (drops specific traffic, not all traffic). If your upstreams support FlowSpec, use it as Level 2 and keep RTBH as Level 4 fallback. See the FlowSpec vs RTBH comparison.
Automate your RTBH. Flowtriq detects attacks and triggers blackhole routes in seconds with built-in safety mechanisms. Start your free 14-day trial.