Remotely Triggered Black Hole (RTBH) destination and source based introduction

RTBH is a method of creating black holes in your network, preferably at your network edge, to drop unwanted incoming traffic, which is usually some kind of attack traffic.

There are two types of black holes you can configure in RTBH, one is source based and the other is destination based.

The black holes are created by simply forwarding the unwanted traffic towards a Null0 interface. Null0 is a pseudo interface, i.e. a logical interface that is always up and can never forward or receive traffic, so anything routed to it is silently discarded.

RTBH itself is not a feature in IOS which you turn on or off; rather it is a security model which is configured through the use of other IOS features such as iBGP, uRPF, static routes and route-maps.

RTBH can be used to mitigate the following:

  • DOS and DDOS attacks
  • Blacklist filtering

Destination based RTBH allows you to filter traffic based on the destination. This method does not prevent a DOS or DDOS on an end user (the victim's address is still unreachable), but it can remove a lot of unwanted traffic from your network by dropping it at the network edge rather than carrying it to the victim.

Source based RTBH allows you to filter traffic based on the source. This method can prevent a DOS attack on a particular end user by black holing the source of the attack. This method works well, but if a DOS attack is coming from a user who is randomly changing the source addresses of the attack, then black holing many sources not only doesn't scale well but may actually black hole the real owners of that address space.
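To make the model concrete, here is an added IOS configuration example (not from the original post); the AS number, neighbour address, interface name, discard prefix 192.0.2.1 and victim/attacker address 203.0.113.10 are all assumed placeholder values. The trigger router injects a tagged static route into iBGP with its next hop rewritten to the discard prefix; every edge router already routes that prefix to Null0, so the destination is black holed network-wide, and with loose uRPF on the ingress interface the same trigger route black holes a source address instead.

```ios
! --- Trigger router (constructed example; AS 65000 and peer 10.0.0.2 assumed) ---
! Discard prefix: an otherwise unused host route, pointed at Null0 on every router.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Inject the address to black hole (victim for destination based, attacker for
! source based) with a tag the route-map matches. Removing this line withdraws
! the black hole from every edge router.
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
router bgp 65000
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
 redistribute static route-map RTBH
!
! Only tagged statics are redistributed; the next hop is rewritten to the
! discard prefix so each edge router resolves the route to Null0. no-export
! keeps the trigger route inside our own AS.
route-map RTBH permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
route-map RTBH deny 20
!
! --- Edge router (constructed example; interface name assumed) ---
ip cef
ip route 192.0.2.1 255.255.255.255 Null0
!
! Destination based: the iBGP route for 203.0.113.10 resolves via 192.0.2.1
! to Null0, so traffic towards that address is dropped at the edge.
! Source based: loose uRPF drops any packet whose SOURCE address routes to
! Null0, so the same trigger route black holes an attack source at ingress.
interface GigabitEthernet0/0
 description Upstream link
 ip verify unicast source reachable-via any
```

Because the trigger is a single static route, the black hole is installed and withdrawn from every edge in one place, which is what makes the method "remotely triggered".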

Both methods of RTBH have their merits and can most definitely add value to your network. But like most things, you just need to understand where to position it and the associated Do's and Don'ts.
