What Is BGP Blackholing? RTBH and DDoS Mitigation Explained
When a volumetric DDoS attack overwhelms a network, the attacked IP address can become a liability — every router in the path must process packets destined for it, even if those packets are ultimately dropped. BGP blackholing is a technique to signal the network to drop that traffic as close to its source as possible, protecting upstream infrastructure by sacrificing reachability to the attacked destination. It is one of the oldest and most widely deployed DDoS mitigations in production networks.
Remotely-Triggered Black Hole (RTBH)
A Remotely-Triggered Black Hole (RTBH) uses BGP to propagate a "discard this traffic" signal across a network or between networks. The name comes from the mechanism: a BGP community tag signals that the route's next-hop should be a Null0 (discard) interface rather than a real forwarding path. Packets matching the blackholed prefix are dropped at every router that has accepted the blackhole route, rather than being forwarded toward the destination.
The essential components are:
- A trigger router that injects the blackhole route into BGP
- A special next-hop (conventionally 192.0.2.1 or similar) that all routers have statically mapped to Null0 via a floating static route
- A BGP community that tells receiving routers to accept and apply the blackhole next-hop rather than treating it as an unreachable next-hop
When the trigger router announces 203.0.113.42/32 with the blackhole community and the special next-hop, all routers accepting that route install it in their FIB with a Null0 next-hop. Packets destined for 203.0.113.42 are dropped immediately at each ingress point rather than being forwarded further into the network.
The BGP Blackhole Community: RFC 7999 (65535:666)
For years, different networks used different community values to signal blackholes, creating interoperability problems when trying to push blackhole triggers upstream. The IETF standardized a well-known community in RFC 7999: the value 65535:666 (using the IANA-reserved ASN 65535) is the universally recognized blackhole community. Any BGP speaker that receives a route tagged with 65535:666 is expected to accept the route and discard matching traffic, subject to any local policy.
Prior to RFC 7999, the convention was operator-specific. Providers like Lumen (Level 3), NTT, and Telia each published their own community values for blackhole triggers. Those legacy communities continue to work, but RFC 7999's 65535:666 is now the standard for new deployments and IXP blackholing services.
| Operator / Context | Blackhole Community | Notes |
|---|---|---|
| IETF Standard (RFC 7999) | 65535:666 | Well-known, universally recognized |
| Lumen / Level 3 | 3356:9999 | Legacy, still in use |
| NTT (AS2914) | 2914:666 | Destination RTBH |
| DE-CIX (IXP) | 6695:666 | IXP blackholing service |
| AMS-IX (IXP) | 6777:666 | IXP blackholing service |
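
The "subject to any local policy" step is where a receiver decides whether to honour a blackhole request at all. The following is an added example, not code from the original article: `evaluate_route`, `CUSTOMER_SPACE` and the sample updates are hypothetical, and the host-route-only rule is an assumed local policy, while the covering-prefix check follows RFC 7999.

```python
import ipaddress

BLACKHOLE = "65535:666"          # RFC 7999 well-known community
DISCARD_NEXT_HOP = "192.0.2.1"   # next-hop statically routed to Null0

def evaluate_route(prefix, communities, authorized, honoured=frozenset({BLACKHOLE})):
    """Classify one inbound announcement from a neighbor.

    Returns (action, detail) where action is "blackhole", "normal" or "reject".
    `authorized` is the address space this neighbor may advertise.
    """
    net = ipaddress.ip_network(prefix)
    if not honoured.intersection(communities):
        return ("normal", "no honoured blackhole community; apply usual import policy")
    # Assumed local policy: only host routes may be blackholed, so one tagged
    # announcement cannot discard a whole aggregate.
    if net.prefixlen != net.max_prefixlen:
        return ("reject", "blackhole request is not a /32 or /128")
    # RFC 7999: honour the request only inside the neighbor's own space.
    for entry in authorized:
        cover = ipaddress.ip_network(entry)
        if cover.version == net.version and net.subnet_of(cover):
            return ("blackhole", f"set next-hop {DISCARD_NEXT_HOP}, covered by {cover}")
    return ("reject", "prefix is outside the neighbor's authorized space")

# Constructed sample data (documentation prefixes, not real announcements).
CUSTOMER_SPACE = ["203.0.113.0/24", "2001:db8:42::/48"]
SAMPLE_UPDATES = [
    ("203.0.113.42/32", ["65535:666"]),     # victim host route from its owner
    ("2001:db8:42::7/128", ["65535:666"]),  # same, IPv6
    ("203.0.113.0/24", ["65535:666"]),      # whole aggregate tagged: refused
    ("198.51.100.7/32", ["65535:666"]),     # someone else's address: refused
    ("203.0.113.0/24", ["64500:100"]),      # ordinary announcement
]

if __name__ == "__main__":
    for prefix, comms in SAMPLE_UPDATES:
        print(prefix, comms, "->", evaluate_route(prefix, comms, CUSTOMER_SPACE))
```

Without the covering-prefix check, any neighbor could take a third party's address offline simply by tagging a host route for it.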
Destination vs. Source RTBH
Destination RTBH (the common form) blackholes traffic bound for a specific victim IP. The announcement is a host route (/32 for IPv4, /128 for IPv6) with the blackhole community. All traffic to that address is dropped network-wide. This stops the DDoS attack from consuming bandwidth and router resources, but it also takes the victim completely offline — the attacker has effectively accomplished their goal.
Source RTBH blackholes traffic from specific source IP addresses. The trigger router announces the attacker's source IPs with the blackhole community, causing ingress routers to drop packets from those sources. Source RTBH is only effective when combined with Unicast Reverse Path Forwarding (uRPF): routers check whether the source address of an incoming packet is reachable via the same interface the packet arrived on. If the packet claims to come from an address that is blackholed, uRPF drops it.
Source RTBH is more targeted — legitimate traffic to the victim IP is preserved — but it requires that the attack traffic uses non-spoofed source addresses (uncommon for amplification attacks) and that uRPF is enabled at ingress, which requires careful network design to avoid false positives on asymmetric paths.
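The interaction between source RTBH and uRPF can be seen in a small forwarding model. This is an added example, not part of the original article: the `Fib` class, the interface names and the sample routes are hypothetical. It shows a blackholed source failing the check, and the asymmetric-path false positive that strict mode produces and loose mode avoids.

```python
import ipaddress

NULL0 = "Null0"

class Fib:
    """Longest-prefix-match table mapping prefix -> egress interface or Null0."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes.items()]

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        hits = [(net, ifc) for net, ifc in self.routes
                if net.version == ip.version and ip in net]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def urpf_pass(fib, src, in_ifc, mode):
    """Source check: 'strict' needs the return path on in_ifc, 'loose' any real path."""
    back = fib.lookup(src)
    if back is None or back == NULL0:
        return False                 # unroutable or blackholed source
    return back == in_ifc if mode == "strict" else True

def forward(fib, src, dst, in_ifc, mode="loose"):
    if not urpf_pass(fib, src, in_ifc, mode):
        return "drop: uRPF"
    out = fib.lookup(dst)
    if out is None or out == NULL0:
        return "drop: destination"
    return f"forward: {out}"

# Constructed FIB with hypothetical interface names. No default route is
# installed, so "no route" and "route to Null0" are the only loose-mode failures.
SAMPLE_FIB = Fib({
    "203.0.113.0/24": "customer",   # victim's network
    "198.51.100.0/24": "peer-a",    # best path back to this range
    "198.51.100.66/32": NULL0,      # source RTBH route from the trigger router
})

if __name__ == "__main__":
    cases = [("198.51.100.66", "peer-a", "loose"),   # blackholed source
             ("198.51.100.10", "peer-a", "strict"),  # symmetric path
             ("198.51.100.10", "peer-b", "strict"),  # asymmetric path, false positive
             ("198.51.100.10", "peer-b", "loose")]   # same packet, loose mode
    for src, ifc, mode in cases:
        print(src, ifc, mode, "->", forward(SAMPLE_FIB, src, "203.0.113.42", ifc, mode))
```

The victim at 203.0.113.42 stays reachable for every source except the blackholed /32, which is the difference from destination RTBH.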
IXP Blackholing Services
Internet Exchange Points have become an important venue for blackholing because of their network reach. When a network operator is under attack, signaling a blackhole to its upstream providers requires bilateral arrangements with each provider. IXP blackholing services allow a single announcement to reach every network present at the exchange.
Major IXPs operate a dedicated blackholing route server. Members that opt in can send routes tagged with the IXP's blackhole community to this server. The route server then propagates the blackhole to all other participating members. An operator under attack at DE-CIX, for example, can announce the attacked prefix with community 6695:666 and have hundreds of transit networks and peers simultaneously begin dropping that traffic at their edge.
MANRS (Mutually Agreed Norms for Routing Security) and the IETF's BCOP (Best Current Operational Practices) both encourage IXP blackholing participation as part of responsible network operation. The effectiveness depends on how many of the attack's source networks are present at the IXP — for large volumetric attacks originating from distributed botnets, IXP blackholing can absorb a significant fraction of attack traffic before it reaches the victim's upstream links.
FlowSpec: A Finer-Grained Alternative
BGP FlowSpec (RFC 5575, updated by RFC 8955) extends BGP to carry traffic filter rules rather than just route destinations. A FlowSpec rule can match on source prefix, destination prefix, source port, destination port, protocol, DSCP, packet length, and TCP flags — and apply actions including discard, rate-limit, redirect, or mark. This makes FlowSpec far more surgical than RTBH.
Instead of blackholing all traffic to an attacked IP, FlowSpec can drop only UDP traffic to port 53 from a spoofed source range, rate-limit SYN packets to the victim, or redirect attack traffic to a scrubbing center while allowing normal traffic through. The tradeoff is complexity: FlowSpec rules require hardware support in line cards, and the more granular matching requires more careful rule construction to avoid catching legitimate traffic.
For networks facing sophisticated attacks, RTBH and FlowSpec are complementary. RTBH provides immediate relief in the first seconds of an attack; FlowSpec allows progressively more targeted mitigation as the attack pattern becomes clear. The combination is standard practice at major DDoS mitigation providers.
The Collateral Damage Tradeoff
Destination RTBH completes the attacker's objective: the victim IP is offline. Network operators and their customers must weigh this explicitly. For a hosting provider with a customer under attack, blackholing the customer's IP protects every other customer on the same upstream links but takes the attacked customer offline. The provider must either accept collateral disruption to other customers (if they don't blackhole) or accept taking the attacked customer offline (if they do).
This tradeoff has led to the development of scrubbing centers as an alternative. Instead of blackholing, the attack traffic is redirected (via BGP or DNS) to a specialized scrubbing network that separates legitimate from attack traffic and forwards only clean traffic to the victim. Services like Cloudflare Magic Transit, Akamai Prolexic, and Lumen DDoS scrubbing provide this capability. RTBH remains valuable as an immediate response tool and as a fallback when scrubbing capacity is insufficient to absorb an attack.
The mechanics of DDoS attacks and BGP communities provide additional context for understanding how blackholing fits into the broader network security toolkit. For amplification attacks exploiting UDP services, IP spoofing prevention at the source network (BCP38) is the only truly effective long-term solution.
Explore It Live
You can observe the effects of blackholing by looking for prefixes that appear and disappear from the routing table during DDoS events:
- AS3356 — Lumen/Level 3, a major provider offering RTBH services to customers
- AS2914 — NTT, another transit provider with widely used blackhole community 2914:666
- AS13335 — Cloudflare; see the scale of anycast prefix announcements used for DDoS absorption
Enter any prefix in the lookup tool to see its current BGP state. A /32 host route for a single IP with a short AS path is a classic indicator of an active RTBH announcement.