Now that you know what a BGP blackhole is (if you don’t already know, check out our article on RTBH – Blackhole). Now it’s time to configure it and be able to protect yourself from DDoS attacks.

To summarize the Blackhole, it is a technique of sending a route to the “black hole” or simply making the router discard packets directed to that IP. With the blackhole you can also announce these attacked IPs to your suppliers/upstreams and thus stop the attacks.

Now that I know what it is, now comes the question how to blackhole my router? In today’s article we are going to show you how to configure Blackhole on Huawei Routers.

To do the Blackhole manually we have some steps that are:

  1. Identify the attacked IP
  2. Create route to blackhole
  3. Advertise this blackhole route via BGP to your carriers/upstreams

You can automate all of this with Made4Flow, already closing a direct session and not having to do manual work.

If you want to know how to automate everything with Made4Flow, check out our next article.

Let’s go to the settings then

1 – Identify the attacked IP

You can do this through Netflow analysis, with Made4Flow, through the graphics and identify through the Raw Data Report, which IP has the most traffic and possibly being the victim of the attack.

Within Made4Flow, access, for example, the Interface Graphic by Application and then, clicking on the most used port, you can identify which IP is being attacked.

Or through Made4Flow, simply by accessing the Anti-DDoS module -> Active Anomalies

The attacked IP was: (Example)

2) Create a route to blackhole or Null0

After identifying the attacked IP via Made4Flow it is now time to create the route on your Huawei Router to effectively play the IP to Blackhole.

Let’s assume that the attacked IP is, let’s create the route as follows

Applied commands:

ip route-static 32 null 0

After applying the route pointing to Null0 this IP will STOP WORKING!

You can check the route using the display command:

If the route has interface Null0, you are already sending it to Blackhole.

3 – Announce the IP in blackhole via BGP to your operators/upstreams

After identifying and blackhole the route you need to advertise via BGP to your operators/upstreams.

Before configuration, it is always recommended to talk to your Operator/Upstream to find out which Blackhole BGP community is.

The BGP session with your operator needs to be established!

For this, we have a few steps:

  1. Create the Network within BGP

To create you must access BGP and create with the network command


bgp 65000
network 32

  1. Configure a prefix-list / ip-prefix with the attacked IP

To configure a route-policy in a simple way to send an IP, you must create an ip-prefix to use within the Route-policy

In our example, where the IP is attacked, we will use the following command:

Command: ip ip-prefix ATTACKED-ID permit 32

  1. Configure your Route-Policy to send the attacked IP advertisement

Before configuring the route-policy, you identify which node (sequence) it will be on. You must put it in a position that does not have a deny before it, as a suggestion I recommend putting it first in the route-policy.

To identify the correct name, look at your route-policy and evaluate the number, using the command:

Command: display current-configuration configuration route-policy OPERATORA-XPTO-OUT

In our case it will be the node with a number less than 1000 to be placed before other configurations. The following configuration was made:


route-policy OPERATOR-XPTO-OUT permit node 100
if-match ip-prefix IP-ATTACKED
apply community 666:666

The if-match commands make the Huawei router check the ip-prefix thus saying that only the IPs within the prefix list will be advertised via BGP. In the apply community command it says to apply the BGP community to the IPs that matched the ip-prefix.

Our XPTO carrier uses community BGP 666:666 to send traffic to Blackhole

Tip: Talk to your operator to find out which BGP blackhole community they use!

Once this is done, the IP will remain in blackhole and announced to your operator, the attack will cease if it goes to this single IP.

The complete configuration looked like this:

bgp 65000
ipv4-family unicast
undo synchronization
route-policy OPERATOR-XPTO-OUT permit node 100
if-match ip-prefix IP-ATTACKED
apply community 666:666
route-policy OPERATOR-XPTO-OUT permit node 1000
if-match ip-prefix MY-BLOCK
route-policy OPERATOR-XPTO-OUT deny node 50000
ip ip-prefix MY-BLOCK index 10 permit 22
ip ip-prefix ATTACKED-IP index 10 permit 32
ip route-static NULL0
ip route-static NULL0

Automating with Made4Flow

With Made4Flow it is possible to automate the blackhole announcement process of attacked IPs.

For that we need:

  • Configure BGP session between Edge Router and Made4Flow

To configure the BGP session between the Router and Made4Flow, you need to create a route-policy and then the BGP session

To configure the route-policy:

Command: route-policy MADE4FLOW-IN permit node 1000

apply ip-address next-hop

In this case it is necessary to add Next-hop manually on the router.

Within Made4Flow, you can already advertise with the correct BGP and Next-hop community if you prefer.

  • Configure Made4Flow to send via Actions

Within the Anti-DDoS Module, you can access the menu: Actions and Responses and configure the response to send the Blackhole with the correct BGP community:

  • Configure the Router to Send to Carriers

To configure to send to operators/upstreams you need to configure so that the BGP community is identified in the if-match of the outgoing Route-policy.

For this we need to configure an ip community-filter

The next step is to configure the Route-policy of your operator/upstream, as in sending the blackhole, but now matching the community in the if-match, as in our configuration:

To check if you are sending the announcement to the operator use the commands:

Check if you receive from Made4Flow

Command: display bgp routing-table peer received-routes

And if you are sending to the operator:

Command: display bgp routing-table peer advertised-route

Having made these settings, the automation of Made4Flow is ready. Upon receiving an attack, Made4Flow can now send this route to Blackhole.

To make it easier, we have the video below, showing in practice how to configure the Huawei Router with Blackhole.

If you have any questions, do not hesitate to contact us via WhatsApp, Social Media or E-mail.

See you next time!