Now that you know it’s a blackhole (if you still know, check out our article on RTBH – Blackhole). Now it’s time to configure it and be able to protect yourself from DDoS attacks.

To summarize the Blackhole, it is a technique of sending a route to the “black hole” or simply making the router discard packets directed to that IP. With the blackhole you can also announce these attacked IPs to your suppliers/upstreams and thus stop the attacks.

Now that I know what, now comes the question how to blackhole my router? In today’s article we will show you how to configure Blackhole on Juniper Routers
To do the Blackhole manually we have some steps that are:

  1. Identify the attacked IP
  2. Create route to blackhole
  3. Advertise this blackhole route via BGP to your carriers/upstreams

You can automate all of this with Made4Flow, already closing a direct session and not having to do manual work.
If you want to know how to automate everything with Made4Flow, check out our next article.

Let’s go to the settings then

1 – Identify the attacked IP

You can do this through Netflow analysis, as in Made4Flow, through the graphs and identify through the Raw Data Report, which IP has the most traffic and possibly being the victim of the attack.

Within Made4Flow, access for example the Interface Graph by Application and then, clicking on the most used port, you can identify which IP is being attacked

Or through Made4Flow, simply by accessing the Anti-DDoS module -> Active Anomalies

The attacked IP was: (Example)

2) Create a route to Discard (Blackhole)

After identifying the attacked IP via Made4Flow it is now time to create the route in your Juniper Router to effectively play the IP to Blackhole or Discard

Let’s assume that the attacked IP is, let’s create the route as follows

Applied commands:

set routing-options static route discard
commit and-quit

After applying the route pointing to Discard that IP will STOP WORKING!

You can check the route using the show command:

If the route is showing as Discard, you are already sending it to Blackhole

3 – Announce the IP in blackhole via BGP to your operators/upstreams

After identifying and blackhole the route you need to advertise via BGP to your operators/upstreams.

Before configuration, it is always recommended to talk to your Operator/Upstream to find out which Blackhole BGP community is.

The BGP session with your carrier needs to be established.

For this we have a few steps:

  1. Configure your Carrier/Upstream Blackhole Community

To configure the blackhole community so that it can be used later, we need to run the following command:

set policy-options community cm_blackhole_operadora_XPTO members 666:666
commit and-quit

If it is necessary to add more communities, apply the same command changing the community name and number

Tip: Talk to your operator to find out which BGP blackhole community they use

  1. Configure the policy-statement to Accept Blackole

To configure the sending of Blackhole in the policy-statement, you must first identify the policy used in the BGP session with the Operator and then configure to accept the Blackhole Route within a term

In our example, where the IP is attacked, we will use the following command:

Edit the policy:

Create a new term already with the attacked IP:

Next step is to accept the route within this term

Next step is to add the previously created community

Next step is to change the order of the policy, so that the term containing the blackhole route is at the top as possible, we will use the insert command

We can validate with the show command that the configuration is correct:

All commands used:

configure exclusive
edit policy-options policy-statement OPERADORA-XPTO-OUT
set term IP-ATACADO from route-filter exact
set term IP-ATACADO then accept
set term IP-ATACADO then community set cm_blackhole_operadora_XPTO
insert term IP-ATACADO before term MEU-BLOCO
commit and-quit

You can validate if you are advertising the route using the command show route advertising-protocol bgp

Once this is done, the IP will remain in blackhole and announced to your operator, the attack will cease if it goes to this single IP.

The complete configuration looked like this:

routing-options {
static {
route discard;
route discard;
autonomous-system 65000;
protocols {
bgp {
neighbor {
description OPERADORA-XPTO;
peer-as 64700;
policy-options {
policy-statement OPERADORA-XPTO-OUT {
from {
route-filter exact;
then {
community set cm_blackhole_operadora_XPTO;
term MEU-BLOCO {
from {
route-filter exact;
then accept;
then reject;
community cm_blackhole_operadora_XPTO members 666:666; }

Automating with Made4Flow

With Made4Flow it is possible to automate the blackhole announcement process of attacked IPs.

For that we need:

  • Configure BGP session between Edge Router and Made4Flow

To configure the BGP session between the Router and Made4Flow, you need to create a Policy and then the BGP session

To configure policy, use the commands

Commands used:
edit policy-options policy-statement MADE4FLOW-IN
set then next-hop discard
set then accept
commit and-quit

In this case we are also already added Next-hop manually in the router.

Within Made4Flow, you can already advertise with the correct BGP and Next-hop community if you prefer.

Configure the BGP session with Made4Flow, in our case we are going to use an iBGP, with the following configurations in the Juniper Router

Commands used:

set policy-options policy-statement EXPLICITY-DENY then reject
edit protocols bgp group MADE4FLOW
set type internal
set import MADE4FLOW-IN
set peer-as 65000
set neighbor description “Made4Flow – Blackhole automatizado”
commit and-quit

Tip: remember to delete the blackhole routes manually, in our example: delete routing-options static route

  • Configure Made4Flow to send via Actions

Within the Anti-DDoS Module, you can access the menu: Actions and Responses and configure the response to send the Blackhole with the correct BGP community:

Configure the Router to Send to Carriers

To configure to send to the operators/upstreams you need to configure a BGP community to be used in the term of the Policy with the Operator.

For this we need to set up a community

Comando: set policy-options community cm_blackhole_Made4Flow members 666:666

The next step is to configure your operator/upstream Policy, as in sending the blackhole, but now matching the community in the Term, as in our configuration:


edit policy-options policy-statement OPERADORA-XPTO-OUT
set term BLACKHOLE-MADE4FLOW from community cm_blackhole_Made4Flow
set term BLACKHOLE-MADE4FLOW then accept
set term BLACKHOLE-MADE4FLOW then community set cm_blackhole_operadora_XPTO
insert term BLACKHOLE-MADE4FLOW before term MEU-BLOCO
commit and-quit

To check if you are sending the announcement to the operator use the commands:

Check if you receive from Made4Flow

Comando: show route receive-protocol bgp

And if you are sending to the operator:

Comando: show route advertising-protocol bgp

Having made these settings, the automation of Made4Flow is ready. Upon receiving an attack, Made4Flow can now send this route to Blackhole.

To make it easier, we have the video below, showing in practice how to configure the Juniper Router with Blackhole.

If you have any questions, do not hesitate to contact us via WhatsApp, Social Media or E-mail.

See you next time!