BGP Blackholing

Border Gateway Protocol (BGP) Blackholing enables Public Peering members to instruct BIX.BG to drop traffic destined to a specified prefix (a single IP address or a network) by signaling it in a BGP4 announcement over the sessions they already have with the Route Servers (RS).

BGP Blackholing is used during large DDoS attacks that overload members' networks and disrupt their normal operation.

Dropping the packets destined to the blackholed host or network inside the BIX.BG network relieves the member's network and lets the resources that are neither under attack nor blocked keep operating normally.

Implementation:

Blocking is implemented at the packet forwarding layer, so BGP Blackholing works regardless of whether members use the Route Servers or establish private BGP sessions.

The block is applied outbound, on the port or ports of the member that made the BGP Blackholing announcement. There is therefore no risk that an incorrect announcement by one member will block traffic to another member, regardless of whether the announcement is valid according to RIR/RPKI data.

The blocking only affects Public Peering and does not affect P2P Private VLAN and other services.

There is no specific limit on the number of BGP Blackholing announcements the Route Servers will accept; they are counted like any other announcement. A large number of them is not recommended, because the max-prefix limit configured on the Route Servers may be reached, which will cause the BGP session to drop.

Received Blackholing announcements are not re-announced to other members, resulting in the following benefits:

  • The operation of BGP Blackholing does not depend on other members accepting prefixes more specific than /24 (the usual practice is not to accept them for IPv4).
  • BGP Blackholing announcements do not increase the number of prefixes members normally receive, which could otherwise push them past their max-prefix limits and drop their BGP sessions completely.

Activation:

To block traffic to a prefix, mark it with BGP Community 65535:666. The prefix length restrictions are:
- IPv4: /25 or more specific (up to /32);
- IPv6: /49 or more specific (up to /128).
Announcing to only one Route Server is sufficient. Announcements that do not meet the above conditions are ignored.
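The following is an added pre-flight check, not BIX.BG's own code or tooling. It mirrors the acceptance rules stated above (community 65535:666, IPv4 /25 to /32, IPv6 /49 to /128) so an operator can validate a candidate announcement before sending it to a Route Server, and it also reports how many prefixes would be in the session afterwards against an operator-supplied max-prefix value, which addresses the caveat in the Implementation section. The sample prefixes, communities and the max-prefix value are constructed for illustration; the code does not speak BGP itself.

```python
"""Pre-flight validation of BGP Blackholing announcements to an IXP route server.

Added example: checks a candidate announcement against the rules documented
on this page (community 65535:666, IPv4 /25-/32, IPv6 /49-/128) and reports
max-prefix headroom. Not BIX.BG code; it only validates, it does not announce.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Community documented on this page; it is also the RFC 7999 BLACKHOLE community.
BLACKHOLE_COMMUNITY = "65535:666"

# (minimum, maximum) prefix length accepted per address family, from the page.
LENGTH_LIMITS = {4: (25, 32), 6: (49, 128)}


def check_blackhole_announcement(prefix: str, communities: Iterable[str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one candidate blackhole announcement.

    `prefix` is a CIDR string; `communities` are standard communities in
    "ASN:value" form attached to the announcement. strict=True rejects
    prefixes with host bits set, a common operator typo (e.g. 203.0.113.5/25).
    """
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"invalid prefix: {exc}"

    if BLACKHOLE_COMMUNITY not in set(communities):
        # Without the community the route server treats it as an ordinary route.
        return False, f"missing community {BLACKHOLE_COMMUNITY}; would be a normal announcement"

    lo, hi = LENGTH_LIMITS[net.version]
    if not lo <= net.prefixlen <= hi:
        # Outside the documented window the route server silently ignores it.
        return False, f"IPv{net.version} length /{net.prefixlen} outside /{lo}-/{hi}; ignored"

    return True, f"accepted: traffic to {net} dropped towards the announcing member's ports"


def plan_announcements(candidates: List[Tuple[str, List[str]]],
                       prefixes_already_announced: int,
                       max_prefix_limit: int) -> Dict[str, object]:
    """Validate a batch and compute max-prefix headroom after adding the accepted ones.

    `max_prefix_limit` is whatever the route server enforces on this session;
    the page does not state a value, so it is supplied by the operator.
    """
    accepted, rejected = [], []
    for prefix, comms in candidates:
        ok, reason = check_blackhole_announcement(prefix, comms)
        (accepted if ok else rejected).append((prefix, reason))
    total = prefixes_already_announced + len(accepted)
    return {
        "accepted": accepted,
        "rejected": rejected,
        "total_after": total,
        "headroom": max_prefix_limit - total,
        "session_at_risk": total >= max_prefix_limit,
    }


if __name__ == "__main__":
    # Constructed sample: one host under attack (v4 and v6), plus two typical mistakes.
    sample = [
        ("203.0.113.5/32", ["65535:666"]),
        ("2001:db8:0:1::1/128", ["65535:666"]),
        ("203.0.113.0/24", ["65535:666"]),   # too short for IPv4 blackholing
        ("198.51.100.7/32", ["64496:100"]),  # blackhole community missing
    ]
    # Constructed values: 40 prefixes already announced, limit of 50 on the session.
    report = plan_announcements(sample, prefixes_already_announced=40, max_prefix_limit=50)
    for item in report["accepted"] + report["rejected"]:
        print(*item, sep="  ->  ")
    print(f"prefixes after update: {report['total_after']}, headroom: {report['headroom']}")
```

Run it before pushing the announcement from the router; the rejected list names the rule each candidate would fail, and a non-positive headroom means the session would hit the max-prefix limit and drop, taking every other announcement with it.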