AS286 sBH/erBH

AS286/KPN International was taken over by AS3257/GTT in December 2019. AS286 will be integrated into / migrated to 3257 and fade away. Therefore some of the information found on these pages might be outdated / obsolete.

The hereby described communities may be adjusted, altered and updated any time. Even our processes cover updates to documentation, there's no guarantee, that it's always up-to-date. In case of doubt, transit customers should contact our NOC and peers should contact peering@as286.net.

selective BlackHole "sBH" / extended regional BH "erBH" (transit customers only)

With KPN's standard blackhole community 286:66 (or IETF's 65535:666), all traffic towards the tagged prefix is blackholed / discarded everywhere (even on the PE the customer is connected to), which basically takes the host "offline".

KPN's sBH/erBH communities allow you to blackhole traffic towards a tagged prefix on just some part of KPN's network. As quite often attacks originate from a specific region or do enter KPN's network at only limited places, sBH/erBH communities might help you to keep a certain level of connectivity while still blocking (D)DOS attacks against a certain IP.

A simple example: A customer connected in The Netherlands is being (D)DOS and the (D)DOS traffic enters KPN's network in the US. With sBH/erBH communities you can "instruct" KPN's network to only blackhole traffic towards the target in the US, while European traffic is still forwarded.
Taking this a step further: if above attack enters KPN's network in just two of the US locations, you can even enable normal traffic forwarding for all the other KPN PoPs in the US.

sBH/erBH used initially a "reverse" logic: you instruct KPN's network to blackhole "around" your connection (everywhere except the PE you are connected, except the PoP, the city, the country or continent); to enable again traffic flow for PoPs, cities, countries or continents which fall under the "to-be-blackholed" locations, you can whitelist PoPs, cities, countries or continents.
sBH/erBH is supporting blackholing specific PoPs as well, which eases blackholing in cases, where just a few PoPs needs to be blachholed. Whitelisting however will always take precedence over blacklisting. As such you can't e.g. blackhole a around the PoP you are connected to, whitelist a country and blacklist again a PoP in that country at the same time.
sBH/erBH does never blackhole traffic on the PE you are connected to (otherwise whitelisting wouldn't make much sense). The standard 286:66 (65535:666) total blackhole does this.
286:66 (65535:666) wins over all sBH/erBH communities.
Be aware, that we do drop announcements with too many communities attached, so carefully consider your settings.
Traffic will be forwarded through countries which are blackholing the prefix. E.g. if you mark your prefix to be er-blackholed everywhere, but whitelist it for the US, you should still receive US traffic even if you are connected outside the US, e.g. NL.
sBH/erBH tagged announcements will NEVER be announced to external parties and eventually be not even distributed everywhere in AS286. Thus there should be always a less specific "normal" announcement.
(Updated 20161222: before sBH/erBH tagged prefixes had been only internally distributed to PEs supposed to blackhole; now it's being internally distributed as well to more (but not all) PEs and -depending on the used communities- with the discard action or the normal "forward" information).
It might take a while to identify the source or sources of traffic. Best approach is to start with er blackholing all. If traffic comes still in, another party connected to the same PE is sending / participating in this DOS and the only thing you can do without further help of our NOC is to use 286:66 (65535:666). However, if traffic goes down, start enlarging the radius (e.g. allow site, city, country, continent traffic) to be forwarded again. Starting with whitelisting continents might give you a faster result ...
We can assist you with identifying the PoPs/PEs, where traffic targeted to you is entering our network ... (we are planning to make this information directly available to you on our KPNCare portal in 2016 or 2026 ...).
This feature is only available to "in-band" signaling (on your normal transit session). Sessions to the dedicated BlackHole device of KPN do only support a 286:66 (65535:666) style blackholing. If you are interested in getting this feature enabled there, please let us know.
There are some very, very rare exceptions, in which the blackholed location is slightly "larger" than expected ... but this effects estimated less than 0.0001% of all traffic.
You might also want to have a look on rtsdCoS as alternative, softer than blackholing, option: https://as286.net/AS286-rtsdCoS.html

You must at least tag your prefix with one of the following triggers. If not, your announcement will be just treated like every other announcements.

(Just to document 286:6666, which will show up on sBH/erBH announced routes: 286:6666 is "all except PE"; 286:666[1-4] are just aliases to 286:6666 + WL whatever is needed.)

Attach one or more of the following communities to whitelist (WL) PEs in PoPs, cities countries and continents, which would blackhole traffic based on your chosen trigger or to just explicitly list PoPs you want to blackhole (BL).
Again: whitelisting takes precendence over blackholing!

286:6660	blackhole everywhere except: on the PE your are connected to
286:6661	blackhole everywhere except: PE connected and all other PEs on/in this site/PoP
286:6662	blackhole everywhere except: PE connected and all other PEs in the city
286:6663	blackhole everywhere except: PE connected and all other PEs in this country
286:6664	blackhole everywhere except: PE connected and all other PEs on this continent
286:6665	blackhole only in the explicitly (286:62xx) listed PoPs - Whitelisting will still be considered (but hardly makes sense ;-)

WL continent	WL country	WL city	WL PoP	BL PoP
286:6990 Europe	286:6900 Austria	286:6700 Vienna	286:6000 wien-s1	286:6200 wien-s1
	286:6901 Belgium	286:6701 Antwerpen	286:6001 ant-s1	286:6201 ant-s1
		286:6702 Brussels	286:6002 zvtm-s1	286:6202 zvtm-s1
		286:6702 Brussels	286:6003 zvtm-s4	286:6203 zvtm-s4
	286:6902 Switzerland	286:6703 Geneve	286:6004 gnve-s1	286:6204 gnve-s1
	286:6902 Switzerland	286:6704 Zürich	286:6005 zrch-s1	286:6205 zrch-s1
	286:6904 Czech Republic	286:6706 Prague	286:6007 pra-s1	286:6207 pra-s1
	286:6905 Germany	286:6707 Berlin	286:6008 blnb-s1	286:6208 blnb-s1
		286:6707 Berlin	286:6009 blnb-s3	286:6209 blnb-s3
		286:6708 Barleben	286:6010 brlb-s1	286:6210 brlb-s1
		286:6709 Bremen	286:6011 brm-s1	286:6211 brm-s1
		286:6710 Düsseldorf	286:6012 dssd-s2	286:6212 dssd-s2
		286:6710 Düsseldorf	286:6013 dssd-s3	286:6213 dssd-s3
		286:6711 Frankfurt am Main	286:6014 ffm-s1	286:6214 ffm-s1
			286:6015 ffm-s2	286:6215 ffm-s2
			286:6016 ffm-s6	286:6216 ffm-s6
			286:6017 ffm-s7	286:6217 ffm-s7
		286:6712 Hamburg	286:6018 hmb-s2	286:6218 hmb-s2
		286:6712 Hamburg	286:6019 hmb-s3	286:6219 hmb-s3
		286:6713 Hannover	286:6020 hnvr-s1	286:6220 hnvr-s1
		286:6714 Kehl	286:6021 kehl-s2	286:6221 kehl-s2
		286:6715 Cologne	286:6022 koln-s1	286:6222 koln-s1
		286:6716 Karlsruhe	286:6023 ksrh-s1	286:6223 ksrh-s1
		286:6717 Leipzig	286:6024 lzg-s1	286:6224 lzg-s1
		286:6718 Munich	286:6025 mchn-s1	286:6225 mchn-s1
		286:6719 Nürnberg	286:6027 nbg-s1	286:6227 nbg-s1
		286:6720 Stuttgart	286:6028 stgt-s1	286:6228 stgt-s1
	286:6906 Denmark	286:6721 Copenhagen	286:6029 kbhv-s1	286:6229 kbhv-s1
	286:6907 Espania	286:6722 Barcelona	286:6030 bcln-s1	286:6230 bcln-s1
	286:6907 Espania	286:6723 Madrid	286:6031 mdd-s2	286:6231 mdd-s2
	286:6908 Finland	286:6724 Helsinki	286:6032 hski-s1	286:6232 hski-s1
	286:6909 France	286:6725 Nanterre	286:6033 nntr-s1	286:6233 nntr-s1
		286:6726 Paris	286:6034 prs-s4	286:6234 prs-s4
		286:6727 Saint Denis	286:6035 sdns-s1	286:6235 sdns-s1
	286:6911 Ireland	286:6728 Dublin	286:6036 dbln-s2	286:6236 dbln-s2
	286:6912 Italy	286:6729 Milan	286:6037 mla-s1	286:6237 mla-s1
	286:6913 Luxemburg	286:6730 Bettembourg	286:6038 bmbg-s1	286:6238 bmbg-s1
	286:6914 Netherlands	286:6731 Almere	286:6039 alr-s1	286:6239 alr-s1
		286:6732 Amsterdam	286:6040 asd2	286:6240 asd2
			286:6041 asd-s14	286:6241 asd-s14
			286:6042 asd-s15	286:6242 asd-s15
			286:6043 asd-s16	286:6243 asd-s16
			286:6044 asd-s17	286:6244 asd-s17
			286:6045 asd-s4	286:6245 asd-s4
			286:6046 asd-s5	286:6246 asd-s5
			286:6047 asd-s6	286:6247 asd-s6
			286:6048 asd-s7	286:6248 asd-s7
			286:6049 asd-s8	286:6249 asd-s8
		286:6733 Aalsmeer	286:6050 asmr-s1	286:6250 asmr-s1
		286:6734 Bura	286:6051 bura	286:6251 bura
		286:6734 Bura	286:6052 bura2	286:6252 bura2
		286:6735 Haarlem	286:6053 hlm-s1	286:6253 hlm-s1
		286:6736 Oude Meer	286:6054 oudmr-s1	286:6254 oudmr-s1
		286:6737 Rotterdam	286:6055 rt2	286:6255 rt2
	286:6915 Norway	286:6738 Oslo	286:6056 oslo-s1	286:6256 oslo-s1
	286:6916 Poland	286:6739 Warsaw	286:6057 wsw-s1	286:6257 wsw-s1
	286:6919 Sweden	286:6740 Stockholm	286:6058 sthm-s1	286:6258 sthm-s1
	286:6919 Sweden	286:6740 Stockholm	286:6059 sthm-s2	286:6259 sthm-s2
	286:6921 Slovakia	286:6741 Bratislava	286:6060 brlv-s1	286:6260 brlv-s1
	286:6923 United Kingdom	286:6744 London	286:6063 ldn-s1	286:6263 ldn-s1
			286:6064 ldn-s10	286:6264 ldn-s10
			286:6065 ldn-s2	286:6265 ldn-s2
			286:6066 ldn-s3	286:6266 ldn-s3
		286:6745 Manchester	286:6067 mchr-s1	286:6267 mchr-s1
286:6746 Runcorn		286:6068 rncn-s1	286:6268 rncn-s1
286:6991 North America	286:6924 United States	286:6747 Ashburn	286:6069 ahbn-s1	286:6269 ahbn-s1
		286:6748 Chicago	286:6070 chg-s1	286:6270 chg-s1
		286:6749 Dallas	286:6071 dlls-s1	286:6271 dlls-s1
		286:6750 Los Angeles	286:6072 lags-s1	286:6272 lags-s1
		286:6751 Miami	286:6073 miaf-s1	286:6273 miaf-s1
		286:6752 New York	286:6074 nyk-s1	286:6274 nyk-s1
		286:6752 New York	286:6075 nyk-s2	286:6275 nyk-s2
		286:6753 San Jose	286:6076 sjca-s1	286:6276 sjca-s1
286:6993 Asia	286:6903 China	286:6705 Hong Kong	286:6006 honk-s2	286:6206 honk-s2
	286:6922 Turkey	286:6742 Ankara	286:6061 ankr-s1	286:6261 ankr-s1
		286:6754 Gebze	286:6077 gbze-s1	286:6277 gbze-s1
		286:6743 Istanbul	286:6062 itb-s3	286:6262 itb-s3