What is ddos-blackhole?

DDoS Blackhole⁠ is a real-time distributed denial of service (DDoS) detection and mitigation tool. The software receives a continuous stream of telemetry from standard sFlow agents⁠ embedded in network devices, detects distributed denial of service attacks (DDoS), and pushes BGP remote triggered blackhole messages to block the attack upstream.

How to use this image

docker run --net=host sflow/ddos-blackhole -Dddos_blackhole.router=<ip> -Dddos_blackhole.as=<ASN>

Access web user interface on port 8008. Configure routers/switches to send sFlow to UDP port 6343. Configure router BGP session to connect on port 1179 (host network privileges are need to establish the BGP connection).

docker run -p 6343:6343/udp -p 8008:8008 sflow/ddos-blackhole

Monitor without BGP and automated mitigation.

The software can be fully configured using -D startup parameters. A configuration file makes it easier to manage a large number of startup settings.

ddos_blackhole.router=<ip>
ddos_blackhole.as=<ASN>
ddos_blackhole.threshold=500000
ddos_blackhole.blockminutes=180
ddos_blackhole.actions=automatic
ddos_blackhole.group.exclude=<CIDR>,<CIDR>
ddos_blackhole.group.servers=<CIDR>
ddos_blackhole.syslog.host=<ip>

The above, ddos.conf file, provides an example.

docker run --net=host \
-v $PWD/ddos.conf:/sflow-rt/ddos.conf \
sflow/ddos-blackhole -Dsystem.propertyFiles=ddos.conf

Run image using configuration file. Application settings are documented in the help table in the web user interface.

See sflow/sflow-rt for additional settings available in the base image.

License

Please read and accept the License Agreement⁠ before downloading this software.