
BGP Blackholing Explained: Network-Edge Threat Mitigation

One of ThreatChain's most powerful features is BGP blackhole routing — the ability to push threat blocks to the network edge so malicious traffic is dropped before it even reaches your servers. This post explains how it works.

What Is BGP Blackholing?

BGP (Border Gateway Protocol) is the protocol that routes traffic across the internet. BGP blackholing, formally known as RTBH (Remotely Triggered Black Hole) routing, is a technique where you announce a route for a malicious IP with a special community tag that tells upstream routers to drop all traffic to/from that IP.

It's the nuclear option in network security — and it works at line rate with zero CPU overhead on your servers.

How ThreatChain Implements It

Our BGP implementation runs on the seed node (setec-1) using BIRD 2 with AS64999:

                ThreatChain Blockchain
                        |
                        | severity: critical, action: blackhole
                        v
                BGP Injector Daemon
                        |
                        | writes /32 route to BIRD pipe
                        v
                BIRD 2 (AS64999)
                        |
                        | announces with community 64999:666
                        v
                WireGuard Tunnel (encrypted)
                        |
                        v
                Your Edge Router
                        |
                        | RTBH: null-route the IP
                        v
                Traffic dropped at network edge

The BGP Injector

The bgp_injector.py daemon polls the blockchain every 5 seconds, looking for threats with action: blackhole and severity: critical or high. For each qualifying threat, it writes a static route to a BIRD-monitored file:

route 203.0.113.45/32 blackhole;

BIRD detects the change, imports the route via its pipe protocol, and announces it to all configured BGP peers with the blackhole community (64999:666).

WireGuard Transport

BGP sessions run over WireGuard tunnels from our fd00:tc::/64 allocation. This means:

  • All BGP traffic is encrypted end-to-end
  • Sessions are authenticated by WireGuard's public key cryptography
  • No BGP session hijacking is possible over the encrypted tunnel

Route Lifecycle

When a threat expires (TTL) or is manually revoked on the blockchain, the injector removes the route from the BIRD file. BIRD withdraws the announcement, and your router removes the null route. Fully automated, fully reversible.
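As an added example (not ThreatChain's bgp_injector.py), here is a small Python version of the selection and lifecycle logic described in the sections above: it keeps only unrevoked, unexpired threats with action blackhole and severity critical or high, refuses to emit a route for anything that is not a single public IPv4 host (an assumed guardrail, since a bad record would null-route your own or someone else's prefix), and produces the BIRD 2 static-route lines. The record field names, the epoch-second timestamps and the sample records are constructed assumptions.

```python
import ipaddress

BLACKHOLE_SEVERITIES = {"critical", "high"}
# Guardrail (an assumption, not from the post): never null-route these prefixes.
# Extend the list with your own address space before deploying.
NEVER_BLACKHOLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

NOW = 1_700_000_000  # constructed "current time" in epoch seconds
THREATS = [          # constructed records; the field names are an assumption
    {"ip": "203.0.113.45", "action": "blackhole", "severity": "critical",
     "added": NOW - 300, "ttl": 3600, "revoked": False},   # qualifies
    {"ip": "198.51.100.7", "action": "blackhole", "severity": "high",
     "added": NOW - 7200, "ttl": 3600, "revoked": False},  # TTL expired
    {"ip": "192.0.2.9", "action": "blackhole", "severity": "critical",
     "added": NOW, "ttl": 3600, "revoked": True},          # manually revoked
    {"ip": "192.0.2.10", "action": "block", "severity": "critical",
     "added": NOW, "ttl": 3600, "revoked": False},         # nftables only
    {"ip": "10.0.0.5", "action": "blackhole", "severity": "critical",
     "added": NOW, "ttl": 3600, "revoked": False},         # guardrail rejects
    {"ip": "203.0.113.0/24", "action": "blackhole", "severity": "critical",
     "added": NOW, "ttl": 3600, "revoked": False},         # not a single host
]

def is_active(threat, now):
    """A route lives only while unrevoked and inside its TTL window."""
    return not threat["revoked"] and now < threat["added"] + threat["ttl"]

def routable_host(ip_text):
    """Return the IPv4Address of a single public host, or None if unsafe."""
    try:
        addr = ipaddress.ip_address(ip_text)  # a prefix like /24 raises here
    except ValueError:
        return None
    if addr.version != 4 or any(addr in net for net in NEVER_BLACKHOLE):
        return None
    return addr

def blackhole_routes(threats, now):
    """Sorted, de-duplicated BIRD static-route lines for qualifying threats."""
    lines = set()
    for t in threats:
        if (t["action"] == "blackhole" and t["severity"] in BLACKHOLE_SEVERITIES
                and is_active(t, now)):
            addr = routable_host(t["ip"])
            if addr is not None:
                lines.add(f"route {addr}/32 blackhole;")
    return sorted(lines)
```

Re-running blackhole_routes on each poll and writing the whole list gives you the withdrawal behaviour for free: a route that is no longer returned disappears from the file. Note that a blackhole route on the edge router drops packets destined to the address; dropping packets sourced from it as well requires loose-mode uRPF on that router (source-based RTBH).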

Why Not Just Use a Firewall?

Firewalls (nftables, iptables) work great at the host level. But they have limitations:

                        Firewall                  BGP Blackhole
  Where traffic drops   At the server             At the network edge
  CPU overhead          Per-packet processing     Zero (null route)
  DDoS protection       Limited by bandwidth      Drops before your link
  Scale                 Per-host rules            One announcement blocks everywhere

ThreatChain uses both — nftables for granular per-host blocking and BGP RTBH for critical threats that need network-edge mitigation.

Getting BGP Peering

BGP peering is available on our Professional ($299/mo) and Enterprise ($999/mo) plans. Here's the process:

  1. Submit a peering request from your portal with your ASN
  2. We provision a WireGuard tunnel and assign a tunnel IP
  3. You configure your router to accept our BGP announcements
  4. Critical threats are automatically blackholed at your network edge

Check our Services page for details, or contact us for enterprise pricing.
