Blackhole routing (also called blackhole filtering) is a countermeasure used to blunt a DDoS attack. Traffic for the attacked destination is routed into a 'black hole', a null interface on the router where it is silently discarded.
If you remember the 1979 movie “The Black Hole”, the idea of things going in and never coming out was exactly what every character wanted to avoid. The term means the same thing in IP routing: a blackhole route is a destination from which nothing returns, so no traffic you care about should ever be sent into it.
DDoS blackhole routing, or blackholing, is a countermeasure that reduces the impact of a DDoS attack by steering unwanted traffic into a “blackhole” where it is discarded. Why is it needed? A distributed denial-of-service attack deliberately floods network links and hosts with unwanted traffic arriving from many sources at once, and that traffic has to be removed somewhere before it saturates the path to the target.
The main intention of a DDoS attack is to exhaust the computational resources of a remote target, such as bandwidth, CPU, memory and connection state, so that the service becomes unavailable to legitimate users. Saturated links and CPUs pinned at 100% are the typical symptoms. Dropping the attack traffic into a blackhole is therefore an effective countermeasure. A blackhole route can match on the destination address or, combined with unicast reverse path forwarding (uRPF), on the source address; the most commonly deployed form is destination-based remotely triggered black hole (RTBH) filtering, which drops everything addressed to the attacked host.
DDoS traffic should be diverted and dropped as close to where it enters the network as possible, ideally near the source, before it consumes the links leading to the target. As noted above, the most common technique is destination-based RTBH filtering. For instance, suppose a DDoS attack is launched against a web server with IP address 22.214.171.124.
When the customer asks the ISP to filter the attack, the operator creates a static route for the target address 22.214.171.124/32 pointing to the Null0 interface on a dedicated trigger router. That static route is redistributed into iBGP and advertised from the trigger router to the provider-edge (PE) routers with the next hop rewritten to 192.0.2.1, an address that every PE already has statically routed to Null0. When a PE resolves the next hop for 22.214.171.124/32 it lands on that null route, so all traffic to the target is dropped at the edge where it enters the network. Because of longest-prefix matching the /32 takes precedence over the customer's wider prefix, and only the attacked address is affected. When the DDoS attack is over, the static route for 22.214.171.124/32 is removed from the trigger router, the prefix is withdrawn from the iBGP sessions, and traffic to the server flows normally again.
Undoubtedly, anything you send into the black hole is gone for good, so a blackhole route must cover only the traffic you actually intend to lose. The multi-hour YouTube outage of February 2008 is the classic example of getting this wrong: Pakistan Telecom announced a more specific prefix covering YouTube's address space in order to null-route it domestically, and that announcement leaked to its upstream provider and propagated worldwide over BGP (Border Gateway Protocol, the protocol spoken between providers, not iBGP as is sometimes stated), so much of the internet sent its YouTube traffic into that null route.
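The RTBH procedure described above (trigger router, iBGP advertisement with next hop 192.0.2.1, PE routers resolving that next hop to Null0, withdrawal after the attack) and the leak failure mode behind the YouTube incident, as an added example in Python that is not part of the original article and not any vendor's code. It is a toy model of a routing table: longest-prefix-match forwarding, recursive next-hop resolution, iBGP versus eBGP propagation rules, and the NO_EXPORT community keeping the blackhole route inside the AS. The topologies, link names and RFC 5737 documentation addresses (203.0.113.10 stands in for the article's 22.214.171.124) are constructed for the example; the 192.0.2.1 discard next hop is the one the article uses.

```python
"""Toy model of destination-based remotely triggered black hole (RTBH) routing.
Added example, not the article's own code: longest-prefix-match forwarding,
recursive next-hop resolution to Null0, iBGP propagation from a trigger router,
and the leak that happens when a blackhole route escapes into eBGP."""
import ipaddress
from dataclasses import dataclass

NULL0 = "Null0"                                  # discard interface
NO_EXPORT = "no-export"                          # well-known BGP community (RFC 1997)
DISCARD_NH = ipaddress.ip_address("192.0.2.1")   # next hop every PE routes to Null0


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: object            # IPv4Address (resolved recursively), NULL0, or a link name
    communities: frozenset = frozenset()


class Router:
    def __init__(self, name):
        self.name = name
        self.rib = {}           # prefix -> Route
        self.peers = {}         # Router -> True for eBGP, False for iBGP

    def peer(self, other, ebgp):
        self.peers[other] = ebgp
        other.peers[self] = ebgp

    def originate(self, prefix, next_hop, communities=(), advertise=True):
        """Install a static route; redistribute it into BGP unless advertise=False."""
        net = ipaddress.ip_network(prefix)
        self.rib[net] = Route(net, next_hop, frozenset(communities))
        if advertise:
            self._propagate(self.rib[net], source=None)

    def withdraw(self, prefix, source=None):
        if self.rib.pop(ipaddress.ip_network(prefix), None) is not None:
            for peer in self.peers:
                if peer is not source:
                    peer.withdraw(prefix, source=self)

    def _propagate(self, route, source):
        from_ibgp = source is not None and not self.peers[source]
        for peer, ebgp in self.peers.items():
            if peer is source or (from_ibgp and not ebgp):   # iBGP is not re-sent over iBGP
                continue
            if ebgp and NO_EXPORT in route.communities:      # NO_EXPORT keeps it in the AS
                continue
            # iBGP carries the next hop unchanged (so 192.0.2.1 resolves on each PE); eBGP rewrites it
            nh = self.name if ebgp else route.next_hop
            peer._learn(Route(route.prefix, nh, route.communities), source=self)

    def _learn(self, route, source):
        self.rib[route.prefix] = route
        self._propagate(route, source)

    def lookup(self, dst, depth=0):
        """Forwarding decision: longest prefix match, then recursive next-hop resolution."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.rib.values() if addr in r.prefix]
        if not matches or depth > 8:
            return "unroutable"
        best = max(matches, key=lambda r: r.prefix.prefixlen)
        if best.next_hop == NULL0:
            return "drop"
        if isinstance(best.next_hop, ipaddress.IPv4Address):
            return self.lookup(best.next_hop, depth + 1)
        return f"forward:{best.next_hop}"


def rtbh_scenario(target="203.0.113.10"):
    """A customer asks its ISP to blackhole a web server under DDoS (constructed topology)."""
    trigger, pe, upstream = Router("trigger"), Router("pe"), Router("upstream")
    trigger.peer(pe, ebgp=False)
    pe.peer(upstream, ebgp=True)
    pe.originate("192.0.2.1/32", NULL0, advertise=False)   # preprovisioned on every PE
    pe.originate("203.0.113.0/24", "customer-link")        # the customer's address block
    result = {"before": pe.lookup(target)}
    trigger.originate(f"{target}/32", DISCARD_NH, {NO_EXPORT})   # the trigger
    result["during"] = pe.lookup(target)
    result["other_host"] = pe.lookup("203.0.113.20")       # rest of the /24 unaffected
    result["upstream_has_32"] = ipaddress.ip_network(f"{target}/32") in upstream.rib
    result["upstream"] = upstream.lookup(target)
    trigger.withdraw(f"{target}/32")                        # attack over: pull the route
    result["after"] = pe.lookup(target)
    return result


def leak_scenario(keep_inside_as):
    """An ISP nulls an address it does not own; the 2008 YouTube incident had this shape."""
    owner, internet, isp = Router("owner"), Router("internet"), Router("isp")
    owner.peer(internet, ebgp=True)
    isp.peer(internet, ebgp=True)
    owner.originate("203.0.113.0/24", "owner-servers")
    isp.originate("203.0.113.10/32", NULL0, {NO_EXPORT} if keep_inside_as else ())
    return internet.lookup("203.0.113.10"), isp.lookup("203.0.113.10")
```

`rtbh_scenario()` shows the PE forwarding the target normally, dropping it once the trigger's /32 arrives over iBGP while the neighbouring host in the same /24 is unaffected, and forwarding again after the withdrawal; the upstream never learns the /32 because of NO_EXPORT. `leak_scenario(False)` shows the YouTube shape: once the more specific /32 reaches the eBGP peer, the rest of the world prefers it by longest prefix and sends the traffic to the ISP that nulls it. On Cisco IOS the PE-side prerequisite in this model is the static `ip route 192.0.2.1 255.255.255.255 Null0`; the model omits BGP path selection beyond longest-prefix match.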
Blackhole routing drops all traffic to the target for the duration of an attack, whether a DDoS or a worm outbreak, and is often the quickest way to limit downtime for the rest of the network. Compared with an access control list (ACL), a null route is handled in the router's forwarding path (CEF on a Cisco router), so it can sink the same traffic with far less impact on the router's own performance.
The reason to prefer a blackhole route over an ACL is cost: an ACL that matches and drops the same traffic is evaluated per packet in the Cisco IOS order of operations and consumes more processing power, and it has to be configured on every router separately, whereas a single route redistributed through iBGP reaches every PE at once.
The optimistic picture painted in the previous sections has a flip side. Blackholing is a perfectly good way to send unwanted traffic down the drain, provided the intent really is to eliminate all of it: a destination-based blackhole drops legitimate traffic to the target along with the attack, so it completes the denial of service for that one address in exchange for protecting everything around it. And a small mistake in what you send into the black hole, as in the YouTube case, can cost your company real money and a damaged reputation with a wide range of potential customers.