Entity Tracking
- Blackhole Routing: A network defense technique that redirects unwanted traffic to a "black hole" (null interface) where it is discarded.
- DDoS (Distributed Denial of Service): A malicious attack that overwhelms a server or network with traffic to exhaust its resources and bandwidth.
- RTBH (Remote Triggered Blackhole): A specialized routing method used to drop undesirable traffic before it enters a protected network.
- BGP (Border Gateway Protocol): The standard protocol used to manage how data packets are routed across different networks on the internet.
- Null Route: A routing table entry that matches packets and drops them rather than forwarding them to a destination.
- Sinkholing: A mitigation technique that redirects traffic to a controlled environment to filter out malicious packets while allowing legitimate ones.
- DNSBL (DNS-based Blackhole List): A real-time list of IP addresses, often used for spam filtering, published through the Domain Name System.
- UDP (User Datagram Protocol): A connectionless protocol that does not notify the sender if data is dropped during blackhole routing.
- TCP (Transmission Control Protocol): A connection-oriented protocol that requires a handshake and will return a notification if data is dropped.
Blackhole routing is a network security countermeasure that redirects incoming traffic to a "null route" (a virtual void) where it is permanently discarded. It is often called blackhole filtering or blackholing. Organizations use this as a "nuclear option" to stop massive traffic surges from crashing an entire network.
What is blackhole routing?
In a standard network setup, routers receive data and forward it to the next destination. During a blackhole event, an administrator identifies a target IP address under attack and updates the routing table to send all traffic aimed at that address to a non-existent destination, such as the null0 interface.
The behavior of the "dropped" traffic depends on the protocol:
- Connectionless (UDP): The source receives no notification that the data was lost.
- Connection-oriented (TCP): Because these require a handshake, a notification is typically returned to the sender if data is dropped.
Why blackhole routing matters
Blackhole routing is a high-stakes tool because it does not distinguish between "good" and "bad" traffic. If implemented without specific restrictions, it drops every packet intended for the target.
- Network Stability: It prevents a DDoS attack from saturating internet ports or exhausting the bandwidth of an entire organization.
- Cost Efficiency: High-performance core routers can often handle null routing at higher speeds and with less performance impact than traditional firewalls.
- Protecting Peers: By discarding traffic at the edge, it prevents an attack from causing collateral damage to other sites on the same larger ISP network.
- Spam Mitigation: DNS-based blackhole lists help mail servers automatically reject messages from known malicious sources; the first such list was created in 1997 (Wikipedia).
How blackhole routing works
Administrators use several methods to trigger a black hole:
- Static Routing: An administrator manually configures a router to drop traffic from a specific IP address.
- BGP Advertising: Using the Border Gateway Protocol, a network "advertises" a blackhole route to other routers in the network, telling them to drop traffic for a specific target.
- Remote Triggered Blackhole (RTBH): This moves the filtering further away from the organization’s network border to the ISP level, stopping the attack before it reaches the target’s infrastructure. RTBH is formally defined in RFC 5635 (IETF).
- Flowspec BGP: A more granular version that allows administrators to target malicious traffic more narrowly, potentially sparing some legitimate traffic.
Types of blackhole routing
| Type | Function | Best For |
|---|---|---|
| Destination-based | Discards all packets headed to a specific target IP. | Protecting a network from a single-target DDoS. |
| Source-based | Discards all packets coming from a specific origin IP. | Blocking a known malicious actor or spam source. |
| DNS-based (DNSBL) | Checks a list of IPs known for spamming and blocks them. | Email server protection and spam reduction. |
| Virtual Audio Driver | A software-based loopback (like the "BlackHole" macOS driver). | Routing audio between apps with zero latency. |
Best practices
- Secure the rest of the network: Use blackhole routing for a small site within a larger network to ensure the attack does not take down the entire infrastructure.
- Use as a last resort: Only implement wide-scale blackholing when other mitigation tools fail, as it effectively completes the attacker's goal of making the site unreachable.
- Enable uRPF for source filtering: If you need to filter by source IP rather than destination, you must enable Unicast Reverse Path Forwarding (uRPF) in loose or strict mode.
- Limit the timeframe: Treat blackhole routes as temporary measures. Keeping a permanent null route for an address makes that IP permanently unusable.
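To make the triggering methods and the uRPF requirement above concrete, here is an added simulation (not vendor configuration or code from any project): a toy forwarding table in which a blackhole is simply a route whose next hop is the discard interface, and source-based dropping works because loose-mode uRPF rejects any source whose best route points at Null0. All addresses are constructed from the RFC 5737 documentation ranges, and the interface and peer names are placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

DISCARD = "null0"  # stands in for the router's Null0 discard interface


@dataclass
class Router:
    """Toy FIB: prefix -> next hop. A blackhole is a route whose next hop is Null0."""
    routes: dict = field(default_factory=dict)
    urpf_loose: bool = False  # loose-mode uRPF, required for source-based dropping

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def blackhole(self, prefix: str) -> None:
        # Static or RTBH trigger: point the prefix at the discard interface.
        self.add_route(prefix, DISCARD)

    def lookup(self, addr: str):
        # Longest-prefix match; None means the table has no route at all.
        ip = ipaddress.ip_address(addr)
        matches = [n for n in self.routes if ip in n]
        return self.routes[max(matches, key=lambda n: n.prefixlen)] if matches else None

    def forward(self, src: str, dst: str) -> str:
        if self.urpf_loose:
            # Loose uRPF: the source must have a route, and not one to Null0.
            via = self.lookup(src)
            if via is None or via == DISCARD:
                return "drop:urpf"
        nh = self.lookup(dst)
        if nh is None:
            return "drop:no-route"
        return "drop:blackhole" if nh == DISCARD else f"forward:{nh}"


def demo() -> dict:
    """Constructed scenario: destination-based, then source-based, blackholing."""
    edge = Router(urpf_loose=True)
    edge.add_route("198.51.100.0/24", "eth1")    # protected customer network (placeholder)
    edge.add_route("203.0.113.0/24", "peer-a")   # upstream peer (placeholder)
    before = edge.forward("203.0.113.7", "198.51.100.10")
    edge.blackhole("198.51.100.10/32")           # destination-based: only the targeted host
    victim = edge.forward("203.0.113.7", "198.51.100.10")
    neighbour = edge.forward("203.0.113.7", "198.51.100.11")   # rest of the /24 unaffected
    edge.blackhole("203.0.113.7/32")             # source-based: drops via the uRPF check
    from_blocked = edge.forward("203.0.113.7", "198.51.100.11")
    from_other = edge.forward("203.0.113.8", "198.51.100.11")
    return {"before": before, "victim": victim, "neighbour": neighbour,
            "from_blocked": from_blocked, "from_other": from_other}
```

Note that the source-based drop happens only because `urpf_loose` is set; with it off, the /32 route for 203.0.113.7 would never be consulted for inbound packets, which is the point made under "Enable uRPF for source filtering" above.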
Common mistakes
- Mistake: Indiscriminate targeting. Routing all traffic to a black hole kills legitimate user traffic alongside the attack.
- Fix: Use Flowspec BGP for more granular filtering where possible.
- Mistake: Lack of visibility. Blackhole routing often provides no logging, meaning security teams cannot see the source of the attack or how much traffic is being dropped.
- Fix: Use monitoring tools to detect lost traffic, as black holes are otherwise invisible in network topology.
- Mistake: BGP Misconfiguration. Broadcasting a blackhole route too widely can have global consequences.
- Fix: Carefully control BGP "advertisements" to ensure you are not claiming to be the destination for unintended traffic.
Examples
The YouTube Blackout:
In 2008, Pakistan Telecom attempted to block YouTube nationwide using blackhole routing (Cloudflare). Because they accidentally broadcast this route via BGP to ISPs worldwide, they effectively told the entire internet that Pakistan was the destination for YouTube. This sent global YouTube traffic into a black hole for several hours.
IPv6 Discarding:
For network testing and documentation, IPv6 has a specific reserved black hole prefix: 100::/64 (RFC 6666).
Blackhole Routing vs Sinkholing
| Feature | Blackhole Routing | Sinkholing |
|---|---|---|
| Primary Action | Drops all traffic immediately. | Redirects traffic to a controlled IP. |
| Goal | Stop link saturation. | Analyze or filter malicious traffic. |
| Legitimate Traffic | Usually discarded with the bad. | Can be filtered and allowed through. |
| Visibility | Low (traffic is simply gone). | High (traffic can be inspected). |
FAQ
Is blackhole routing a "good" security defense?
It is an effective way to protect network infrastructure from being overwhelmed, but it is not a "good" defense for the specific target. Because it blocks all traffic, the attacker successfully achieves their goal of taking your service offline.
How is a black hole detected if it's invisible?
Black holes don't show up on standard network topology maps. They are only detected by monitoring traffic loss or when a connection-oriented protocol (like TCP) fails to receive expected acknowledgments.
Can blackhole routing be used for anything other than DDoS?
Yes. It is used in spam filtering (DNSBL) to drop emails from known malicious servers. There is also a macOS virtual driver named BlackHole used to route audio between applications with zero latency.
What is a null interface?
A null interface, such as null0, is a virtual "discard" point in a router. Any packet sent to this interface is dropped immediately without using further processing power to find a "real" destination.
Why do some people call it "stealth mode"?
Some firewalls are configured to silently discard packets (blackholing) without sending an ICMP response. When a firewall doesn't respond to "pings," hardware vendors often label this as "stealth mode."
Related terms:
- ICMP flood
- SYN flood
- Botnet
- IP Spoofing
- Unicast Reverse Path Forwarding (uRPF)
- Autonomous System (AS)