What Is Blackholing (DDoS Blackhole Routing)?
Blackholing is a technique used to mitigate the impact of a DDoS (Distributed Denial of Service) attack.
In this technique, network traffic to the target IP address is redirected to a ‘blackhole’, essentially a virtual void that drops all incoming traffic without delivering it to the intended recipient. When a DDoS attack occurs, the administrator can quickly identify the target IP address and redirect all traffic to that address to a blackhole.
However, it is important to note that blackholing can also have unintended consequences, such as dropping legitimate traffic. Therefore, it should be used with caution and only as a last resort when other mitigation techniques are not effective.
How Does Blackholing DDoS Work?
Blackholing involves discarding incoming traffic that is targeted towards a specific IP address. There are several ways to implement blackholing, including BGP blackholes, blocklists for spam filtering, and discarding IP packets targeting specific addresses such as blocked sites.
BGP blackholing
In BGP blackholing, network administrators use Border Gateway Protocol (BGP) to redirect traffic, originally intended for a victim’s Autonomous System (AS), to a null route, effectively discarding it.
BGP peering is necessary to implement this technique because it allows network administrators to control the flow of traffic on their networks. By using BGP to advertise a null route for a specific IP address, administrators can ensure that all traffic destined for that address is dropped before it reaches the intended recipient.
Blocklists for spam filtering
Blocklists for spam filtering are another common strategy for blackholing. These lists contain IP addresses that are known to be sources of spam or other malicious traffic. When an email server receives an incoming message from an IP address on the blocklist, it can be automatically discarded or sent to a quarantine folder for further review.
In all of these scenarios, blackholing works by intercepting incoming traffic and rerouting it before it can reach its intended destination. This technique can be effective in mitigating the impact of DDoS attacks or blocking malicious traffic.
Routing Approaches for Blackholing
There are two main approaches to implementing blackhole routing: using a trigger router or a permanent static route.
Trigger route approach
In this approach, network administrators configure a router to detect when a DDoS attack or other malicious traffic is occurring. The router then sends a message to the other routers on the network to redirect traffic to a null route. This approach is useful in situations where the network administrator wants to trigger blackhole routing only when a specific event occurs, such as a sudden spike in traffic.
Permanent static route
In this approach, network administrators configure a permanent static route on the network that redirects traffic to a null route for a specific IP address. This approach is useful for situations where a specific IP address is frequently targeted by malicious traffic, and the network administrator wants to permanently redirect that traffic to a null route.
Blackholing Pros and Cons
There are several pros and cons to consider when filtering traffic with blackholing.
| Pros | Cons |
| One of the main advantages of blackhole routing is its ability to quickly mitigate DDoS attacks and other malicious traffic.
Another benefit of blackhole routing is improved network performance. By discarding traffic that is targeted towards specific IP addresses, network administrators can reduce network congestion and improve overall network performance. This can be particularly useful in situations where a large volume of traffic is directed towards a specific server or application. |
While blackhole routing can be an effective technique for mitigating the impact of DDoS attacks and other malicious traffic, there are also several limitations to consider.
One limitation of blackhole routing is that it can make the web server or application unavailable to legitimate users. By discarding all traffic directed towards a specific IP address, even legitimate traffic may be blocked, potentially resulting in downtime for the affected application or service. It is important to note that the blackhole address used for routing may not be visible to the traffic source. This might result in traffic continuing to be directed towards the intended target even after blackhole routing has been implemented. |
Blackholing vs. Sinkholing
Blackholing and sinkholing are both techniques used to mitigate DDoS attacks, but they work in different ways.
Blackholing involves redirecting traffic to a “black hole” or null route, which drops all traffic to the targeted IP address or range. This technique is used to prevent malicious traffic from reaching the targeted network or system during a DDoS attack.
Sinkholing, on the other hand, involves redirecting traffic to a controlled destination or IP address, which allows legitimate traffic to pass through while filtering out malicious traffic. The sinkhole IP address is typically a decoy IP address that is not in use by any legitimate service, so any traffic directed to it is likely to be malicious. Sinkholing is typically done at the DNS level, by redirecting traffic to a DNS server that can filter out malicious traffic and allow legitimate traffic to pass through.
Both blackholing and sinkholing are effective techniques for mitigating DDoS attacks, but they have different strengths and limitations. Blackholing is a simple and effective technique that can be implemented at various levels within a network, but it drops all traffic to the targeted IP address or range, including legitimate traffic. Sinkholing is a more advanced technique that can filter out malicious traffic while allowing legitimate traffic to pass through, but it requires more advanced network configurations and expertise to implement.
In summary, blackholing and sinkholing are both valuable tools for mitigating DDoS attacks, and the choice of technique depends on the specific needs and resources of the organization implementing the mitigation.
DDoS Protection with Imperva
Imperva provides a DDoS Protection solution that blocks attack traffic at the edge to ensure business continuity with guaranteed uptime and no performance impact. Secure your on premises or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or Google Public Cloud.
Beyond DDoS protection, Imperva provides comprehensive protection for applications, APIs, and microservices:
Web Application Firewall – Prevent attacks with world-class analysis of web traffic to your applications.
Runtime Application Self-Protection (RASP) – Real-time attack detection and prevention from your application runtime environment goes wherever your applications go. Stop external attacks and injections and reduce your vulnerability backlog.
API Security – Automated API protection ensures your API endpoints are protected as they are published, shielding your applications from exploitation.
Advanced Bot Protection – Prevent business logic attacks from all access points – websites, mobile apps and APIs. Gain seamless visibility and control over bot traffic to stop online fraud through account takeover or competitive price scraping.
Attack Analytics – Ensures complete visibility with machine learning and domain expertise across the application security stack to reveal patterns in the noise and detect application attacks, enabling you to isolate and prevent attack campaigns.
Client-Side Protection – Gain visibility and control over third-party JavaScript code to reduce the risk of supply chain fraud, prevent data breaches, and client-side attacks.
