
What is blackhole routing?

Blackhole routing is a network defence technique where traffic destined for a specific IP address or range is silently dropped by routing it to a null interface, commonly used as an emergency response to DDoS attacks.

WPSentry Team, March 9, 2026, 3 min read

What is Blackhole Routing?

Blackhole routing, also known as null routing or blackholing, is a network defence technique in which traffic destined for a specific IP address or address range is silently discarded by routing it to a non-existent destination (a "null" interface). The term "blackhole" refers to the fact that packets enter the route and are never seen again, much like matter entering a gravitational black hole. No error messages are sent back to the source, and the traffic simply disappears.

This technique is most commonly used as an emergency countermeasure during DDoS attacks. When a server is being overwhelmed by malicious traffic, network administrators or upstream ISPs can create a blackhole route for the targeted IP address, causing all traffic (both malicious and legitimate) to be dropped before it reaches the target infrastructure.

How Blackhole Routing Works

Blackhole routing is implemented by adding a static route to a router's routing table that sends traffic for a specific destination to a discard interface (Null0 on Cisco IOS; Linux has a route type named blackhole that serves the same purpose, the routing equivalent of /dev/null). When the router receives a packet for the blackholed address, the route matches and the packet is discarded without being forwarded and without an ICMP Destination Unreachable being sent back. Because forwarding uses longest-prefix match, a host route (/32 for IPv4, /128 for IPv6) for the victim takes precedence over the broader prefix that covers it, so the rest of that prefix keeps flowing normally.

In practice, blackhole routing during a DDoS attack usually involves coordination between the target organisation and its upstream internet service provider, because a null route on the target's own router does nothing to stop the flood from saturating the link between the ISP and the target. Using BGP (Border Gateway Protocol), the target announces the victim's host route tagged with a community the ISP has agreed to act on, typically the well-known BLACKHOLE community 65535:666 (RFC 7999) or a provider-specific one. The ISP's import policy rewrites the next hop of such an announcement to a reserved discard address that every ISP router statically routes to its null interface, so the traffic is dropped at the ISP's network edge, at every ingress point, before it consumes bandwidth on the path to the target. This is known as remotely triggered blackhole (RTBH) routing (RFC 5635). A sound ISP policy accepts blackhole announcements only for host routes inside the customer's own address space; otherwise a customer could null-route someone else's address, or its own whole block by mistake.
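The two mechanisms just described, a static null route resolved by longest-prefix match and the ISP-side RTBH policy keyed on a BGP community, as a small Python simulation. This is an added example, not code from the article or from any router vendor: the discard address 192.0.2.1, the customer prefix 203.0.113.0/24, the BGP updates and the policy's acceptance rules are constructed for illustration, and 65535:666 is the BLACKHOLE community defined in RFC 7999.

```python
"""Blackhole routing and RTBH, simulated in Python.

Added example, not part of the original article. It models a router's
forwarding table with longest-prefix match, a discard (Null0) next hop,
and the ISP-side import policy that turns a customer's BGP announcement
carrying the well-known BLACKHOLE community (65535:666, RFC 7999) into a
null route. Addresses are RFC 5737 documentation ranges; the discard
address, customer prefix and BGP updates are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field

NULL0 = "Null0"                       # the discard interface
DISCARD_NEXT_HOP = "192.0.2.1"        # assumed ISP-wide discard address
BLACKHOLE_COMMUNITY = (65535, 666)    # RFC 7999 BLACKHOLE community


@dataclass
class Fib:
    """Forwarding table: prefix -> next hop (NULL0 or an IP address string)."""
    routes: dict = field(default_factory=dict)

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def remove(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        """Longest-prefix match; returns the next hop, or None if no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def forward(self, dst):
        """'forward', 'drop' (null route) or 'unreachable' (no route at all).

        The next hop is resolved recursively, so a route whose next hop is
        itself routed to Null0 (the RTBH discard address) also drops. No
        ICMP error is generated for 'drop'; that silence is the blackhole.
        """
        nh = self.lookup(dst)
        if nh is None:
            return "unreachable"
        if nh == NULL0 or self.lookup(nh) == NULL0:
            return "drop"
        return "forward"


@dataclass
class BgpUpdate:
    prefix: str
    next_hop: str
    communities: tuple = ()


def isp_import_policy(fib, update, customer_prefixes):
    """Assumed ISP ingress policy for one customer session.

    Only prefixes inside the customer's allocation are accepted. A host
    route tagged BLACKHOLE has its next hop rewritten to the discard
    address, which every ISP router statically routes to Null0, so the
    victim's traffic is dropped at each ingress point. Blackholing is
    limited to host routes so a customer cannot null-route a whole block.
    """
    net = ipaddress.ip_network(update.prefix)
    if not any(net.subnet_of(ipaddress.ip_network(p)) for p in customer_prefixes):
        return "rejected"
    if BLACKHOLE_COMMUNITY in update.communities:
        if net.prefixlen != net.max_prefixlen:      # /32 or /128 only
            return "rejected"
        fib.add(update.prefix, DISCARD_NEXT_HOP)
        return "blackholed"
    fib.add(update.prefix, update.next_hop)
    return "accepted"


def demo():
    isp = Fib()
    isp.add(f"{DISCARD_NEXT_HOP}/32", NULL0)   # discard address pinned to Null0
    customer = ["203.0.113.0/24"]
    r = {}
    r["normal"] = isp_import_policy(isp, BgpUpdate("203.0.113.0/24", "198.51.100.2"), customer)
    r["before"] = isp.forward("203.0.113.10")
    # Under attack: the customer announces the victim /32 tagged BLACKHOLE.
    r["rtbh"] = isp_import_policy(
        isp, BgpUpdate("203.0.113.10/32", "198.51.100.2", (BLACKHOLE_COMMUNITY,)), customer)
    r["victim"] = isp.forward("203.0.113.10")        # dropped at the ISP edge
    r["neighbour"] = isp.forward("203.0.113.11")     # rest of the /24 unaffected
    # Abuse attempts the policy must refuse.
    r["foreign"] = isp_import_policy(
        isp, BgpUpdate("198.51.100.77/32", "198.51.100.2", (BLACKHOLE_COMMUNITY,)), customer)
    r["too_broad"] = isp_import_policy(
        isp, BgpUpdate("203.0.113.0/24", "198.51.100.2", (BLACKHOLE_COMMUNITY,)), customer)
    # Attack over: withdraw the host route and traffic flows again.
    isp.remove("203.0.113.10/32")
    r["after"] = isp.forward("203.0.113.10")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10s} {v}")
```

Running the module prints the outcome of each step in `demo()`. The `foreign` and `too_broad` cases are the two checks an ISP policy needs so that a customer can blackhole only individual hosts inside its own allocation; the `neighbour` case shows why the victim is announced as a host route rather than the whole prefix.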

Advantages and Limitations

The primary advantage of blackhole routing is its speed and simplicity. A blackhole route can be installed within seconds, immediately relieving pressure on the targeted infrastructure. It requires no specialised DDoS mitigation hardware and can be deployed at any point in the network path, from the target's own router to the upstream ISP's edge routers. Placement matters, though: a null route on the target's own router protects only the hosts behind it, while the flood still fills the upstream link, which is why dropping at the ISP edge through RTBH is usually preferred.

The major limitation is that blackhole routing is indiscriminate. It drops all traffic to the targeted IP address, including legitimate user requests. This means the attacker effectively achieves their goal of making the service unavailable, even though the server itself and the rest of the network are protected from the flood. The damage is usually contained by blackholing only the attacked host (a /32 or /128) rather than the whole prefix, and by withdrawing the route as soon as the attack subsides. For this reason, blackhole routing is often considered a last-resort measure when the attack volume exceeds the capacity of more selective mitigation techniques.

Selective Blackholing and Alternatives

To address the indiscriminate nature of traditional blackholing, more selective techniques have been developed. Destination-based RTBH (D/RTBH) drops all traffic to a specific destination. Source-based RTBH (S/RTBH) instead null-routes the attacking source prefixes and relies on unicast reverse path forwarding (uRPF) in loose mode: a packet whose source address resolves to the null route fails the uRPF check and is dropped, while legitimate sources still reach the target (RFC 5635). S/RTBH only helps when the attack comes from a manageable set of unspoofed sources, such as the reflectors in an amplification attack. BGP Flow Specification (Flowspec, RFC 8955) goes further by distributing filter rules that match on destination and source prefix, IP protocol, source and destination ports, packet length, TCP flags and other header fields, with actions such as discard or rate-limit, so that, for example, large UDP packets from source port 123 can be dropped while HTTPS traffic to the same address is left alone.
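To make the difference between the three approaches concrete, this added Python example (not code from the article or from any vendor) runs one constructed packet set through a destination blackhole, a source blackhole and a Flowspec-style rule and counts what each one drops. The addresses come from the RFC 5737 documentation ranges, the traffic mix (HTTPS and DNS clients plus an NTP-amplification flood) is invented for the example, and all three policies are modelled with one rule matcher; on a real router D/RTBH is a null route, S/RTBH is a null route plus loose-mode uRPF, and only the last policy is an actual Flowspec rule.

```python
"""Selective filtering: D/RTBH vs S/RTBH vs BGP Flowspec, simulated.

Added example, not code from the original article or from any vendor.
The same constructed packet set (RFC 5737 documentation addresses) is run
through three policies to show what each one drops and what it lets
through. The 'attack' label on a packet is ground truth known only to
the example; no real filter sees it.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    length: int           # bytes
    attack: bool = False  # ground-truth label for scoring only


@dataclass
class Rule:
    """Subset of the Flowspec match components (RFC 8955); None means 'any'.
    Every rule here carries the discard action; Flowspec also offers
    rate-limit and redirect."""
    dst_prefix: Optional[str] = None
    src_prefix: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    min_length: Optional[int] = None   # packet-length lower bound

    def matches(self, p: Packet) -> bool:
        def in_prefix(addr, prefix):
            return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)
        return (in_prefix(p.dst, self.dst_prefix)
                and in_prefix(p.src, self.src_prefix)
                and (self.proto is None or p.proto == self.proto)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (self.min_length is None or p.length >= self.min_length))


def evaluate(packets, rules):
    """Drop a packet if any rule matches; count attack/legit drops and forwards."""
    counts = {"attack_dropped": 0, "legit_dropped": 0,
              "attack_forwarded": 0, "legit_forwarded": 0}
    for p in packets:
        dropped = any(r.matches(p) for r in rules)
        kind = "attack" if p.attack else "legit"
        counts[f"{kind}_{'dropped' if dropped else 'forwarded'}"] += 1
    return counts


VICTIM = "203.0.113.10"

# Constructed traffic: two HTTPS clients and a DNS client talking to the
# victim, an NTP-amplification flood (UDP from source port 123, large
# packets) from three reflectors in 198.51.100.0/24 plus one reflector
# elsewhere, and one HTTPS connection to a neighbouring host.
TRAFFIC = [
    Packet("192.0.2.50", VICTIM, "tcp", 51000, 443, 64),
    Packet("192.0.2.51", VICTIM, "tcp", 51001, 443, 64),
    Packet("192.0.2.52", VICTIM, "udp", 40000, 53, 80),
    Packet("198.51.100.5", VICTIM, "udp", 123, 33001, 468, attack=True),
    Packet("198.51.100.6", VICTIM, "udp", 123, 33002, 468, attack=True),
    Packet("198.51.100.7", VICTIM, "udp", 123, 33003, 468, attack=True),
    Packet("192.0.2.99", VICTIM, "udp", 123, 33004, 468, attack=True),
    Packet("192.0.2.50", "203.0.113.11", "tcp", 51002, 443, 64),
]

POLICIES = {
    # D/RTBH: null route for the victim host; everything to it is lost.
    "d_rtbh": [Rule(dst_prefix=f"{VICTIM}/32")],
    # S/RTBH: null route + loose uRPF on the known reflector prefix.
    "s_rtbh": [Rule(src_prefix="198.51.100.0/24")],
    # Flowspec: match the attack's shape, not just an address.
    "flowspec": [Rule(dst_prefix=f"{VICTIM}/32", proto="udp", sport=123, min_length=400)],
}


def demo():
    return {name: evaluate(TRAFFIC, rules) for name, rules in POLICIES.items()}


if __name__ == "__main__":
    for name, counts in demo().items():
        print(f"{name:9s} {counts}")
```

The destination blackhole drops every attack packet but also every legitimate one, the source blackhole spares legitimate users yet misses the reflector whose prefix was not announced, and the Flowspec rule drops all four attack packets while forwarding all four legitimate ones. Rules are evaluated here in list order; real Flowspec orders them with the RFC 8955 comparison algorithm, which does not matter when, as here, each policy has a single rule.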

Modern DDoS mitigation services from providers like Cloudflare, Akamai, and AWS Shield offer intelligent traffic scrubbing that separates malicious traffic from legitimate requests, providing a far more surgical alternative to blackhole routing. However, blackhole routing remains an important tool in the network defender's arsenal, particularly when attack volumes are too large for inline scrubbing or when upstream mitigation services are unavailable.


Frequently Asked Questions

Blackhole routing is primarily used as an emergency DDoS mitigation technique. It silently drops all traffic to a targeted IP address by routing it to a null interface, preventing the flood from reaching the target server.

Blackhole routing is indiscriminate, dropping both malicious and legitimate traffic. This means the targeted service becomes unavailable to real users, effectively achieving the attacker's denial-of-service goal.

RTBH is a technique where a target organisation uses BGP to signal its upstream ISP to drop traffic destined for a specific IP at the ISP's network edge, preventing attack traffic from consuming bandwidth.
