Blackhole routing is a DDoS mitigation strategy that eliminates all traffic from specific sources.
What is DDoS blackhole routing?
DDoS blackhole routing/filtering (sometimes called blackholing) is a countermeasure to mitigate a DDoS attack in which network traffic is routed into a “black hole” and is lost. When blackhole filtering is implemented without specific restriction criteria, both legitimate and malicious network traffic is routed to a null route (the black hole) and dropped from the network. With connectionless protocols such as UDP, no notification of the dropped data is returned to the source. With connection-oriented protocols like TCP, which require a handshake to connect with the target system, a notification will be returned if the data is dropped.
For organizations with no other means of blocking an attack, blackholing is a widely available option, but it may have serious consequences that make it an undesirable way to mitigate a DDoS attack. Much as improperly used antibiotics destroy both good and bad bacteria, this type of DDoS mitigation indiscriminately disrupts sources of traffic to the network or service. Sophisticated attacks also use varying IP addresses and attack vectors, which limits the effectiveness of blackholing as the sole means of disrupting an attack.
A key consequence of using blackhole routing when good traffic is also affected is that the attacker has essentially accomplished their goal of disrupting traffic to the target network or service. Even though it can help a malicious actor accomplish their goal, blackhole routing can still be useful when the target of the attack is a small site that’s part of a larger network. In that case, blackholing the traffic directed at the targeted site could protect the larger network from the effects of the attack.
Case study: how a Pakistani ISP shut down YouTube with blackhole routing
In 2008, YouTube was down for hours one day thanks to Pakistan Telecom’s use of blackhole routing. This happened after the Pakistani Ministry of Communication sent out orders to have YouTube blocked nationwide in response to a YouTube video that contained a Dutch cartoon depicting the prophet Muhammad. Pakistan’s government-owned telecommunication service responded to these orders with a blackhole routing solution, but their solution created unexpected side effects.
Pakistan Telecom created a black hole route and broadcast instructions claiming to be the legitimate destination for anyone trying to reach YouTube’s web addresses. That traffic was then sent to the black hole route and dropped. The problem is that Pakistan Telecom used BGP (the Border Gateway Protocol, which manages how packets are routed across the Internet) to share this route with ISPs worldwide. So Pakistan effectively broadcast to Internet providers worldwide that it was the correct destination for YouTube traffic, sending all YouTube-bound traffic into a black hole. Fortunately, YouTube has a very sophisticated technical team, and they were able to identify and fix the problem within hours. Still, this example shows a serious risk of using blackhole routing.
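The two mechanisms above, a null route that silently drops traffic and a more-specific BGP announcement that captures traffic belonging to someone else, can be seen in a small routing-table simulation. This is an added example, not code from the original article; it uses constructed RFC 5737 documentation prefixes and hypothetical private AS numbers rather than the 2008 addresses, and the "null0" next hop stands for the blackhole interface.

```python
import ipaddress

# Constructed routing table: (prefix, next hop, originating AS).
# "null0" is the blackhole interface; AS numbers are hypothetical.
ROUTES = [
    ("203.0.113.0/24", "192.0.2.1", 64500),    # content network's own aggregate
    ("203.0.113.128/25", "null0", 64499),      # more-specific blackhole from another AS
    ("198.51.100.7/32", "null0", 64500),       # own single host blackholed to protect the rest
]

def select_route(dst, routes):
    """Longest-prefix match, as a router performs it: the most specific
    covering prefix wins regardless of who announced it or where it leads."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, asn in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, asn)
    return best

def forwarding_decision(dst, routes=ROUTES):
    """Return 'dropped' when the chosen route is the black hole, else the next hop."""
    best = select_route(dst, routes)
    if best is None:
        return "no route"
    return "dropped" if best[1] == "null0" else best[1]

def more_specific_blackholes(routes):
    """Defender check: flag blackhole routes that carve a more-specific block
    out of a prefix originated by a different AS, the pattern of the 2008 incident.
    A /32 blackhole inside your own aggregate (the small-site case) is not flagged."""
    findings = []
    for prefix, next_hop, asn in routes:
        if next_hop != "null0":
            continue
        net = ipaddress.ip_network(prefix)
        for cover_prefix, _, cover_asn in routes:
            cover = ipaddress.ip_network(cover_prefix)
            if cover != net and net.subnet_of(cover) and cover_asn != asn:
                findings.append((prefix, asn, cover_prefix, cover_asn))
    return findings

if __name__ == "__main__":
    for host in ("203.0.113.5", "203.0.113.130", "198.51.100.7"):
        print(host, "->", forwarding_decision(host))
    print("suspicious blackholes:", more_specific_blackholes(ROUTES))
```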