Black hole routing: Not a silver bullet for DDoS protection

As ISPs, hosting providers and online enterprises around the world continue suffering the effects of DDoS attacks, often the discussions that follow are, “What is the best way to defend our networks and our customers against an attack?”

Traditional techniques of defense include SYN-cookies, SYN-proxy, redirects, challenges, and of course the black hole routing technique to name a few. Most of these techniques have been around since the early 2000’s when DDoS attacks first began to surface.

For those that do not know much about black hole routing, (also called null routing) this technique involves creating an IP-traffic route that virtually goes nowhere. The packets destined for the null route end up in the bit bucket. Null routing is essentially available on every commercial router today and there is little performance impact to silently drop all traffic to a specific destination.

It’s no secret in the world of DDoS attacks, that using null routing is a tool of choice for organizations that have no other means of blocking an attack. For example, an attacker selects a victim and launches a DDoS attack against them. The victim may not be the only entity impacted. Other users that share the same infrastructure as the victim may also experience the effects of the attack and have their service degraded or be taken offline altogether as their infrastructure, servers, and applications are severely impacted by the onslaught of the phony traffic. These unintended victims are collateral damage from the attack, which is sometimes referred to as second-hand DDoS.

With no DDoS defenses in place, victims normally call their ISP and ask for assistance with blocking the attack upstream. The ISP injects a null route with the IP address of the original victim into their routing infrastructure and begins blocking all DDoS traffic to the victim with the hopes of reducing the impact against the rest of their customers who are experiencing collateral impact as a result of the attack.

Less than desirable approach
However there is a problem with this approach; it actually perfects the DDoS attack against the original victim! Not only does this method block all DDoS traffic, but it also blocks all “good traffic” as well. This technique is calamitous for the Internet connected business whose business thrives on Internet availability. If the upstream ISP null routes all good traffic-and-DDoS traffic into the “black hole’, it effectively takes the victim offline. This method of defense is simply not acceptable for organizations that rely on an always-on Internet. Additionally, since most DDoS attacks are highly spoofed, trying to null route on the source IP addresses is nearly impossible.

More collateral damage
Many ISP’s are utilizing black hole routing as their only means for DDoS defense. With this approach, for example, when an ISP with residential customers comes under attack they must null route into their infrastructure, for the destination (victim). Resulting in hundreds of their other customers being knocked offline.

With regards to the ISP’s commercial customers, they range from very high-end hosting providers, gaming providers, web-based businesses, and smaller commercial customers. These customers have also felt the effects of DDoS attack – some quite often. Due to the shared network environment of a Tier 2 or Tier 3 ISP, the risk of collateral damage is a major issue when it comes to dealing with DDoS attacks. For commercial customers that require 100% uptime, black hole routing is an unacceptable solution.

There is a better way
As we have learned by dealing with the DDoS threat landscape, black hole routing is a rudimentary approach to DDoS mitigation, which in many cases does more harm than good.

Technology exists today that is completely capable of blocking all DDoS attacks in real-time. Purpose built DDoS technology is rapidly becoming the standard for real-time DDoS protection. When deployed at the ISPs peer points, this DDoS defense solution can effectively remove all DDoS attack traffic from ever entering the ISP network; blocking the attacks before they can wreak havoc the ISP infrastructure, or impact their customers.

With proper protection, the days of dealing with DDoS attack outages are over. No more 4:00AM wake-up calls, no more complaints, no more downtime, and no more victims. If you’re an ISP it’s time to admit, you need to deploy these defenses for proper DDoS protection.