Black Hole Routing does not equate to DDoS protection

By Stephen Gates, Chief Security Evangelist for Corero Network Security.


As ISPs, hosting providers and online enterprises around the world continue to suffer the effects of DDoS attacks, the discussion often centres on the best way to defend networks and their customers. Traditional defense techniques include SYN cookies, SYN proxy, redirects, challenges, and of course black hole routing, to name a few. Most of these techniques have been around since the early 2000s, when DDoS attacks first surfaced.


Black hole routing (also called null routing) involves creating an IP traffic route that goes nowhere. Packets destined for the null route end up in the bit bucket. Null routing is available on essentially every commercial router today, and silently dropping all traffic to a specific destination has little performance impact.
Null routing is often the tool of choice for organisations that have no other means of blocking an attack. But the victim of a DDoS attack may not be the only entity impacted. For example, other users that share the same infrastructure as the victim may also experience the effects of the attack and have their service degraded or be taken offline altogether, as their infrastructure, servers, and applications are severely impacted by the onslaught of phony traffic.


These unintended victims are collateral damage from the attack, which is sometimes referred to as second-hand DDoS. With no DDoS defenses in place, victims normally call their ISPs and ask for assistance with blocking the attack upstream. The ISP injects a null route for the IP address of the original victim into its routing infrastructure and begins dropping all DDoS traffic to the victim, in the hope of reducing the impact on the rest of its customers who are experiencing collateral damage as a result of the attack.


However, there is a problem with this approach: it actually perfects the DDoS attack against the original victim. This method blocks not only all DDoS traffic but all “good traffic” as well. This technique is calamitous for an Internet-connected business that thrives on internet availability. If the upstream ISP null routes both good traffic and DDoS traffic into the ‘black hole’, it effectively takes the victim offline. This method of defense is simply not acceptable for organisations that rely on an always-on internet. Additionally, since most DDoS attacks are highly spoofed, trying to null route on the source IP addresses is nearly impossible.
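The trade-off described above, as a small simulation added here (it is not from the original article): a routing table with longest-prefix match, before and after the ISP injects a host null route for the victim. The addresses, packet counts, link capacity and the proportional-drop congestion model are all constructed assumptions.

```python
import ipaddress

# Constructed sample data (documentation address range); not from the article.
VICTIM = ipaddress.ip_address("203.0.113.10")
NEIGHBOUR = ipaddress.ip_address("203.0.113.20")
LINK_CAPACITY = 1000  # packets per interval the shared link can carry (assumed)

# (destination, kind, packets) offered at the ISP edge in one interval
FLOWS = [
    (VICTIM, "attack", 9000),
    (VICTIM, "legit", 300),
    (NEIGHBOUR, "legit", 400),
]

def lookup(rib, dst):
    """Longest-prefix match; None means a null route (or no route): drop."""
    matches = [(net, hop) for net, hop in rib if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen, default=(None, None))[1]

def forward(rib, flows, capacity=LINK_CAPACITY):
    """Return {(dst, kind): delivered packets} after routing and congestion."""
    routed = [(d, k, n) for d, k, n in flows if lookup(rib, d) is not None]
    offered = sum(n for _, _, n in routed)
    # A congested link drops indiscriminately: every flow keeps the same share.
    share = min(1.0, capacity / offered) if offered else 0.0
    delivered = {(d, k): 0 for d, k, _ in flows}
    for d, k, n in routed:
        delivered[(d, k)] = round(n * share)
    return delivered

BASE_RIB = [(ipaddress.ip_network("203.0.113.0/24"), "customer-link")]
# The ISP injects a /32 for the victim whose next hop is "nowhere".
NULL_RIB = BASE_RIB + [(ipaddress.ip_network("203.0.113.10/32"), None)]

def report():
    return {"no_null_route": forward(BASE_RIB, FLOWS),
            "null_route": forward(NULL_RIB, FLOWS)}

if __name__ == "__main__":
    for name, result in report().items():
        print(name)
        for (dst, kind), n in result.items():
            print(f"  {dst} {kind:6} delivered={n}")
```

Without the null route the neighbour receives only a fraction of its 400 packets; with it the neighbour recovers fully, while the victim's legitimate traffic drops to zero along with the attack traffic.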


An ISP’s commercial customers range from very high-end hosting providers, gaming providers and web-based businesses to smaller commercial customers. Because of the shared network environment of a Tier 2 or Tier 3 ISP, the risk of collateral damage to these customers is a major issue when it comes to dealing with DDoS attacks. For commercial customers that require 100% uptime, black hole routing is an unacceptable solution.


As we have learned by dealing with the DDoS threat landscape, black hole routing is a rudimentary approach to DDoS mitigation, which in many cases does more harm than good.


Technology exists today that is completely capable of blocking all DDoS attacks in real-time. Purpose-built DDoS technology is rapidly becoming the standard for real-time DDoS protection. When deployed at the ISP’s peer points, this DDoS defense solution can effectively prevent all DDoS attack traffic from ever entering the ISP network, blocking the attacks before they can wreak havoc on the ISP infrastructure or impact its customers. With proper protection, the days of dealing with DDoS attack outages are over. No more 4:00AM wakeup calls, no more complaints, no more downtime, and no more victims. If you’re an ISP, it’s time to admit you need to deploy these defenses for proper DDoS protection.
