Safeguarding Your Network: Understanding Blackhole Routing and BGP Communities
Objective of Blackholing in Networking
In networking, things happen quickly and uptime matters. But what happens when your network is hit with a deluge of malicious traffic, millions of packets per second all aimed at one destination IP or service?
This is where blackhole routing saves the day.
Using a blackhole route is a straightforward way to block traffic destined for an IP address or range: you simply tell your network to send that traffic to a non-existent path, or a 'null' interface, and in this way stop malicious traffic from reaching its target or taking down your network completely. It helps maintain network stability and performance by separating the attackers or unsafe flows from legitimate customers. But this always means that valid traffic meant for the blackholed IP addresses is dropped as well, so blackholing is a tactical measure rather than a strategic one.
What is DDoS and the Types of DDoS Attacks
A Distributed Denial of Service (DDoS) attack is a type of cyberattack in which a massive number of compromised systems, infected with malware or Trojans, are used to flood one system with network traffic in order to overwhelm it and, on some occasions, shut it down.
These may take one of three forms:
1. Volumetric attack: congests bandwidth with a large volume of packets that flood the target, typically a UDP or ICMP flood.
2. Protocol attack: exploits weaknesses at layers 3-4, as in SYN floods.
3. Application-layer attack: web servers or APIs are swamped with HTTP requests.
The results are ugly: zero bandwidth, choked networks, and routers and firewalls melting down at 100% CPU utilization, with legitimate users unable to access services.
Globally Filter and Black Hole Attacks
To mitigate these attacks, global filtering is an instantaneous remedy that sends malicious traffic to a null destination (i.e., drops it) before it severely damages the network, while buying enough time to deploy more precise mitigation techniques.
Remote Triggered Blackhole (RTBH)
From the viewpoint of network security, black holes in the network are points where traffic is forwarded and discarded. Upon detection of an attack, all (or a portion of) the traffic in which the attack was found can be dropped at the edge of the service provider's network by the blackholing function, based on either the destination IP address or the source IP address. RTBH filtering allows the network edge to adjust the routing tables so that traffic intended for the victim is never admitted into your provider's network.
RTBH filtering is a single component of the security toolbox and can be combined with others to provide layered protection to an environment. It offers the following:
• An effective approach for DDoS and worm attacks.
• Quarantine of all traffic to the victim under attack.
• Use of blacklist filtering for RTBH. A reasonable use case is a network whose devices already run internal Border Gateway Protocol (iBGP) between the access and aggregation points, and a new device is placed in isolation under Network Operations.
Let's understand it using a scenario.
Cogent ISP observed that one IP user from the 154.0.176.0/24 block was engaged in suspicious malicious activity, so there is a threat of a DDoS attack from outside. They therefore want to block the 154.0.176.0/24 block from accessing the internet.
How does the ISP do it?
========================================
Configuration at Cogent-ISP router end
========================================
! Prefix-list and route-map are global configuration, so they are
! defined before the BGP process that references them.
!
! The prefix to be blackholed
ip prefix-list BLOCKED seq 5 permit 154.0.176.0/24
!
! Tag the blackholed prefix with the blackhole community 64570:1070
route-map SET-BLACKHOLE permit 10
 match ip address prefix-list BLOCKED
 set community 64570:1070 additive
!
router bgp 64570
 neighbor 203.0.113.4 remote-as 174
 neighbor 203.0.113.4 description Upstream-Transit
 ! send-community both is required, otherwise the tag is stripped
 neighbor 203.0.113.4 send-community both
 ! Originate the prefix with the community attached
 network 154.0.176.0 mask 255.255.255.0 route-map SET-BLACKHOLE
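The article shows only the customer side; the added example below (not from the original article) is the matching upstream (AS 174) configuration that honours the 64570:1070 tag. It accepts the tag only for prefixes inside the customer's own 154.0.176.0/24, rewrites the next hop to a discard address, and keeps the blackhole route from leaking beyond its own AS. The customer peer address 203.0.113.1, the discard next hop 192.0.2.1 and all object names are assumptions.

```cisco
! Upstream side (AS 174) - added example, addresses and names are assumed
ip bgp-community new-format
!
! Discard route: any prefix whose next hop resolves to 192.0.2.1 is dropped.
! This static must exist on every router in the AS that learns the route.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Prefixes this customer may ask us to blackhole (within its own block only)
ip prefix-list CUST-64570-BLACKHOLE seq 5 permit 154.0.176.0/24 le 32
!
! Prefixes this customer is allowed to announce normally
ip prefix-list CUST-64570-ROUTES seq 5 permit 154.0.176.0/24
!
! The blackhole request community agreed with the customer
ip community-list standard RTBH-REQUEST permit 64570:1070
!
route-map FROM-CUST-64570 permit 10
 ! Blackhole request: must carry the tag AND be inside the customer block
 match ip address prefix-list CUST-64570-BLACKHOLE
 match community RTBH-REQUEST
 set ip next-hop 192.0.2.1
 set local-preference 200
 ! Keep the blackhole route inside our AS
 set community no-export additive
route-map FROM-CUST-64570 permit 20
 ! Ordinary announcement of the customer's own block
 match ip address prefix-list CUST-64570-ROUTES
route-map FROM-CUST-64570 deny 30
 ! Everything else from this customer is rejected
!
router bgp 174
 neighbor 203.0.113.1 remote-as 64570
 neighbor 203.0.113.1 description Customer-Cogent-ISP
 neighbor 203.0.113.1 route-map FROM-CUST-64570 in
```

Once the tagged route is installed, `show ip bgp 154.0.176.0/24` on the upstream should show next hop 192.0.2.1, and `show ip cef 154.0.176.1` should resolve to Null0, which is the check that the blackhole is actually in effect.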
Conclusion:
In short, blackhole routing (RTBH) protects your network by dropping attack traffic before it reaches its intended target. By tagging the suspicious prefix with a special BGP community, the ISP or upstream router knows that traffic for this route should not be forwarded but discarded via Null0.
In our case, Cogent ISP sensed malicious activity and announced the blackhole route towards its upstream provider using BGP community tagging. When the prefix with that community is received by an upstream router, all traffic for the destination it announces is discarded into the blackhole, thus preventing the victims' bandwidth, routers and firewalls from being overwhelmed.
