Fortifying Network Security: The Power of Blackhole Routing in Mitigating DoS Attacks

 

Objective of a Black Hole in an ISP:

A black hole, in the context of Internet Service Providers (ISPs), is a measure for dealing with traffic that floods the network and causes congestion: the traffic is simply discarded. A black hole route redirects traffic destined for an IP address (or range) to a non-existent path or "null" interface, so the malicious traffic is stopped before it reaches its target and takes the network down completely. This preserves network stability and performance by isolating attackers or risky data flows from legitimate customers. However, it also inevitably discards legitimate traffic destined for the black-holed IP addresses, so black holing is a tactical measure rather than a sustainable one.

[Fig. 1: Black hole in an ISP to prevent a DDoS attack]

From a network security standpoint, black holes are deployed at the points in the network where traffic is forwarded and can be dropped. Once an attack is detected, the black-holing function can drop all traffic involved in the attack at the edge of the Internet service provider (ISP) network, selected by destination IP address or by source IP address. RTBH filtering allows the network edge, or any other point in the network, to alter the routing tables so that specific traffic is dropped before it has a chance to enter the provider's network.

 

RTBH filtering is one of many security tools and, used together with the others, increases the protection of an environment by:

 • efficiently mitigating DDoS and worm attacks;

 • quarantining all traffic en route to the victim under attack;

 • implementing blacklist filtering.

A typical RTBH deployment reuses existing network devices that already run internal Border Gateway Protocol (iBGP) at both the access and aggregation points, with a separate device inside the Network Operations Center (NOC) acting as the trigger. The trigger device sends iBGP updates to the edge routers; the update sets the next hop for the targeted prefix to one that the edge routers resolve to the null interface, so the matching traffic is deny-listed and discarded on the way out instead of being forwarded.

Destination-Based Remotely Triggered Black Hole Filtering

Mitigating the damaging effects of a denial-of-service (DoS) attack requires swiftly dropping the malicious traffic to protect network integrity. One effective strategy is destination-based IP black hole filtering with remote triggering, which allows a quick, network-wide response. The operator adds a static route on a triggering device, which then sends a routing update via iBGP to the edge routers configured for black hole filtering. The update sets the next-hop IP address to a preconfigured static route that points to a null interface, so the offending traffic is discarded. This not only isolates the attack but also minimizes collateral damage such as bandwidth consumption and processor utilization, keeping the service stable. It also allows black-holed destinations to be documented and tracked, so that these addresses can be promptly restored once the threat subsides, maintaining network resilience and service continuity.
 

Let's understand it using a scenario.

Cogent ISP observed that an IP user within the 154.0.176.0/20 block is carrying out suspicious, malicious activity, so there is a threat of a DDoS attack from outside. They therefore want to block the 154.0.176.0/20 block from accessing the Internet.

How is this done at the ISP end?

*A:France-r1# configure service vprn 12001 static-route-entry 154.0.176.0/20
*A:France-r1>config>service>vprn>static-route-entry# info
----------------------------------------------
                black-hole
                    no shutdown
                exit
----------------------------------------------

*A:ga-libr-ahq-r1# show router 12001 static-route

Static Route Table (Service: 12001)  Family: IPv4
===============================================================================
Prefix                                        Tag         Met    Pref Type Act
   Next Hop                                    Interface
-------------------------------------------------------------------------------
154.0.176.0/20                                0           1      5    BH   Y
   n/a                                         n/a
===============================================================================
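As an added verification step, not part of the original post and not Nokia's own tooling, the Python below parses the static-route table shown above, confirms that the entry for 154.0.176.0/20 is an active black hole (Type BH, Act Y), and runs a longest-prefix lookup for a destination address to show whether its traffic would be discarded. The sample table is re-typed from the post; the second entry (154.0.180.0/24, type code "NH", next hop 10.0.0.1 on interface to-core) is a constructed addition that shows how a more-specific non-black-hole route would let traffic through.

```python
import ipaddress
import re

# Constructed sample input: the "show router 12001 static-route" table from the post, plus a
# made-up more-specific next-hop entry (type code "NH" assumed) so longest-prefix matching
# has a competitor. Not captured from a live router.
SAMPLE_OUTPUT = """\
Static Route Table (Service: 12001)  Family: IPv4
===============================================================================
Prefix                                        Tag         Met    Pref Type Act
   Next Hop                                    Interface
-------------------------------------------------------------------------------
154.0.176.0/20                                0           1      5    BH   Y
   n/a                                         n/a
154.0.180.0/24                                0           1      5    NH   Y
   10.0.0.1                                    to-core
===============================================================================
"""

# First line of each two-line entry: prefix, tag, metric, preference, type, active flag.
ROUTE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+([YN])\s*$")

def parse_static_routes(text):
    """Parse the table into dicts; the line after each match carries next hop and interface."""
    lines = text.splitlines()
    routes = []
    for i, line in enumerate(lines):
        m = ROUTE_RE.match(line)
        if not m:
            continue
        prefix, _tag, met, pref, rtype, act = m.groups()
        nh = lines[i + 1].split() if i + 1 < len(lines) else []
        routes.append({"prefix": ipaddress.ip_network(prefix), "metric": int(met),
                       "pref": int(pref), "type": rtype, "active": act == "Y",
                       "next_hop": nh[0] if nh else "n/a",
                       "interface": nh[1] if len(nh) > 1 else "n/a"})
    return routes

def blackhole_active(routes, prefix):
    """True when an active black hole (Type BH, Act Y) exists for exactly this prefix."""
    net = ipaddress.ip_network(prefix)
    return any(r["prefix"] == net and r["type"] == "BH" and r["active"] for r in routes)

def is_discarded(routes, dst_ip):
    """Longest-prefix match over active entries: is the winning route the black hole?
    A more-specific non-BH route inside the black-holed block wins and lets traffic through."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [r for r in routes if r["active"] and dst in r["prefix"]]
    best = max(hits, key=lambda r: r["prefix"].prefixlen, default=None)
    return best is not None and best["type"] == "BH"
```

Running blackhole_active on the parsed table after each change is a cheap way to track which destinations are currently black-holed and to confirm they have been removed once the attack subsides.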
