Blackholing stops DDOS attacks but consumes everything else too
- By John Breeden II
- Apr 22, 2013
What it is: The most recent distributed denial of service survey from Prolexic shows that denial of service attack durations, the total time an attack is active, increased this year to 34.4 hours, up from 32 hours last year. Packet rates and bandwidth used during attacks are also up. To weather the storm, service providers can employ blackholing techniques, which prevent all traffic from reaching its destination.
How It Works: Blackholing is a common defense against spam, in which an Internet service provider blocks packets from a domain or IP address, but the technique can be used against DDOS attacks. The problem with a DDOS attack is that not only is the website in question affected, but also others that are sharing the same servers or even routers. Thus, an attack on one agency can affect others if they are closely networked.
When under a massive attack, a black hole can be employed in a kind of "we had to burn the village to save it" approach. All website traffic, covering both legitimate users trying to access information and the fake attack requests, is sent into a black hole, or null route, Prolexic said. The requests aren't processed in any way. Anything trying to access the website is simply dropped. After the attack has stopped, an average of 34 hours later, the black hole is removed and the website is back online. The extra traffic from the attack doesn't affect any connected systems.
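The trade-off described above can be seen in a small routing model, added here as an illustration and not taken from the article or from Prolexic. It assumes a provider edge router using longest-prefix match in front of one shared hosting link; the addresses (documentation range), link capacity and packet counts are constructed sample values.

```python
import ipaddress

LINK_CAPACITY = 1000  # packets per tick on the shared hosting link (constructed)
VICTIM, NEIGHBOR = "203.0.113.10", "203.0.113.20"  # documentation addresses
FLOWS = [  # (label, destination, packets per tick), all constructed
    ("victim-legit", VICTIM, 200),
    ("victim-attack", VICTIM, 9000),
    ("neighbor-legit", NEIGHBOR, 300),
]

class Router:
    """Provider edge router; a next hop of None is a null route (black hole)."""
    def __init__(self):
        self.routes = {}

    def add_route(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def remove_route(self, prefix):
        del self.routes[ipaddress.ip_network(prefix)]

    def lookup(self, dst):
        # Longest-prefix match: the most specific covering route wins.
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None  # no route, packet dropped
        return self.routes[max(matches, key=lambda net: net.prefixlen)]

def simulate(router, flows):
    """Return packets delivered per flow after routing and link congestion."""
    forwarded = [(label, pkts) for label, dst, pkts in flows
                 if router.lookup(dst) is not None]
    total = sum(pkts for _, pkts in forwarded)
    delivered = {label: 0 for label, _, _ in flows}
    for label, pkts in forwarded:
        # An oversubscribed link drops the same fraction of every flow.
        delivered[label] = pkts if total <= LINK_CAPACITY else pkts * LINK_CAPACITY // total
    return delivered

def run_scenario():
    router = Router()
    router.add_route("203.0.113.0/24", "hosting-link")
    during_attack = simulate(router, FLOWS)
    router.add_route(VICTIM + "/32", None)   # black hole the victim only
    blackholed = simulate(router, FLOWS)
    router.remove_route(VICTIM + "/32")      # attack over, null route removed
    calm = [f for f in FLOWS if f[0] != "victim-attack"]
    return during_attack, blackholed, simulate(router, calm)

if __name__ == "__main__":
    for stage in run_scenario():
        print(stage)
```

In this model the neighbor's delivered traffic recovers fully once the victim's address is null-routed, while the victim's legitimate visitors get nothing until the route is removed.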
Bottom Line: Although effective in protecting other sites, the use of blackholing helps the hackers accomplish their task. The whole point of DDOS is to deny service. Taking a website offline and routing all traffic to a black hole does that. But as attacks increase in size, power and efficiency, more websites and service providers may have to employ it to protect the greater networks.
John Breeden II directs the GCN Lab.