ISPs have other options available that depend on routing changes, such as black hole filtering. Black hole filtering works by forwarding malicious traffic to an imaginary interface known as Null0 – similar to /dev/null on Unix machines. Since it’s not a valid interface, traffic routed to Null0 is essentially dropped. Moreover, this technique minimizes performance impact – a useful feature during the DDoS investigation so the rest of the network remains stable under the heavy load.
Here’s the simplest form of a black hole route:

```
Router(config)# int null0
Router(config-if)# no ip unreachables
Router(config-if)# exit
Router(config)# ip route 1.1.1.0 255.255.255.0 null0
```

The static route sends all traffic arriving on this router for that destination prefix (here 1.1.1.0/24) to the Null0 interface, in effect discarding it and sending it to the black hole. `no ip unreachables` stops the router from answering every discarded packet with an ICMP unreachable, which under attack volumes would be load of its own.
You could also redistribute this route into your dynamic routing protocol and have it sent to all other routers on your network. Then, all routers would send traffic to your router, and your router would drop that traffic.
Using your ISP's blackhole community you can stop some of the bad traffic before it reaches you. Imagine that the target IP of the DDoS is 1.2.3.4 and my AS is 1234. The transit provider is AS 1000 and its blackhole community is tagged with 666 (i.e. 1000:666).
On a Cisco router I may use the following to blackhole the traffic before it enters my network:
```
! static host route for the victim, tagged so the route-map below exports it
ip route 1.2.3.4 255.255.255.255 Null0 tag 666
!
router bgp 1234
 bgp router-id 1.2.3.4
 redistribute static route-map static-to-bgp
 ..
 ..
 ! the neighbor statements for transit AS 1000 (elided above) need send-community
!
route-map static-to-bgp permit 5
 match tag 666
 set community 1000:666 additive
!
```
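To make the two mechanisms concrete, here is a small Python model added for illustration; it is not code from the original post or from any vendor. It shows that a Null0 route discards only traffic whose longest-prefix match lands on that route, and that the `match tag` / `set community` route-map exports only the tagged static routes to the transit AS. The victim prefix, AS numbers, tag and community (1.2.3.4, AS 1234, AS 1000, 666, 1000:666) are the post's own; the other routes, next hops and packet destinations are constructed, and the "/32 only" export check reflects the common provider policy that blackhole announcements must be host routes, which you should confirm with your own transit provider.

```python
"""Model of remotely triggered black hole (RTBH) filtering: Null0 discard
plus tag-selected redistribution into BGP with a blackhole community."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: str            # interface name ("Null0") or an IPv4 next-hop address
    tag: Optional[int] = None


# Constructed RIB: a default route, the customer /24, the tagged /32 for the
# victim (from the post) and an untagged local-only black hole.
RIB: List[StaticRoute] = [
    StaticRoute(ipaddress.IPv4Network("0.0.0.0/0"), "10.0.0.1"),          # upstream
    StaticRoute(ipaddress.IPv4Network("1.2.3.0/24"), "192.0.2.1"),        # customer LAN
    StaticRoute(ipaddress.IPv4Network("1.2.3.4/32"), "Null0", tag=666),   # victim
    StaticRoute(ipaddress.IPv4Network("198.51.100.0/24"), "Null0"),       # local-only drop
]


def lookup(rib: List[StaticRoute], dst: str) -> Optional[StaticRoute]:
    """Longest-prefix match over the RIB; None when no route covers dst."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for r in rib:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def forward(rib: List[StaticRoute], dst: str) -> str:
    """What the router does with a packet for dst: discard, forward or no-route."""
    r = lookup(rib, dst)
    if r is None:
        return "no-route"
    if r.next_hop.lower() == "null0":
        return "discard"
    return f"forward via {r.next_hop}"


def redistribute_static(rib: List[StaticRoute], match_tag: int, community: str) -> List[dict]:
    """Model of `redistribute static route-map static-to-bgp` with
    `match tag <n>` / `set community <c> additive`: only statics carrying the
    tag are exported, each with the community attached."""
    return [
        {"prefix": str(r.prefix), "communities": [community]}
        for r in rib
        if r.tag == match_tag
    ]


def export_problems(announcements: List[dict]) -> List[str]:
    """Flag exports that a transit provider would typically refuse: blackhole
    announcements are normally accepted only as host routes (/32).
    Assumption: check against your own provider's published policy."""
    return [
        a["prefix"]
        for a in announcements
        if ipaddress.IPv4Network(a["prefix"]).prefixlen != 32
    ]


def render_ios_static(r: StaticRoute) -> str:
    """IOS `ip route` line for a static route, including the tag when set."""
    line = f"ip route {r.prefix.network_address} {r.prefix.netmask} {r.next_hop}"
    if r.tag is not None:
        line += f" tag {r.tag}"
    return line


if __name__ == "__main__":
    for dst in ("1.2.3.4", "1.2.3.5", "198.51.100.7", "8.8.8.8"):
        print(f"{dst:>14} -> {forward(RIB, dst)}")
    exports = redistribute_static(RIB, 666, "1000:666")
    print("exported to AS 1000:", exports)
    print("rejected exports:", export_problems(exports))
    print(render_ios_static(RIB[2]))
```

The point the model makes is that the tag, not the Null0 next hop, is what selects routes for export: the untagged 198.51.100.0/24 black hole stays local, while the tagged 1.2.3.4/32 is announced to the transit AS with 1000:666 so the provider drops the traffic at its edge, before it reaches AS 1234.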