Black hole (networking)
In
When examining the topology of the network, the black holes themselves are invisible, and can only be detected by monitoring the lost traffic; hence the name as astronomical black holes cannot be directly observed.
Dead addresses
The most common form of black hole is simply an IP address that specifies a host machine that is not running or an address to which no host has been assigned.
Even though TCP/IP provides a means of communicating the delivery failure back to the sender via ICMP, traffic destined for such addresses is often just dropped.
Note that a dead address will be undetectable only to protocols that are both connectionless and unreliable (e.g., UDP). Connection-oriented or reliable protocols (TCP, RUDP) will either fail to connect to a dead address or will fail to receive expected acknowledgements.
For IPv6, the black hole prefix is 100::/64.[1]
For
Firewalls and "stealth" ports
Most
Personal firewalls that do not respond to ICMP echo requests ("ping") have been designated by some vendors[3] as being in "stealth mode".
Despite this, in most networks the IP addresses of hosts with firewalls configured in this way are easily distinguished from invalid or otherwise unreachable IP addresses: on encountering the latter, a router will generally respond with an ICMP network unreachable or host unreachable error, whereas a "stealth" host produces no response at all. Network address translation (NAT), as used in home and office routers, is generally a more effective way of obscuring the layout of an internal network.
Black hole filtering
A null route or black hole route is a network route (routing table entry) that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering. The rest of this article deals with null routing in the Internet Protocol (IP).
Black hole filtering refers specifically to dropping packets at the routing level, usually using a routing protocol to implement the filtering on several routers at once, often dynamically to respond quickly to distributed denial-of-service attacks.
Remote Triggered Black Hole Filtering (RTBH) is a technique that provides the ability to drop undesirable traffic before it enters a protected network.[4] An Internet Exchange (IX) provider usually deploys this technology to help its members or participants filter such attacks.[5]
Null routes are typically configured with a special route flag; for example, the standard iproute2 command ip route allows setting the route types unreachable, blackhole and prohibit, all of which discard matching packets (they differ in whether, and with which ICMP error, the sender is notified). Alternatively, a null route can be implemented by forwarding packets to an illegal IP address such as 0.0.0.0, or to the loopback address.
Null routing has an advantage over classic firewalls since it is available on every potential network router (including all modern operating systems), and has virtually no performance impact. Due to the nature of high-bandwidth routers, null routing can often sustain higher throughput than conventional firewalls. For this reason, null routes are often used on high-performance core routers to mitigate large-scale denial-of-service attacks before the packets reach a bottleneck, thus avoiding collateral damage from DDoS attacks, although the target of the attack will be inaccessible to anyone. Blackhole filtering can also be abused by malicious attackers on compromised routers to filter out traffic destined to a certain address.
Routing typically only works on the
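Because a null route is both a mitigation tool and, on a compromised router, a way to cut a victim off, an operator should be able to list the null routes a Linux router currently holds and compare them with the prefixes that are supposed to be black-holed. The following is an added example (not code from the article or from iproute2) that parses the JSON output of `ip -json route show`, classifies the discarding route types named above, and audits them against an allow-list; it also builds the `ip route` command for installing or removing such a route. The sample routing-table JSON is constructed, and the assumed JSON shape (a `dst` key on every route, a `type` key only on non-unicast routes) is an assumption about iproute2's output.

```python
"""Audit Linux null routes (blackhole / unreachable / prohibit).

Hypothetical example, not from the article.  Assumes the JSON shape of
``ip -json route show``: each route is an object with a ``dst`` key and,
for non-unicast routes, a ``type`` key (unicast routes omit it).
"""
import ipaddress
import json
import subprocess

NULL_ROUTE_TYPES = {"blackhole", "unreachable", "prohibit"}

# Constructed sample of `ip -json route show` output for a small router.
SAMPLE_ROUTES_JSON = json.dumps([
    {"dst": "default", "gateway": "192.0.2.1", "dev": "eth0",
     "protocol": "static", "flags": []},
    {"dst": "192.0.2.0/24", "dev": "eth0", "protocol": "kernel",
     "scope": "link", "prefsrc": "192.0.2.10", "flags": []},
    {"type": "blackhole", "dst": "203.0.113.0/24", "flags": []},
    {"type": "unreachable", "dst": "198.51.100.77", "flags": []},
    {"type": "prohibit", "dst": "198.51.100.0/25", "flags": []},
])


def parse_null_routes(routes_json):
    """Return {normalised prefix: route type} for every discarding route.

    Hosts without a prefix length (e.g. "198.51.100.77") are normalised to a
    /32 or /128 so that comparisons below are exact.
    """
    result = {}
    for route in json.loads(routes_json):
        rtype = route.get("type", "unicast")
        if rtype in NULL_ROUTE_TYPES:
            net = ipaddress.ip_network(route["dst"], strict=False)
            result[str(net)] = rtype
    return result


def audit_null_routes(null_routes, allowed_prefixes):
    """Split null routes into expected and unexpected ones.

    A null route is expected if it equals, or lies inside, an allow-listed
    prefix (the prefixes currently under mitigation).  Anything else is
    flagged: an unexplained null route on a router is worth investigating,
    since it silently drops traffic for whatever it covers.
    """
    allowed = [ipaddress.ip_network(p, strict=False) for p in allowed_prefixes]
    expected, unexpected = {}, {}
    for prefix, rtype in null_routes.items():
        net = ipaddress.ip_network(prefix)
        # subnet_of() raises on mixed IP versions, so compare versions first.
        if any(net.version == a.version and net.subnet_of(a) for a in allowed):
            expected[prefix] = rtype
        else:
            unexpected[prefix] = rtype
    return expected, unexpected


def null_route_command(prefix, action="add", rtype="blackhole"):
    """Build the iproute2 command line for installing or removing a null route."""
    if rtype not in NULL_ROUTE_TYPES:
        raise ValueError(f"unsupported null route type: {rtype}")
    if action not in ("add", "del"):
        raise ValueError(f"unsupported action: {action}")
    net = ipaddress.ip_network(prefix, strict=False)
    family = "-6" if net.version == 6 else "-4"
    return ["ip", family, "route", action, rtype, str(net)]


def live_null_routes():
    """Read the running system's routing table (Linux with iproute2 only)."""
    out = subprocess.run(["ip", "-json", "route", "show"],
                         check=True, capture_output=True, text=True).stdout
    return parse_null_routes(out)


if __name__ == "__main__":
    routes = parse_null_routes(SAMPLE_ROUTES_JSON)
    ok, suspicious = audit_null_routes(routes, ["203.0.113.0/24", "198.51.100.64/26"])
    print("expected  :", ok)
    print("unexpected:", suspicious)
    for prefix in suspicious:
        print("to remove :", " ".join(null_route_command(prefix, "del", suspicious[prefix])))
```

Run against the constructed table, the `/24` blackhole and the `/32` unreachable route fall inside the allow-list, while the `198.51.100.0/25` prohibit route does not and is reported; `live_null_routes()` performs the same parse on a real Linux host.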
DNS-based Blackhole List
A DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is a list of
A DNSBL is a software mechanism, rather than a specific list or policy. There are dozens of DNSBLs in existence, system.
Since the creation of the first DNSBL in 1997, the operation and policies of these lists have been frequently controversial,[7][8] both in Internet advocacy and occasionally in lawsuits. Many email systems operators and users[9] consider DNSBLs a valuable tool to share information about sources of spam, but others including some prominent Internet activists have objected to them as a form of censorship.[10][11][12][13] In addition, a small number of DNSBL operators have been the target of lawsuits filed by spammers seeking to have the lists shut down altogether.[14]
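A DNSBL is consulted with an ordinary DNS query: the octets (for IPv6, the hex nibbles) of the address being checked are reversed and the list's zone is appended, and a listing is signalled by an A record in 127.0.0.0/8, whose last octets carry list-specific return codes (RFC 5782 documents this convention, including the test entries 127.0.0.2, which every list must contain, and 127.0.0.1, which none may). The block below is an added example, not code from the article or from any DNSBL operator: it builds the query name, interprets the answer, runs the RFC 5782 self-test, and is exercised offline through an injected resolver over a constructed zone `dnsbl.example`; the return-code table is constructed as well and does not describe any real list.

```python
"""DNSBL (Real-time Blackhole List) lookup and answer interpretation.

Hypothetical example, not from the article.  The resolver is injectable so
the block can run offline against constructed data; ``system_resolver``
uses the host's normal DNS when a real zone is supplied.
"""
import ipaddress
import socket

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")

# Constructed return-code map: every list defines its own codes, so an
# operator keeps a table like this per list.  These values are illustrative.
EXAMPLE_RETURN_CODES = {
    "127.0.0.2": "spam source",
    "127.0.0.3": "open relay or proxy",
    "127.0.0.10": "dynamic or residential address",
}


def dnsbl_query_name(address, zone):
    """Build the reversed-address query name: 203.0.113.9 -> 9.113.0.203.<zone>."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        # IPv6 lists use one label per hex nibble, reversed, as ip6.arpa does.
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.strip(".") + "."


def system_resolver(name):
    """Resolve name to IPv4 answers; [] when NXDOMAIN or unresolvable."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def make_fake_resolver(table):
    """Resolver backed by a dict of query name -> list of answer strings."""
    return lambda name: list(table.get(name, []))


def check_dnsbl(address, zone, resolver=system_resolver, return_codes=EXAMPLE_RETURN_CODES):
    """Query one list and explain the answer."""
    name = dnsbl_query_name(address, zone)
    answers = resolver(name)
    in_range = [a for a in answers if ipaddress.ip_address(a) in LISTING_RANGE]
    # Answers outside 127/8 are not listings; they usually mean the zone is
    # misconfigured or a wildcard is catching the query, so they are surfaced.
    out_of_range = [a for a in answers if a not in in_range]
    return {
        "query": name,
        "listed": bool(in_range),
        "reasons": [return_codes.get(a, f"unknown code {a}") for a in in_range],
        "unexpected_answers": out_of_range,
    }


def dnsbl_self_test(zone, resolver=system_resolver):
    """RFC 5782 sanity check: 127.0.0.2 must be listed, 127.0.0.1 must not be.

    Failing this means answers from the list cannot be trusted (for example
    the zone has been retired and now answers everything or nothing).
    """
    positive = check_dnsbl("127.0.0.2", zone, resolver)
    negative = check_dnsbl("127.0.0.1", zone, resolver)
    return positive["listed"] and not negative["listed"]


# Constructed zone data standing in for a DNSBL's DNS responses.
FAKE_ZONE = "dnsbl.example"
FAKE_DNS = {
    "2.0.0.127.dnsbl.example.": ["127.0.0.2"],                 # RFC 5782 test entry
    "9.113.0.203.dnsbl.example.": ["127.0.0.2"],
    "7.113.0.203.dnsbl.example.": ["127.0.0.2", "127.0.0.10"],
    "8.113.0.203.dnsbl.example.": ["127.0.0.4"],               # code not in our table
    "6.113.0.203.dnsbl.example.": ["192.0.2.50"],              # bogus non-127/8 answer
}
fake_resolver = make_fake_resolver(FAKE_DNS)


if __name__ == "__main__":
    print("self-test passes:", dnsbl_self_test(FAKE_ZONE, fake_resolver))
    for addr in ("203.0.113.9", "203.0.113.7", "203.0.113.8", "203.0.113.6", "198.51.100.5"):
        print(addr, check_dnsbl(addr, FAKE_ZONE, fake_resolver))
```

Running the self-test before trusting a list is the check most worth keeping: a retired zone that has started answering every query would otherwise look like a list that has every address on it.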
PMTUD black holes
Some firewalls incorrectly discard all ICMP packets, including the ones needed for
Black hole e-mail addresses
A black hole
See also
- Bit bucket
- DDoS
- Internet background noise
- IP blocking
- Null device
- Packet drop attack
References
- . Informational.
- .
- ^ Apple Inc., "About the Application Firewall"
- ^ "Blackhole" (PDF). cisco.com. Retrieved 25 June 2023.
- ^ "HKIX".
- ^ "DNS & RHS blackhole lists". Archived from the original on 21 March 2013. Retrieved 26 March 2013.
- . Informational.
- ^ "RBLMon.com: What are RBLs and How do they Work?". Archived from the original on 4 September 2017. Retrieved 26 March 2013.
- ^ "Revealing Botnet Membership Using DNSBL Counter-Intelligence" (PDF). Retrieved 26 March 2013.
- ^ "RBL Criticism". Retrieved 26 March 2013.
- ^ "Electronic Frontier Foundation, EFFector, Vol. 14, No. 31, Oct. 16, 2001". Retrieved 26 March 2013.
- ^ "Verio gags EFF founder over spam". The Register. Retrieved 26 March 2013.
- ^ "Choosing Spam over Censorship". Archived from the original on 21 April 2003. Retrieved 26 March 2013.
- ^ "EMarketersAmerica.org sues anti-spam groups". Retrieved 26 March 2013.
- ^ Exim internet mailer specification document, the Redirect router