Black hole (networking)

Last updated

In networking, a black hole refers to a place in the network where incoming or outgoing traffic is silently discarded (or "dropped"), without informing the source that the data did not reach its intended recipient.

Contents

When examining the topology of the network, the black holes themselves are invisible, and can only be detected by monitoring the lost traffic; hence the name as astronomical black holes cannot be directly observed.

Dead addresses

The most common form of black hole is simply an IP address that specifies a host machine that is not running or an address to which no host has been assigned.

Even though TCP/IP provides a means of communicating the delivery failure back to the sender via ICMP, traffic destined for such addresses is often just dropped.

Note that a dead address will be undetectable only to protocols that are both connectionless and unreliable (e.g., UDP). Connection-oriented or reliable protocols (TCP, RUDP) will either fail to connect to a dead address or will fail to receive expected acknowledgements.

For IPv6, the black hole prefix is 100::/64. [1]

For IPv4, no black hole address is explicitly defined, however the reserved IP addresses can help achieve a similar effect. For example, 198.51.100.0/24 is reserved for use in documentation and examples [2] ; while the RFC advises that the addresses in this range are not routed, this is not a requirement.

Firewalls and "stealth" ports

Most firewalls (and routers for household use) can be configured to silently discard packets addressed to forbidden hosts or ports, resulting in small or large "black holes" in the network.

Personal firewalls that do not respond to ICMP echo requests ("ping") have been designated by some vendors [3] as being in "stealth mode".

Despite this, in most networks the IP addresses of hosts with firewalls configured in this way are easily distinguished from invalid or otherwise unreachable IP addresses: On encountering the latter, a router will generally respond with an ICMP network rsp. host unreachable error. Network address translation (NAT), as used in home and office routers, is generally a more effective way of obscuring the layout of an internal network.[ citation needed ]

Black hole filtering

A null route or black hole route is a network route (routing table entry) that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering. The rest of this article deals with null routing in the Internet Protocol (IP).

Black hole filtering refers specifically to dropping packets at the routing level, usually using a routing protocol to implement the filtering on several routers at once, often dynamically to respond quickly to distributed denial-of-service attacks.

Remote Triggered Black Hole Filtering (RTBH) is a technique that provides the ability to drop undesirable traffic before it enters a protected network. [4] The Internet Exchange (IX) provider usually acquires this technology to help its members or participants to filter such attacks. [5]

Null routes are typically configured with a special route flag; for example, the standard iproute2 command ip route allows to set route types unreachable, blackhole, prohibit which discard packets. Alternatively, a null route can be implemented by forwarding packets to an illegal IP address such as 0.0.0.0, or the loopback address.

Null routing has an advantage over classic firewalls since it is available on every potential network router (including all modern operating systems), and adds virtually no performance impact. Due to the nature of high-bandwidth routers, null routing can often sustain higher throughput than conventional firewalls. For this reason, null routes are often used on high-performance core routers to mitigate large-scale denial-of-service attacks before the packets reach a bottleneck, thus avoiding collateral damage from DDoS attacks although the target of the attack will be inaccessible to anyone. Blackhole filtering can also be abused by malicious attackers on compromised routers to filter out traffic destined to a certain address.

Routing typically only works on the Internet Protocol layer and is very limited in packet classification. It is bound to be stateless due to the nature of IP routers. Typically, classification is limited to the destination IP address prefix, source IP address and incoming network interface.

DNS-based Blackhole List

A DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is a list of IP addresses published through the Internet Domain Name System (DNS) either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time. DNSBLs are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists. The term "Blackhole List" is sometimes interchanged with the term "blacklist" and "blocklist".

A DNSBL is a software mechanism, rather than a specific list or policy. There are dozens of DNSBLs in existence, [6] which use a wide array of criteria for listing and delisting of addresses. These may include listing the addresses of zombie computers or other machines being used to send spam, listing the addresses of ISPs who willingly host spammers, or listing addresses which have sent spam to a honeypot system.

Since the creation of the first DNSBL in 1997, the operation and policies of these lists have been frequently controversial, [7] [8] both in Internet advocacy and occasionally in lawsuits. Many email systems operators and users [9] consider DNSBLs a valuable tool to share information about sources of spam, but others including some prominent Internet activists have objected to them as a form of censorship. [10] [11] [12] [13] In addition, a small number of DNSBL operators have been the target of lawsuits filed by spammers seeking to have the lists shut down altogether. [14]

PMTUD black holes

Some firewalls incorrectly discard all ICMP packets, including the ones needed for Path MTU discovery to work correctly. This causes TCP connections from/to/through hosts with a lower MTU to hang.

Black hole e-mail addresses

A black hole [15] e-mail address is an e-mail address which is valid (messages sent to it will not generate errors), but all the received messages are automatically deleted, and never stored or seen by humans. These addresses are often used as return addresses for automated e-mails.

See also

Related Research Articles

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a client–server architecture.

The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communicating with another IP address. For example, an error is indicated when a requested service is not available or that a host or router could not be reached. ICMP differs from transport protocols such as TCP and UDP in that it is not typically used to exchange data between systems, nor is it regularly employed by end-user network applications.

<span class="mw-page-title-main">IPv4</span> Fourth version of the Internet Protocol

Internet Protocol version 4 (IPv4) is the first version of the Internet Protocol (IP) as a standalone specification. It is one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 was the first version deployed for production on SATNET in 1982 and on the ARPANET in January 1983. It is still used to route most Internet traffic today, even with the ongoing deployment of Internet Protocol version 6 (IPv6), its successor.

In computer networking, the maximum transmission unit (MTU) is the size of the largest protocol data unit (PDU) that can be communicated in a single network layer transaction. The MTU relates to, but is not identical to the maximum frame size that can be transported on the data link layer, e.g., Ethernet frame.

ping (networking utility) Network utility used to test the reachability of a host

ping is a computer network administration software utility used to test the reachability of a host on an Internet Protocol (IP) network. It is available for virtually all operating systems that have networking capability, including most embedded network administration software.

<span class="mw-page-title-main">Network address translation</span> Technique for making connections between IP address spaces

Network address translation (NAT) is a method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used to bypass the need to assign a new address to every host when a network was moved, or when the upstream Internet service provider was replaced, but could not route the network's address space. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network.

A Domain Name System blocklist, Domain Name System-based blackhole list, Domain Name System blacklist (DNSBL) or real-time blackhole list (RBL) is a service for operation of mail servers to perform a check via a Domain Name System (DNS) query whether a sending host's IP address is blacklisted for email spam. Most mail server software can be configured to check such lists, typically rejecting or flagging messages from such sites.

A Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on.

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server. SOCKS5 optionally provides authentication so only authorized users may access a server. Practically, a SOCKS server proxies TCP connections to an arbitrary IP address, and provides a means for UDP packets to be forwarded. A SOCKS server accepts incoming client connection on TCP port 1080, as defined in RFC 1928.

<span class="mw-page-title-main">Anycast</span> Network addressing and routing methodology

Anycast is a network addressing and routing methodology in which a single IP address is shared by devices in multiple locations. Routers direct packets addressed to this destination to the location nearest the sender, using their normal decision-making algorithms, typically the lowest number of BGP network hops. Anycast routing is widely used by content delivery networks such as web and name servers, to bring their content closer to end users.

A port scanner is an application designed to probe a server or host for open ports. Such an application may be used by administrators to verify security policies of their networks and by attackers to identify network services running on a host and exploit vulnerabilities.

In Internet networking, a private network is a computer network that uses a private address space of IP addresses. These addresses are commonly used for local area networks (LANs) in residential, office, and enterprise environments. Both the IPv4 and the IPv6 specifications define private IP address ranges.

In computer networking, the default route is a configuration of the Internet Protocol (IP) that establishes a forwarding rule for packets when no specific address of a next-hop host is available from the routing table or other routing mechanisms.

The Neighbor Discovery Protocol (NDP), or simply Neighbor Discovery (ND), is a protocol of the Internet protocol suite used with Internet Protocol Version 6 (IPv6). It operates at the internet layer of the Internet model, and is responsible for gathering various information required for network communication, including the configuration of local connections and the domain name servers and gateways.

A UDP flood attack is a volumetric denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol.

Path MTU Discovery (PMTUD) is a standardized technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in Internet Protocol Version 4 (IPv4). However, all modern operating systems use it on endpoints. In IPv6, this function has been explicitly delegated to the end points of a communications session. As an extension to the standard path MTU discovery, a technique called Packetization Layer Path MTU Discovery works without support from ICMP.

An IPv6 transition mechanism is a technology that facilitates the transitioning of the Internet from the Internet Protocol version 4 (IPv4) infrastructure in use since 1983 to the successor addressing and routing system of Internet Protocol Version 6 (IPv6). As IPv4 and IPv6 networks are not directly interoperable, transition technologies are designed to permit hosts on either network type to communicate with any other host.

<span class="mw-page-title-main">IPv6 address</span> Label to identify a network interface of a computer or other network node

An Internet Protocol version 6 address is a numeric label that is used to identify and locate a network interface of a computer or a network node participating in a computer network using IPv6. IP addresses are included in the packet header to indicate the source and the destination of each packet. The IP address of the destination is used to make decisions about routing IP packets to other networks.

Port Control Protocol (PCP) is a computer networking protocol that allows hosts on IPv4 or IPv6 networks to control how the incoming IPv4 or IPv6 packets are translated and forwarded by an upstream router that performs network address translation (NAT) or packet filtering. By allowing hosts to create explicit port forwarding rules, handling of the network traffic can be easily configured to make hosts placed behind NATs or firewalls reachable from the rest of the Internet, which is a requirement for many applications.

The BlackNurse attack is a form of denial of service attack based on ICMP flooding. The attack is special because a modest bandwidth of 20 Mbit/s can be effective for disrupting a victim's network.

References

  1. N. Hilliard; D. Freedman (August 2012). A Discard Prefix for IPv6. Internet Engineering Task Force. doi: 10.17487/RFC6666 . ISSN   2070-1721. RFC 6666.Informational.
  2. J. Arkko; M. Cotton; L. Vegoda (January 2010). IPv4 Address Blocks Reserved for Documentation. Internet Engineering Task Force. doi: 10.17487/RFC5737 . ISSN   2070-1721. RFC 5737.Informational. Updates RFC  1166.
  3. Apple Inc., botXhacker" "About the Application Firewall"
  4. "Blackhole" (PDF). cisco.com. Retrieved 25 June 2023.
  5. "HKIX".
  6. "DNS & RHS blackhole lists". Archived from the original on 21 March 2013. Retrieved 26 March 2013.{{cite web}}: CS1 maint: unfit URL (link)
  7. C. Lewis; M. Sergeant (January 2012). Overview of Best Email DNS-Based List (DNSBL) Operational Practices. Internet Research Task Force (IRTF). doi: 10.17487/RFC6471 . ISSN   2070-1721. RFC 6471.Informational.
  8. "RBLMon.com: What are RBLs and How do they Work?". Archived from the original on 4 September 2017. Retrieved 26 March 2013.
  9. "Revealing Botnet Membership Using DNSBL Counter-Intelligence" (PDF). Retrieved 26 March 2013.
  10. "RBL Criticism". 11 February 2008. Retrieved 26 March 2013.
  11. "Electronic Frontier Foundation, EFFector, Vol. 14, No. 31, Oct. 16, 2001". 12 January 2012. Retrieved 26 March 2013.
  12. "Verio gags EFF founder over spam". The Register . Retrieved 26 March 2013.
  13. "Choosing Spam over Censorship". Archived from the original on 21 April 2003. Retrieved 26 March 2013.
  14. "EMarketersAmerica.org sues anti-spam groups" . Retrieved 26 March 2013.
  15. Exim internet mailer specification document,the Redirect router