
Black hole (networking)

In networking, a black hole refers to a place in the network where incoming or outgoing traffic is silently discarded (or "dropped"), without the source being informed that the data did not reach its intended recipient.

Black holes are invisible when you examine the topology of the network; they can only be detected by monitoring for the lost traffic. Hence the name: an astronomical black hole likewise cannot be observed directly, only inferred from its effect on its surroundings.

Dead addresses

The most common form of black hole is simply an IP address that specifies a host machine that is not running or an address to which no host has been assigned.

Even though TCP/IP provides a means of reporting the delivery failure back to the sender (an ICMP Destination Unreachable message), traffic destined for such addresses is often just dropped.

Note that a dead address goes undetected only by protocols that are both connectionless and unreliable (e.g., UDP). Connection-oriented or reliable protocols (TCP, RUDP) will notice it: they either fail to connect to the dead address or stop receiving the acknowledgements they expect.

For IPv6, the black hole prefix is 100::/64.[1]

For IPv4, no black hole address is explicitly defined; however, the reserved address blocks can achieve a similar effect. For example, 198.51.100.0/24 (TEST-NET-2) is reserved for use in documentation and examples.[2] The RFC advises that addresses in this range should not appear on the public Internet, but nothing requires operators to null-route them.

Firewalls and "stealth" ports

Most firewalls (and routers for household use) can be configured to silently discard packets addressed to forbidden hosts or ports, resulting in small or large "black holes" in the network.

Personal firewalls that do not respond to ICMP echo requests ("ping") have been designated by some vendors[3] as being in "stealth mode".

Despite this, in most networks the IP addresses of hosts with firewalls configured this way are easily distinguished from invalid or otherwise unreachable IP addresses: on encountering the latter, a router will generally respond with an ICMP network unreachable or host unreachable error, whereas a "stealth" host produces only silence. Network address translation (NAT), as used in home and office routers, is generally a more effective way of obscuring the layout of an internal network.[citation needed]

Black hole filtering

A null route or black hole route is a network route (routing table entry) that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering. The rest of this article deals with null routing in the Internet Protocol (IP).

Black hole filtering refers specifically to dropping packets at the routing level, usually using a routing protocol to implement the filtering on several routers at once, often dynamically to respond quickly to distributed denial-of-service attacks.

Remote Triggered Black Hole Filtering (RTBH) is a technique that lets an operator drop undesirable traffic before it enters the protected network, typically by announcing a route for the attacked address over BGP whose next hop every edge router has been pre-configured to discard.[4] Internet Exchange (IX) operators often offer this capability to help their members or participants filter such attacks.[5]

Null routes are typically configured with a special route flag; for example, the standard iproute2 command ip route lets you set the route types unreachable, blackhole and prohibit, all of which discard matching packets (blackhole silently, unreachable with an ICMP host unreachable error, prohibit with an ICMP administratively prohibited error). Alternatively, a null route can be implemented by forwarding packets to an illegal IP address such as 0.0.0.0, or to the loopback address.

Null routing has an advantage over classic firewalls in that it is available on every potential network router (including all modern operating systems) and adds virtually no performance overhead. Because of the way high-bandwidth routers are built, null routing can often sustain higher throughput than conventional firewalls. For this reason, null routes are often used on high-performance core routers to mitigate large-scale denial-of-service attacks before the packets reach a bottleneck, which avoids collateral damage to other customers, although the target of the attack itself becomes inaccessible to everyone. Blackhole filtering can also be abused by attackers who have compromised a router, to discard traffic destined for a chosen address.

Routing typically works only at the Internet Protocol layer and offers very limited packet classification. It is necessarily stateless, given how IP routers work. Typically, classification is limited to the destination IP address prefix, the source IP address and the incoming network interface.
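The following simulation is an added example, not code from this article or from any router vendor. It models a longest-prefix routing table with the three iproute2 discard route types and recursive next-hop resolution, which is the mechanism RTBH relies on: the trigger announces a host route for the victim whose next hop (here 192.0.2.1, an assumed convention drawn from the RFC 5737 documentation range) already resolves to a blackhole on every edge router. It also shows the contrast from the firewall section above between a silent drop and a drop that tells the sender. All addresses are constructed from documentation ranges.

```python
"""Longest-prefix routing table with the iproute2 discard route types
(blackhole, unreachable, prohibit) and recursive next-hop resolution,
the mechanism behind remotely triggered black hole (RTBH) filtering.

Added illustrative example; not code from the article or any vendor.
Addresses come from the RFC 5737 / RFC 3849 documentation ranges.
Using 192.0.2.1 as the discard next hop is an assumed convention."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
DISCARD_NEXT_HOP = "192.0.2.1"   # assumed RTBH discard next hop


@dataclass(frozen=True)
class Route:
    prefix: Net
    kind: str                        # "unicast", "blackhole", "unreachable" or "prohibit"
    next_hop: Optional[str] = None   # unicast only: recursive next hop
    iface: Optional[str] = None      # unicast only: directly connected interface


class Router:
    """Stateless forwarding decision on the destination address only,
    like a plain IP router (no ports, no connection state)."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, kind: str = "unicast",
            next_hop: Optional[str] = None, iface: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), kind, next_hop, iface))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest prefix match; None if no route covers dst."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if r.prefix.version == addr.version and addr in r.prefix:
                if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                    best = r
        return best

    def forward(self, dst: str, _depth: int = 0) -> Tuple[str, Optional[str]]:
        """Fate of a packet for dst: ("forward", iface) or ("drop", icmp).
        icmp is None for a silent drop, i.e. a black hole."""
        r = self.lookup(dst)
        if r is None:
            return ("drop", "ICMP net unreachable")     # no route: the sender is told
        if r.kind == "blackhole":
            return ("drop", None)                        # silent discard
        if r.kind == "unreachable":
            return ("drop", "ICMP host unreachable")
        if r.kind == "prohibit":
            return ("drop", "ICMP admin prohibited")
        if r.iface is not None:
            return ("forward", r.iface)
        if _depth > 8 or r.next_hop is None:
            return ("drop", None)                        # unresolvable next hop
        # Recursive next hop: the packet's fate is the fate of its next hop.
        return self.forward(r.next_hop, _depth + 1)


def build_edge_router() -> Router:
    """Edge router as provisioned before any attack: normal routes, the
    RFC 6666 IPv6 discard prefix, and a pre-installed blackhole for the
    RTBH discard next hop. Two noisy discard types are added for contrast."""
    r = Router()
    r.add("0.0.0.0/0", next_hop="198.51.100.1")         # default via the upstream
    r.add("198.51.100.0/24", iface="eth0")               # upstream link
    r.add("203.0.113.0/24", iface="eth1")                # customer network
    r.add("100::/64", kind="blackhole")                  # RFC 6666 discard-only prefix
    r.add(DISCARD_NEXT_HOP + "/32", kind="blackhole")    # RTBH discard next hop
    r.add("203.0.113.64/26", kind="unreachable")         # drops, but tells the sender
    r.add("203.0.113.128/26", kind="prohibit")
    return r


def trigger_rtbh(router: Router, victim: str) -> None:
    """What the trigger router's BGP announcement does on each edge router:
    install a host route for the victim pointing at the discard next hop.
    No new discard route is needed; only the next hop matters."""
    router.add(victim + "/32", next_hop=DISCARD_NEXT_HOP)


def rtbh_demo(victim: str = "203.0.113.10"):
    """Forwarding decision for the victim before and after the trigger."""
    r = build_edge_router()
    before = r.forward(victim)    # ("forward", "eth1")
    trigger_rtbh(r, victim)
    after = r.forward(victim)     # ("drop", None): unreachable for everyone
    return before, after


if __name__ == "__main__":
    print(rtbh_demo())
```

The blackhole route for 192.0.2.1/32 is installed once, in advance; the mitigation itself is just a routing update, which is why it can be pushed to many routers at once and withdrawn as quickly.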

DNS-based Blackhole List

A DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is a list of IP addresses published through the Internet Domain Name System (DNS), either as a zone file that can be loaded by DNS server software or as a live DNS zone that can be queried in real time. DNSBLs are most often used to publish the addresses of computers or networks linked to spamming; most mail server software can be configured to reject or flag messages sent from a site listed on one or more such lists. The term "Blackhole List" is sometimes used interchangeably with "blacklist" and "blocklist".

A DNSBL is a software mechanism, rather than a specific list or policy. There are dozens of DNSBLs in existence,[6] which use a wide array of criteria for listing and delisting of addresses. These may include listing the addresses of zombie computers or other machines being used to send spam, listing the addresses of ISPs who willingly host spammers, or listing addresses which have sent spam to a honeypot system.
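As an added example (not code from the article or from any DNSBL operator), here is how a mail server consumes such a list: the client address is reversed into a query name under the zone, the zone is queried, and any A record inside 127.0.0.0/8 means "listed". The zone name dnsbl.example, the meanings of its return codes and the stub answers are all constructed for the example; the live resolver path uses the standard socket library. The sanity check is the one a practitioner wants before trusting a list: a zone that has died answers nothing, and one whose domain has expired and been wildcarded answers for every address.

```python
"""DNSBL client: reversed query-name construction for IPv4 and IPv6,
answer interpretation, and a liveness check on the zone.

Added illustrative example; not code from the article or any DNSBL
operator. dnsbl.example, its return codes and the stub zone below are
constructed for the example."""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """'192.0.2.99' in dnsbl.example -> '99.2.0.192.dnsbl.example.'
    IPv6 addresses use 32 reversed nibble labels, as under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def live_resolver(name: str) -> List[str]:
    """A records for name; [] on NXDOMAIN, the usual 'not listed' answer."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def classify(answers: List[str]) -> Tuple[str, List[str]]:
    """Legitimate DNSBL answers live inside 127.0.0.0/8. Anything else
    usually means the zone's domain lapsed and now wildcards to a parking
    address; trusting that would reject mail from the whole Internet."""
    if not answers:
        return ("not_listed", [])
    loopback = ipaddress.ip_network("127.0.0.0/8")
    if all(ipaddress.ip_address(a) in loopback for a in answers):
        return ("listed", answers)
    return ("invalid", answers)


def zone_is_sane(zone: str, resolve: Resolver) -> bool:
    """Self-test: 127.0.0.2 must be listed and 127.0.0.1 must not be."""
    return (classify(resolve(dnsbl_query_name("127.0.0.2", zone)))[0] == "listed"
            and classify(resolve(dnsbl_query_name("127.0.0.1", zone)))[0] == "not_listed")


def check_sender(ip: str, zone: str, resolve: Resolver = live_resolver) -> str:
    """Decision for a connecting SMTP client: 'reject' or 'accept'."""
    if not zone_is_sane(zone, resolve):
        return "accept"            # fail open rather than trust a broken list
    verdict, _codes = classify(resolve(dnsbl_query_name(ip, zone)))
    return "reject" if verdict == "listed" else "accept"


# Constructed stub zone standing in for a live DNSBL (runs offline).
STUB_ZONE: Dict[str, List[str]] = {
    "2.0.0.127.dnsbl.example.": ["127.0.0.2"],                  # self-test entry
    "99.2.0.192.dnsbl.example.": ["127.0.0.2", "127.0.0.4"],    # a listed address
}


def stub_resolver(name: str) -> List[str]:
    return STUB_ZONE.get(name, [])


if __name__ == "__main__":
    for client in ("192.0.2.99", "198.51.100.7"):
        print(client, check_sender(client, "dnsbl.example", stub_resolver))
```

Failing open when the zone does not pass the self-test is a policy choice; the alternative, failing closed, turns a dead or hijacked list into a self-inflicted mail outage.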

Since the creation of the first DNSBL in 1997, the operation and policies of these lists have been frequently controversial,[7][8] both in Internet advocacy and occasionally in lawsuits. Many email systems operators and users[9] consider DNSBLs a valuable tool to share information about sources of spam, but others including some prominent Internet activists have objected to them as a form of censorship.[10][11][12][13] In addition, a small number of DNSBL operators have been the target of lawsuits filed by spammers seeking to have the lists shut down altogether.[14]

PMTUD black holes

Some firewalls incorrectly discard all ICMP packets, including the ICMP Destination Unreachable / Fragmentation Needed (type 3, code 4) and ICMPv6 Packet Too Big messages that Path MTU discovery depends on. Because TCP sends its segments with the Don't Fragment bit set, the only way a router can report that a segment is too large for the next link is that ICMP message; if a firewall swallows it, the sender never learns to shrink its segments and simply keeps retransmitting. The result is that TCP connections from, to or through hosts behind a lower MTU hang, typically after the handshake and small requests have succeeded and the first full-sized segment is sent.
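The simulation below is an added example, not code from the article or from any TCP implementation. It runs a DF-bit transfer across a path with a 1400-byte link in the middle, once with the ICMP report passing and once with a firewall discarding it, and shows the symptom (small payloads succeed, the first full-sized segment hangs) and the fallback a TCP stack can apply once it suspects a black hole. The link MTUs, retry budget and 536-byte fallback MSS are constructed parameters.

```python
"""Path MTU discovery with and without a firewall that discards the
ICMP Fragmentation Needed messages it depends on.

Added illustrative simulation; not code from the article or any TCP
stack. Link MTUs, retry budget and fallback MSS are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HDR = 40            # IPv4 + TCP headers, no options
LOCAL_MTU = 1500    # sender's link, so it starts with MSS 1460
FALLBACK_MSS = 536  # conservative MSS tried once a black hole is suspected


@dataclass
class Path:
    link_mtus: List[int]   # MTU of each hop in order, e.g. [1500, 1400, 1500]
    drop_all_icmp: bool    # the misconfigured firewall

    def send(self, size: int) -> Tuple[str, Optional[int]]:
        """Carry one DF-bit packet. Returns ("delivered", None),
        ("icmp", next_hop_mtu) when a router reports Fragmentation Needed,
        or ("blackholed", None) when that report is silently discarded."""
        for mtu in self.link_mtus:
            if size > mtu:
                return ("blackholed", None) if self.drop_all_icmp else ("icmp", mtu)
        return ("delivered", None)


def pmtud_transfer(path: Path, payload: int, max_retries: int = 6,
                   mtu_probing: bool = False) -> Tuple[str, int, int]:
    """Get the first segment of a payload-byte transfer across the path.
    Returns (outcome, final_mss, attempts); outcome is "ok" or "hang"."""
    mss = LOCAL_MTU - HDR
    attempts = retries = 0
    while True:
        attempts += 1
        outcome, hop_mtu = path.send(min(payload, mss) + HDR)
        if outcome == "delivered":
            return ("ok", mss, attempts)
        if outcome == "icmp":
            mss = hop_mtu - HDR            # honour the advertised next-hop MTU
            continue
        retries += 1                       # silence: TCP just retransmits
        if retries < max_retries:
            continue
        if mtu_probing and mss > FALLBACK_MSS:
            mss, retries = FALLBACK_MSS, 0  # black hole suspected: go small
            continue
        return ("hang", mss, attempts)


if __name__ == "__main__":
    good = Path([1500, 1400, 1500], drop_all_icmp=False)
    bad = Path([1500, 1400, 1500], drop_all_icmp=True)
    print("ICMP passes, large transfer:", pmtud_transfer(good, 10000))
    print("ICMP dropped, small request:", pmtud_transfer(bad, 100))
    print("ICMP dropped, large transfer:", pmtud_transfer(bad, 10000))
    print("ICMP dropped, with probing:", pmtud_transfer(bad, 10000, mtu_probing=True))
```

The fix on the firewall side is to permit ICMP type 3 code 4 and ICMPv6 Packet Too Big rather than blocking ICMP wholesale; the fallback shown here only works around the damage at a cost in throughput.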

Black hole e-mail addresses

A black hole e-mail address[15] is an e-mail address that is valid (messages sent to it do not generate errors or bounces), but all messages it receives are automatically deleted, never stored or read by a human. Such addresses are often used as return addresses for automated e-mail.

See also

  • Bit bucket
  • DDoS
  • Internet background noise
  • IP blocking
  • Null device
  • Packet drop attack

References

  1. ^ N. Hilliard; D. Freedman (August 2012). A Discard Prefix for IPv6. Internet Engineering Task Force. doi:10.17487/RFC6666. ISSN 2070-1721. RFC 6666. Informational.
  2. ^ J. Arkko; M. Cotton; L. Vegoda (January 2010). IPv4 Address Blocks Reserved for Documentation. Internet Engineering Task Force. doi:10.17487/RFC5737. ISSN 2070-1721. RFC 5737. Informational. Updates RFC 1166.
  3. ^ Apple Inc. "About the Application Firewall".
  4. ^ "Blackhole" (PDF). cisco.com. Retrieved 25 June 2023.
  5. ^ "HKIX".
  6. ^ "DNS & RHS blackhole lists". Archived from the original on 21 March 2013. Retrieved 26 March 2013.
  7. ^ C. Lewis; M. Sergeant (January 2012). Overview of Best Email DNS-Based List (DNSBL) Operational Practices. Internet Research Task Force (IRTF). doi:10.17487/RFC6471. ISSN 2070-1721. RFC 6471. Informational.
  8. ^ "RBLMon.com: What are RBLs and How do they Work". Archived from the original on 4 September 2017. Retrieved 26 March 2013.
  9. ^ "Revealing Botnet Membership Using DNSBL Counter-Intelligence" (PDF). Retrieved 26 March 2013.
  10. ^ "RBL Criticism". Retrieved 26 March 2013.
  11. ^ "Electronic Frontier Foundation, EFFector, Vol. 14, No. 31, Oct. 16, 2001". Retrieved 26 March 2013.
  12. ^ "Verio gags EFF founder over spam". The Register. Retrieved 26 March 2013.
  13. ^ "Choosing Spam over Censorship". Archived from the original on 21 April 2003. Retrieved 26 March 2013.
  14. ^ "EMarketersAmerica.org sues anti-spam groups". Retrieved 26 March 2013.
  15. ^ Exim internet mailer specification document, the Redirect router.

External links

  • Remotely triggered black hole filtering (Cisco Systems)
  • University of Washington blackhole monitor lookup system
  • Tools for detecting a blackhole attack in an ad hoc wireless network
  • Remote Triggered Black Hole Filtering
