In networking, a black hole refers to a place in the network where incoming or outgoing

traffic Traffic comprises pedestrians, vehicles, ridden or herded animals, trains, and other conveyances that use public ways (roads) for travel and transportation. Traffic laws govern and regulate traffic, while rules of the road include traffi ...

is silently discarded (or "dropped"), without informing the source that the data did not reach its intended recipient. When examining the topology of the network, the black holes themselves are invisible, and can only be detected by monitoring the lost traffic; hence the name as astronomical Black holes cannot be directly observed.

Dead addresses

The most common form of black hole is simply an

IP address An Internet Protocol address (IP address) is a numerical label such as that is connected to a computer network that uses the Internet Protocol for communication.. Updated by . An IP address serves two main functions: network interface ident ...

that specifies a host machine that is not running or an address to which no host has been assigned. Even though

TCP/IP The Internet protocol suite, commonly known as TCP/IP, is a framework for organizing the set of communication protocols used in the Internet and similar computer networks according to functional criteria. The foundational protocols in the suit ...

provides a means of communicating the delivery failure back to the sender via ICMP, traffic destined for such addresses is often just dropped. Note that a dead address will be undetectable only to protocols that are both connectionless and unreliable (e.g., UDP). Connection-oriented or reliable protocols (TCP, RUDP) will either fail to connect to a dead address or will fail to receive expected acknowledgements. For

IPv6 Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv ...

, the black hole prefix is described by . For IPv4, no black hole address is explicitly defined, however the reserved IP addresses can help achieve a similar effect. For example, is reserved for use in documentation and examples by ; while the RFC advises that the addresses in this range are not routed, this is not a requirement.

Firewalls and "stealth" ports

Most

firewall Firewall may refer to: * Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts * Firewall (construction), a barrier inside a building, designed to limit the spr ...

s (and routers for household use) can be configured to silently discard

packet Packet may refer to: * A small container or pouch ** Packet (container), a small single use container ** Cigarette packet ** Sugar packet * Network packet, a formatted unit of data carried by a packet-mode computer network * Packet radio, a fo ...

s addressed to forbidden hosts or ports, resulting in small or large "black holes" in the network.

Personal firewall A personal firewall is an application which controls network traffic to and from a computer, permitting or denying communications based on a security policy. Typically it works as an application layer firewall. A personal firewall differs from ...

s that do not respond to ICMP echo requests ("ping") have been designated by some vendors as being in "stealth mode". Despite this, in most networks the IP addresses of hosts with firewalls configured in this way are easily distinguished from invalid or otherwise unreachable IP addresses: On encountering the latter, a router will generally respond with an ICMP network rsp. host unreachable error. Network address translation (NAT), as used in home and office routers, is generally a more effective way of obscuring the layout of an internal network.

Black hole filtering

A null route or black hole route is a network route (

routing table In computer networking, a routing table, or routing information base (RIB), is a data table stored in a router or a network host that lists the routes to particular network destinations, and in some cases, metrics (distances) associated with th ...

entry) that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited

. The act of using null routes is often called blackhole filtering. The rest of this article deals with null routing in the

Internet Protocol The Internet Protocol (IP) is the network layer communications protocol in the Internet protocol suite for relaying datagrams across network boundaries. Its routing function enables internetworking, and essentially establishes the Internet. ...

(IP). Black hole filtering refers specifically to dropping packets at the routing level, usually using a

routing protocol A routing protocol specifies how routers communicate with each other to distribute information that enables them to select routes between nodes on a computer network. Routers perform the traffic directing functions on the Internet; data packets ...

to implement the filtering on several routers at once, often dynamically to respond quickly to distributed

denial-of-service attack In computing, a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host conn ...

s. Remote Triggered Black Hole Filtering (RTBH) is a technique that provides the ability to drop undesirable traffic before it enters a protected network. The Internet Exchange (IX) provider usually acquires this technology to help its members or participants to filter such attack Null routes are typically configured with a special route flag, but can also be implemented by forwarding packets to an illegal

such as , or the

loopback address In computer networking, localhost is a hostname that refers to the current device used to access it. It is used to access the network services that are running on the host via the loopback network interface. Using the loopback interface bypasses a ...

. Null routing has an advantage over classic firewalls since it is available on every potential

network router A router is a networking device that forwards data packets between computer networks. Routers perform the traffic directing functions between networks and on the global Internet. Data sent through a network, such as a web page or email, is i ...

(including all modern operating systems), and adds virtually no performance impact. Due to the nature of high-bandwidth routers, null routing can often sustain higher throughput than conventional firewalls. For this reason, null routes are often used on high-performance

core router A core router is a router designed to operate in the Internet backbone, or core. To fulfill this role, a router must be able to support multiple telecommunications interfaces of the highest speed in use in the core Internet and must be able to f ...

s to mitigate large-scale

s before the packets reach a

bottleneck Bottleneck literally refers to the narrowed portion (neck) of a bottle near its opening, which limit the rate of outflow, and may describe any object of a similar shape. The literal neck of a bottle was originally used to play what is now known as ...

, thus avoiding

collateral damage Collateral damage is any death, injury, or other damage inflicted that is an incidental result of an activity. Originally coined by military operations, it is now also used in non-military contexts. Since the development of precision guided ...

from DDoS attacks — although the target of the attack will be inaccessible to anyone. Blackhole filtering can also be abused by malicious attackers on compromised routers to filter out traffic destined to a certain address. Routing typically only works on the

layer and is very limited in packet classification. It is bound to be stateless due to the nature of IP routers. Typically, classification is limited to the destination IP address prefix, source

and incoming network interface.

DNS-based Blackhole List

A DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is a list of

es published through the Internet

Domain Name System The Domain Name System (DNS) is a hierarchical and distributed naming system for computers, services, and other resources in the Internet or other Internet Protocol (IP) networks. It associates various information with domain names assigned t ...

(DNS) either as a zone file that can be used by DNS server software, or as a live DNS zone that can be queried in real-time. DNSBLs are most often used to publish the addresses of computers or networks linked to

spamming Spamming is the use of messaging systems to send multiple unsolicited messages (spam) to large numbers of recipients for the purpose of commercial advertising, for the purpose of non-commercial proselytizing, for any prohibited purpose (especia ...

; most

mail server Within the Internet email system, a message transfer agent (MTA), or mail transfer agent, or mail relay is software that transfers electronic mail messages from one computer to another using SMTP. The terms mail server, mail exchanger, and MX host ...

software can be configured to reject or flag messages which have been sent from a site listed on one or more such lists. The term "Blackhole List" is sometimes interchanged with the term "blacklist" and "blocklist". A DNSBL is a software mechanism, rather than a specific list or policy. There are dozens of DNSBLs in existence, which use a wide array of criteria for listing and delisting of addresses. These may include listing the addresses of

zombie computer In computing, a zombie is a computer connected to the Internet that has been compromised by a hacker via a computer virus, computer worm, or trojan horse program and can be used to perform malicious tasks under the remote direction of the hac ...

s or other machines being used to send spam, listing the addresses of

ISP An Internet service provider (ISP) is an organization that provides services for accessing, using, or participating in the Internet. ISPs can be organized in various forms, such as commercial, community-owned, non-profit, or otherwise private ...

s who willingly host spammers, or listing addresses which have sent spam to a honeypot system. Since the creation of the first DNSBL in 1997, the operation and policies of these lists have been frequently controversial, both in Internet advocacy and occasionally in lawsuits. Many email systems operators and users consider DNSBLs a valuable tool to share information about sources of spam, but others including some prominent Internet activists have objected to them as a form of censorship. In addition, a small number of DNSBL operators have been the target of lawsuits filed by spammers seeking to have the lists shut down altogether.

PMTUD black holes

Some firewalls incorrectly discard all ICMP packets, including the ones needed for

Path MTU discovery Path MTU Discovery (PMTUD) is a standardized technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentat ...

to work correctly. This causes TCP connections from/to/through hosts with a lower MTU to hang.

Black hole e-mail addresses

A black holeExim internet mailer specification documen
the Redirect router
/ref> e-mail address is an e-mail address which is valid (messages sent to it will not generate errors), but all the received messages are automatically deleted, and never stored or seen by humans. These addresses are often used as return addresses for automated e-mails.

References

{{reflist

External links

Remotely triggered black hole filtering (Cisco Systems)

University of Washington blackhole monitor/lookup system

Tools for detecting a blackhole attack in an ad hoc wireless network

Remote Triggered Black Hole Filtering
Computer network security Packets (information technology) Routing Blacklisting