What is a null-route? How does NFO use them?
Posted: Tue Sep 02, 2014 3:31 pm
When an IP address is "null-routed", all traffic is locally blocked to that IP address, and the instruction to block all traffic is sent to upstream providers so that they do the same (whenever possible) through "Remotely Triggered Black Hole" (RTBH) advertisements. This prevents traffic to that IP address from touching NFO's network, and it prevents it from touching networks of our providers (and/or causes it to be dropped at their network edge).
Null-routes are very big deal and we take them seriously. They are only used here as an emergency stopgap measure during a flood-type Distributed Denial of Service attack (DDoS) that causes NFO's links to an upstream to be saturated, causes one or more of an upstream's links to its upstream providers (or its own internal ones) to be saturated, or causes NFO's router to be overloaded. In such events, the attack leads to packets being dropped for all customers at the same location, and the null-route is the only way to immediately stop the collateral damage. We have a system here that detects the packet loss and automatically implements null-routes, allowing them to occur quickly and limit the damage as much as possible.
Events that require null-routes are relatively rare. For most attacks, NFO's links to upstreams are large enough that we can absorb the attack traffic and filter it for our customers, avoiding the need for such a drastic event. When an emergency null-route is required, it is put in place for a limited time.
Every automatic null-route is fully investigated by NFO after it has been put in place to confirm that it was truly necessary and to determine what we can do to help the customer avoid them in the future. Steps that we frequently take include:
Null-routes are very big deal and we take them seriously. They are only used here as an emergency stopgap measure during a flood-type Distributed Denial of Service attack (DDoS) that causes NFO's links to an upstream to be saturated, causes one or more of an upstream's links to its upstream providers (or its own internal ones) to be saturated, or causes NFO's router to be overloaded. In such events, the attack leads to packets being dropped for all customers at the same location, and the null-route is the only way to immediately stop the collateral damage. We have a system here that detects the packet loss and automatically implements null-routes, allowing them to occur quickly and limit the damage as much as possible.
Events that require null-routes are relatively rare. For most attacks, NFO's links to upstreams are large enough that we can absorb the attack traffic and filter it for our customers, avoiding the need for such a drastic event. When an emergency null-route is required, it is put in place for a limited time.
Every automatic null-route is fully investigated by NFO after it has been put in place to confirm that it was truly necessary and to determine what we can do to help the customer avoid them in the future. Steps that we frequently take include:
- Contacting our upstreams to determine if one of its links were saturated. If so, we may change the way that our prefixes are being advertised to distribute the traffic differently across their providers. We will also encourage upstreams (such as INAP) to upgrade their infrastructures.
- Determining whether an upstream ACL (filter) would be helpful. If an upstream was not having problems -- that is, if only NFO's connections was saturated -- and it is a simple attack that can be targeted with a basic ACL, it may be possible for an upstream to apply a filter to block the traffic before it reaches our network. In this case, we will ask for this and then remove the null-route once it has been applied.
- Contacting compromised hosts and reflectors. On behalf of our customers, we contact those who are involved with the attacks so that they can clean up their networks and systems.
- Notifying law enforcement contacts.
- Blocking botnet IP addresses at our router. For attacks that cause our router CPU capacity to be exhausted, blocking botnet IP addresses locally may help with further attacks.
- Infrastructure upgrades. We are always evaluating router hardware upgrades and connection upgrades on our end. However, we are limited in what we can do because the bottleneck is frequently with INAP and its upstreams, meaning that INAP has to upgrade before we can.