Corero: DDoS Attacks Won't Be Blocked by Black Holing/Null Routing

Distributed denial of service (DDoS) attacks have been around since the early 2000’s, and the technology solutions for mitigating such attacks have evolved dramatically over the past few years. Hackers are more sophisticated, and the attacks are increasing, so the old solutions— which never worked perfectly—are even less effective in today’s cyber threat landscape.

Therefore, it’s surprising to see occasional articles that still recommend outdated approaches, such as remote black holing (also called null routing) to stop unwanted traffic. Hosting service providers sometimes try to block bad traffic by injecting a null route with the IP address of the original DDoS victim into their routing infrastructure, to block all DDoS traffic to the victim.

The problem with this approach is that it cannot tell the difference between bad traffic and good traffic; so it not only blocks all DDoS traffic, but it also blocks all good traffic, so it actually supports the DDoS attack against the original victim. If the upstream ISP null routes all good traffic-and-DDoS traffic into the ‘black hole’ it effectively takes the victim offline. This method of defense is simply not acceptable. Furthermore, because most DDoS attacks are highly spoofed, trying to null route on the source IP addresses is nearly impossible.

Modern DDoS mitigation technology effectively detects and blocks DDoS attacks at a granular level, even the low-threshold, sub-saturating attacks that escape human detention. Why block all traffic, when you can simply block the bad traffic, in real time? You can deploy an automated DDoS protection appliance at the network perimeter, and have always on, automatic detection and blocking of DDoS attacks so they never enter your network.

You can read the original article, here.

Powered by WPeMatico