The entire YouTube network recently went down, across the globe, for about two hours -- thanks to a mistake made by an ISP in Pakistan. That mistake involved a black hole route accidentally distributed around the world.
While you may not have a network as large or as critical as YouTube to manage, unexpected network downtime or lost network traffic is never a good thing. That's why you should understand what a black hole route is, how it can help you -- and how it could hurt you.
What happened with YouTube?
If you haven't already heard what happened with the YouTube incident, it's a very interesting story from an IP routing and troubleshooting perspective. Because plenty of articles are available that discuss the incident, I won't go into detail. But if you need a quick review, check out these resources:
- News.com: How Pakistan knocked YouTube offline (and how to make sure it never happens again)
- Network World: YouTube outage underscores big Internet problem
- Associated Press: Pakistan Causes Worldwide YouTube Outage
What is a black hole route?
In the 1979 movie The Black Hole, what went into the black hole didn't come out. It was a scary thing that all the characters wanted to avoid. In the world of IP routing, a black hole is also a term with a negative connotation -- trust me, no one wants traffic going there either.
In its simplest form, a black hole exists on a network when a router directs network traffic to a destination that just "throws away" the traffic. The classic interface used on a Cisco router to do this is the null0 interface.
In mathematics, null means to have zero numbers in a set. In computers and networking, however, null doesn't mean zero; it means no value or nothing.
A Cisco IOS router also has an interface called null0. When traffic goes to that interface, the router just discards it. Thus, the null interface on the Cisco router is the "black hole."
How can a black hole route help you?
Obviously, you can direct traffic that you want to get rid of to a black hole. In fact, this is what happened with the Pakistani ISP and YouTube's data. While there are many ways to discard traffic, I suspect what happened was that the ISP sent all YouTube traffic to null0 and then accidentally shared the route with other ISPs throughout the Internet using Border Gateway Protocol (BGP); all YouTube traffic ended up discarded, all around the world.
Black hole routes can help you by dropping malicious traffic if you're under attack, such as in the case of a DDoS attack or a worm attack. You may be able to do this just as well with an access control list (ACL), but because routing works in the forwarding path of the Cisco router, you can use the black hole route to drop the same traffic while incurring less of a performance impact on the router. (Because the ACL processing is higher in the Cisco IOS order of operations, the ACL would serve the same purpose but take more router resources to do it.)
Take advantage of a black hole route with the Cisco IOS
We typically configure black hole routes in conjunction with BGP; BGP is the routing protocol of the Internet, and most of the malicious traffic is on the Internet. However, anyone can configure a black hole route with just a single statement.
Here's the simplest form of a black hole route:
Router(config)# ip route 220.127.116.0 255.255.255.0 null0
This statement sends all traffic that arrives on this router for the destination network named in the route to the null0 interface -- in effect, discarding it and sending it to the black hole. Let's look at an example of using this in a simple network.
Let's say your Cisco IOS router connects you to the Internet, and your network users are using an online P2P file-sharing service that you don't want them to use. Rather than creating an ACL, using content filtering, or deploying an application-based firewall, you could simply drop all traffic to that domain by looking up the IP addresses it uses and entering a route to null0 for them.
You could also redistribute this route into your dynamic routing protocol and have it sent to all other routers on your network. Then, all routers would send traffic to your router, and your router would drop that traffic.
Keep in mind that if you're using this approach, you don't want to alert malicious users that you're blocking their traffic. To stop the router from sending ICMP unreachable messages for the packets it discards, you could configure the following on the null0 interface:
Router(config)# int null0
Router(config-if)# no ip unreachables
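The YouTube incident came from a black hole route that was shared further than intended, so it is worth checking a configuration for that before it goes live. The following is an added example, not code from the original article or from Cisco: a small Python audit that finds static routes to null0, flags any routing process that redistributes static routes without a route-map, and checks that null0 has no ip unreachables set. The sample configuration, its prefixes, AS number, tag and route-map name are constructed for illustration.

```python
import re

# Constructed sample configuration (documentation prefixes, private AS number).
SAMPLE_CONFIG = """\
interface Null0
 no ip unreachables
!
router ospf 1
 redistribute static subnets route-map BLACKHOLE-ONLY
!
router bgp 64512
 redistribute static
!
ip route 192.0.2.0 255.255.255.0 Null0 tag 66
ip route 198.51.100.0 255.255.255.0 10.0.0.1
!
route-map BLACKHOLE-ONLY permit 10
 match tag 66
"""

def audit_blackhole_config(config):
    """Return (null_routes, findings) for an IOS-style configuration text."""
    null_routes, unfiltered, findings = [], [], []
    stanza, null0_quiet = "", False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # top-level line: a new stanza begins
            stanza = line
            m = re.match(r"ip route (\S+) (\S+) null\s?0\b", line, re.I)
            if m:
                null_routes.append((m.group(1), m.group(2)))
        elif re.match(r"interface null\s?0$", stanza, re.I):
            null0_quiet = null0_quiet or line == "no ip unreachables"
        elif stanza.startswith("router ") and line.startswith("redistribute static"):
            if "route-map" not in line.split():  # nothing limits what is exported
                unfiltered.append(stanza)
    if null_routes:                              # findings only matter with black hole routes
        findings += [f"{s}: redistributes static routes without a route-map"
                     for s in unfiltered]
        if not null0_quiet:
            findings.append("interface Null0: 'no ip unreachables' is not set")
    return null_routes, findings

if __name__ == "__main__":
    routes, problems = audit_blackhole_config(SAMPLE_CONFIG)
    print("black hole routes:", routes)
    for problem in problems:
        print("finding:", problem)
```

The check only looks for the presence of a route-map on the redistribute statement; it does not evaluate what the route-map permits, so a clean result still calls for a review of the route-map itself.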
For more information on using black hole routes, check out these Cisco PDF resources:
- Black-Hole Filtering Minimizes Impact of Server Attacks
- Remotely Triggered Black Hole Filtering-Destination Based and Source Based
How can a black hole route hurt you?
Of course, black holes are bad if you're on the other end of this discussion and you're the one sending the traffic. If you're sending malicious traffic, your network deserves to go to a black hole. On the other hand, if it's a mistake, as was the case with YouTube, having traffic sent to a black hole could cost you and your company significantly.
With BGP, there's no foolproof way to stop an accident or malicious attack from taking down the traffic to an Internet destination. However, more BGP security may eventually come in the form of Secure BGP.
In the meantime, it's important to understand what black hole routes are, how they work, how they can help you, and how they can hurt you. Whatever you do, you don't want to fall into a black hole!