For this article, I’m reusing an earlier topology:

Example network

Assume that everything inside is a private range, e.g. 10.0.0.0/8, and the edge router performs NAT to the WAN link with a public address. Once everything is subnetted and a routing protocol is set up, the route table of the routers will most likely show a few internal routes (e.g. 10.0.1.0/24, 10.0.2.0/24,…) and a default route pointing towards the edge router, out to the WAN link.

A simple, effective design. But what about a packet destined for, let’s say, 192.168.1.1? It will not match any interior route and will be forwarded along the default route, out over the WAN link, and get dropped at the first ISP hop (well, it should be). Can that behavior be countered? Yes: add a static route on the edge router pointing to a Null interface (Null0 on Cisco IOS), which silently discards everything sent to it. The packets disappear into a black hole, hence the name black hole routing.

Routes to 192.168.0.0/16 and 172.16.0.0/12 can easily be added on every router in the example, as these ranges aren’t present locally and shouldn’t be routable on the internet. And 10.0.0.0/8 can also be added everywhere, but only if no route filtering is performed. A packet for subnet 10.0.1.0/24 will be routed to the correct subnet if it exists, because it’s a more specific route in the route table than 10.0.0.0/8. A packet for a subnet that doesn’t exist, e.g. 10.5.1.0/24, will be dropped because it matches the 10.0.0.0/8 Null route, instead of the default route.

If route filtering is performed, things become a bit more complex. It’s usually still possible to add the 10.0.0.0/8 Null route on the edge router, but inside an OSPF totally stubby area, for example, only a default route is injected into the area: the interior 10.0.x.0/24 subnets are not present in the route table of routers inside the area. Adding the 10.0.0.0/8 Null route there is a more specific match than the default route, so traffic for interior subnets that the router only reaches via the default is discarded locally. The result is unreachable subnets.
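To make the longest-prefix behaviour above concrete, here is a small route-table simulation I added for this article (not router code, and not from any vendor): it looks up a destination against the edge router’s table, and against the table of a router inside a totally stubby area, where the 10.0.0.0/8 Null route shadows subnets reachable only via the default. Next-hop names such as “Router1” and “ABR” are made up for the example.

```python
import ipaddress

NULL0 = "Null0"  # packets matched here are silently discarded


def lookup(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


# Edge router (constructed): interior routes from the IGP, RFC 1918 black holes,
# and a default route towards the WAN link.
EDGE_ROUTES = [
    ("10.0.1.0/24", "Router1"),
    ("10.0.2.0/24", "Router2"),
    ("10.0.0.0/8", NULL0),
    ("172.16.0.0/12", NULL0),
    ("192.168.0.0/16", NULL0),
    ("0.0.0.0/0", "WAN"),
]

# Router inside a totally stubby area (constructed): it knows only its connected
# subnet and the injected default, so a 10/8 Null route here is more specific than
# the default and captures traffic for every other interior subnet.
STUB_ROUTES = [
    ("10.0.3.0/24", "Connected"),
    ("10.0.0.0/8", NULL0),
    ("0.0.0.0/0", "ABR"),
]


if __name__ == "__main__":
    for table_name, table in (("edge", EDGE_ROUTES), ("stub", STUB_ROUTES)):
        for dst in ("10.0.1.5", "10.5.1.1", "192.168.1.1", "8.8.8.8"):
            print(f"{table_name}: {dst:>12} -> {lookup(table, dst)}")
```

On the edge table, 10.0.1.5 follows the more specific interior route while 10.5.1.1 and 192.168.1.1 hit Null0 instead of leaving over the WAN; on the stub table, 10.0.1.5 is black-holed even though the subnet exists behind the ABR.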

Personally, I think it’s good practice to black hole these IP ranges instead of letting such packets wander around the network. It keeps things clean. Since on most platforms a route lookup is also less CPU-intensive than evaluating access-lists, it can serve as a basic security measure. Like a black hole for the Facebook IP ranges in your company network if you’re that desperate, for example.

If you know any other interesting uses, please let me know in the comments!
