Chapter 10: Sinkholes and Backscatter

Overview

A little-talked-about network security technique has proven one of the most effective means of defense against denial-of-service attacks. It has been deployed by Internet service providers globally as a way to protect their downstream customers. As this chapter will explain, the technique, known as sinkholing, may also be used to provide valuable intelligence regarding the threats your network is facing . With a keen understanding of IP sinkhole theory, you'll be able to implement these techniques on your own to defend your network and to glean valuable information regarding both threats and significant misconfigurations throughout your network.

This chapter will provide information on the following:

• Sinkhole Background and Function A brief explanation of IP sinkholes and how a number of organizations have successfully implemented them.

• Decoy Network Deployments How sinkhole techniques applied using darknets and honeynets may be used to trap and analyze malicious scanning, infiltration attempts, and other events in conjunction with your network monitoring elements such as intrusion detection.

• Denial-of-Service Protection How organizations and their upstream Internet service providers have developed a means of protection against denial-of-service through extensive , event-driven sinkhole deployments.

• Backscatter and Tracebacks A brief explanation of backscatter and how tracebacks can be used to identify the ingress point of a denial-of-service attack in a large network.