Background and Function

In this text, the term sinkhole is defined as a generalized means of redirecting specific IP network traffic for different security-related purposes, including analysis and forensics, diversion of attacks, and detection of anomalous activity. Tier-1 ISPs were the first to implement these tactics, usually to protect their downstream customers. Since then, the techniques have been adapted to collect interesting threat-related information for security analysis. To visualize the simplest form of a sinkhole, consider the following:

Malicious, disruptive traffic sourced from various networks is destined for host 192.0.2.13, as shown in Figure 10-1. The organization being targeted by this traffic uses 192.0.2.0/24 as its network address block, which is routed by its upstream ISP. The attack becomes debilitating: it disrupts the target organization's business operations, potentially increases its costs through rising bandwidth utilization, and forces the ISP to act because the overwhelming volume of attack traffic is disrupting adjacent customers as collateral damage.

Figure 10-1: An attack on IP address 192.0.2.13 (before sinkholing)

The ISP reacts and temporarily initiates a blackhole-type sinkhole by injecting a more specific route for the target (192.0.2.13/32) inside its backbone, whose next hop is the discard interface on its edge router (also known as null0 or the "bit bucket"), as shown in Figure 10-2. Because the /32 is more specific than the customer's /24, it wins the longest-prefix-match lookup on every router that carries it, so packets for 192.0.2.13 are dropped at the ISP's edge while the rest of 192.0.2.0/24 continues to follow the aggregate route down to the customer.

Figure 10-2: An attack on IP address 192.0.2.13 (while sinkholing)

This tactic directs the offending traffic into the ISP's sinkhole instead of allowing it to flow downstream to the original target. The benefit is that, from the time the sinkhole takes effect, the adjacent ISP customers are likely (as long as the ISP thoughtfully designed its sinkhole defenses) free of collateral damage, and the target organization has regained use of its Internet connection and local access to the specifically targeted device. Unfortunately, the specific IP address (device) being attacked cannot converse with remote systems across the Internet until the sinkhole is removed (presumably after the attack has subsided), because legitimate packets for that address are discarded along with the attack. The services originally provided by the target device may, of course, be migrated to an alternative device at a different IP address, but many other considerations then arise, such as DNS TTL expiry and so on.
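The following Python simulation is an added example (not code from the book) of the forwarding behaviour described above: a minimal longest-prefix-match forwarding table holds the customer's 192.0.2.0/24 aggregate, the ISP injects 192.0.2.13/32 with next hop Null0, and the same constructed traffic mix is run before, during, and after the blackhole. The customer next-hop address 198.51.100.2, the attacker sources in 203.0.113.0/24, and the packet counts are assumptions chosen for the demonstration; all addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Added example, not the book's code. Addresses are RFC 5737 documentation
# ranges; the customer next hop and attacker sources are assumptions.
NULL0 = "Null0"                      # the discard interface ("bit bucket")
CUSTOMER_NEXT_HOP = "198.51.100.2"   # assumed CE router for 192.0.2.0/24


class Fib:
    """Minimal forwarding table with longest-prefix-match lookups."""

    def __init__(self) -> None:
        self.routes: Dict[ipaddress.IPv4Network, str] = {}

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def remove(self, prefix: str) -> None:
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst: str) -> Optional[str]:
        """Return the next hop of the most specific route covering dst, or None."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


def forward(fib: Fib, packets: List[Tuple[str, str]]) -> Dict[str, Dict[str, int]]:
    """Count, per destination, how many packets are forwarded, discarded or unrouted."""
    counts: Dict[str, Dict[str, int]] = {}
    for _src, dst in packets:
        nh = fib.lookup(dst)
        if nh is None:
            disposition = "unrouted"
        elif nh == NULL0:
            disposition = "discarded"      # dropped on the ISP edge router
        else:
            disposition = "forwarded"      # sent downstream toward the customer
        per_dst = counts.setdefault(dst, {})
        per_dst[disposition] = per_dst.get(disposition, 0) + 1
    return counts


def simulate() -> Dict[str, Dict[str, Dict[str, int]]]:
    """Run the Figure 10-1 / 10-2 scenario: before, during and after the blackhole."""
    fib = Fib()
    fib.add("192.0.2.0/24", CUSTOMER_NEXT_HOP)   # customer aggregate (Figure 10-1)

    # Constructed traffic: a flood at 192.0.2.13 from fifty sources, plus a
    # legitimate flow to its neighbour 192.0.2.14 on the same /24.
    flood = [(f"203.0.113.{i}", "192.0.2.13") for i in range(1, 51)]
    legit = [("198.51.100.77", "192.0.2.14")] * 5
    packets = flood + legit

    before = forward(fib, packets)
    fib.add("192.0.2.13/32", NULL0)    # ISP injects the /32 blackhole (Figure 10-2)
    during = forward(fib, packets)
    fib.remove("192.0.2.13/32")        # attack subsides: withdraw the /32
    after = forward(fib, packets)
    return {"before": before, "during": during, "after": after}


if __name__ == "__main__":
    for phase, counts in simulate().items():
        print(phase, counts)
```

The `during` phase shows both halves of the trade-off: every packet for 192.0.2.13 is discarded, the attack flood and any legitimate traffic alike, while 192.0.2.14 on the same /24 is still forwarded to the customer. Withdrawing the /32 returns the table to its original state.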

This example is merely one type of sinkhole, normally referred to as an ISP-induced blackhole route, but it should familiarize you with the concept so that we can explain various other uses of sinkholes.



Extreme Exploits: Advanced Defenses Against Hardcore Hacks (Hacking Exposed)
ISBN: 0072259558
Year: 2005
Pages: 120
