
New Member

sink-hole router

What is a sink-hole router? What is the concept behind it? Please tell me in detail.

2 REPLIES

Re: sink-hole router

Hi

AFAIK it's used to track/examine the usual DoS attacks in large SP networks.

Do find the info about both sinkhole routers and routing.

Use Sink-Hole Routers to Identify Infected Systems

Sink-hole routers are typically used by a service provider to redirect malicious IP traffic to a single IP address where the traffic can be examined in greater detail. Service providers can use this concept to identify networks and individual hosts where worm traffic is originating. This concept can also be applied within an enterprise architecture environment to identify hosts that are infected by a worm and are actively seeking additional target systems. Setting up a sink-hole router will assist in determining which systems in the environment are infected when NIDS is not available, either due to insufficient resources to deploy NIDS or other architectural constraints. This works by using addresses not yet allocated by the Internet Assigned Numbers Authority (IANA) that some worms will inadvertently attempt to exploit. The sink-hole router advertises these networks locally (only), and any attempts at reaching them will then be routed to the router. Once received, they can be logged and discarded. The logs will provide a list of infected hosts.

Sinkhole Routing

If the ISP is interested instead in examining the flooding attack and stopping it, it can use sink-hole routing. This works by injecting a more specific route from one of the ISP's routers than the subnet route you advertise, which is under attack. For example, if your subnet is 192.0.2.0/24 and IP address 192.0.2.52 is under attack, the ISP can inject a route specifically to the 192.0.2.52/32 address that redirects the attack traffic to a network honeypot of sorts, where the ISP can examine and classify the traffic.

Regards
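The two mechanisms quoted in the reply above, modeled in Python as an added example that is not part of the original post or any Cisco tooling. The route table, the flow records, the `min_targets` threshold, and the use of 198.51.100.0/24 as a stand-in for unallocated space are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed routing table (prefix, next hop). 192.0.2.0/24 and 192.0.2.52 are
# the post's example; 198.51.100.0/24 stands in for unallocated address space.
ROUTES = [
    ("0.0.0.0/0", "upstream"),
    ("192.0.2.0/24", "customer-edge"),
    ("192.0.2.52/32", "sinkhole-victim"),   # injected more specific route
    ("198.51.100.0/24", "sinkhole-dark"),   # advertised locally only
]

def next_hop(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route covering dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def sinkhole_log(flows):
    """Group sinkholed flows by reason, then source: {reason: {src: {dst, ...}}}."""
    log = defaultdict(lambda: defaultdict(set))
    for src, dst in flows:
        hop = next_hop(dst)
        if hop and hop.startswith("sinkhole"):
            log[hop][src].add(dst)
    return log

def suspected_infected(flows, min_targets=3):
    """Sources that probed at least min_targets distinct dark addresses."""
    dark = sinkhole_log(flows)["sinkhole-dark"]
    return sorted(src for src, dsts in dark.items() if len(dsts) >= min_targets)

# Constructed flow records (source, destination), not real traffic.
FLOWS = [
    ("10.1.1.20", "198.51.100.7"), ("10.1.1.20", "198.51.100.8"),
    ("10.1.1.20", "198.51.100.9"),      # one host sweeping dark space
    ("10.1.1.31", "198.51.100.200"),    # single stray packet, below threshold
    ("10.1.1.31", "192.0.2.10"),        # normal traffic, follows the /24
    ("203.0.113.5", "192.0.2.52"),      # flood traffic, diverted by the /32
    ("203.0.113.6", "192.0.2.52"),
]

if __name__ == "__main__":
    print("suspected infected:", suspected_infected(FLOWS))
    print("flood sources seen:", sorted(sinkhole_log(FLOWS)["sinkhole-victim"]))
```

Source addresses logged for the /32 diversion can be spoofed, so that list is input for classification rather than a list of confirmed attackers.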

New Member

Re: sink-hole router

Try the following pdf, it should give you more than you need to know:

http://www.cisco.com/warp/public/732/Tech/security/docs/blackhole.pdf
