Every IPv4 header carries a Protocol field that tells the receiver which transport-layer protocol (TCP, UDP, ICMP and so on) the payload belongs to. When that field is set to zero, filters written as TCP, UDP and ICMP rules never match the packet, hence the name IP Null attack. Edge routers and firewalls that classify only on the usual protocol numbers may pass such a packet through as unclassified traffic. IANA assigns protocol number 0 to the IPv6 Hop-by-Hop Option (HOPOPT), which has no meaning inside an IPv4 packet, so not every host receives and processes it correctly. The practical check on the defensive side is a default-deny rule for protocol numbers the host does not actually serve, rather than an allow-list phrased only in terms of TCP, UDP and ICMP.
Sent en masse, these packets force the target to spend CPU and memory parsing and discarding datagrams it cannot hand to any transport protocol. Under sufficient volume the host exhausts its resources and stops serving legitimate traffic, or crashes outright.
A common mitigation technique for DDoS attacks is null routing, particularly for attacks that cause collateral damage (second-hand DDoS). Customers that share infrastructure with the target also suffer the effects of the attack: their service is degraded or knocked offline entirely as the shared links, servers and applications are swamped by the mass of junk traffic. These collateral victims often have no DDoS defences of their own, so they contact their ISP and ask for the attack to be blocked upstream. The ISP then injects a null route for the original victim's IP address into its routing infrastructure and drops all traffic destined for the target, in the hope of relieving the other customers who are experiencing collateral damage.
Null routing works by giving the victim's address a route that leads nowhere. Every router on the path between two hosts must know which next hop to use for each packet it forwards; network operators advertise the prefixes they are responsible for to neighbouring networks, and those advertisements determine where packets for their addresses go. When an address is null routed, the operator installs a route for it that points at a discard interface (Null0 on Cisco IOS, a blackhole route on Linux) and, where the upstream supports it, advertises the /32 tagged with a blackhole community so that the upstream drops the traffic before it ever crosses the link. Data sent to that address is therefore discarded rather than delivered. This spares the Internet infrastructure from carrying huge volumes of junk traffic and keeps the network from being taken offline by the DDoS attack. The IP is typically left null routed for a minimum of 24 hours.
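As an added example, not code from the original article: the Python script below parses raw IPv4 headers, flags packets whose Protocol field is 0, counts them per destination to spot a flood, and, for any address over a threshold, emits the null-route actions an operator would apply (a Linux blackhole route, an IOS Null0 static route, and a BGP announcement tagged with the RFC 7999 BLACKHOLE community 65535:666). The traffic, the addresses (RFC 5737 documentation ranges), the threshold and the command strings are constructed for illustration; that the upstream honours the BLACKHOLE community is an assumption about that upstream.

```python
"""Detect an IPv4 'null protocol' flood and derive the null-route response.

Added example; traffic and thresholds below are constructed, not captured.
"""
import struct
from collections import Counter
from ipaddress import ip_address

PROTO_HOPOPT = 0   # IANA protocol number 0 (IPv6 Hop-by-Hop Option): the "null" in IP Null attack
PROTO_ICMP = 1
PROTO_TCP = 6
PROTO_UDP = 17
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 when run over a header whose checksum is valid."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet (20-byte header, no options) as test traffic."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Parse the fixed IPv4 header; raise ValueError on anything a router would discard."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or total_len < ihl:
        raise ValueError("bad length fields")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {"src": str(ip_address(src)), "dst": str(ip_address(dst)),
            "proto": proto, "payload": packet[ihl:total_len]}


def is_null_protocol(packet: bytes) -> bool:
    """True when the Protocol field is 0: such a packet matches no TCP/UDP/ICMP rule."""
    return parse_ipv4(packet)["proto"] == PROTO_HOPOPT


def find_null_flood_victims(packets, threshold: int) -> dict:
    """Count protocol-0 packets per destination; return {dst: count} for those at or over threshold."""
    counts = Counter()
    for pkt in packets:
        try:
            hdr = parse_ipv4(pkt)
        except ValueError:
            continue  # malformed frames are dropped, not counted
        if hdr["proto"] == PROTO_HOPOPT:
            counts[hdr["dst"]] += 1
    return {dst: n for dst, n in counts.items() if n >= threshold}


def null_route_actions(victim: str) -> dict:
    """Commands an operator would apply to drop all traffic for the victim address.

    Assumption: the upstream honours the RFC 7999 BLACKHOLE community on the /32.
    """
    return {
        "linux": f"ip route add blackhole {victim}/32",
        "ios": f"ip route {victim} 255.255.255.255 Null0",
        "bgp": f"announce {victim}/32 with community {BLACKHOLE_COMMUNITY}",
    }


def sample_traffic() -> list:
    """Constructed traffic: a spoofed protocol-0 flood at 203.0.113.10 plus ordinary packets."""
    flood = [build_ipv4(f"198.51.100.{i}", "203.0.113.10", PROTO_HOPOPT, b"\x00" * 8)
             for i in range(1, 51)]
    legit = [build_ipv4("192.0.2.7", "203.0.113.10", PROTO_TCP, b"\x00" * 20) for _ in range(5)]
    stray = [build_ipv4("198.51.100.9", "203.0.113.20", PROTO_HOPOPT) for _ in range(3)]
    return flood + legit + stray


if __name__ == "__main__":
    for dst, n in find_null_flood_victims(sample_traffic(), threshold=20).items():
        print(f"{dst}: {n} protocol-0 packets; actions: {null_route_actions(dst)}")
```

Note that the detector counts only protocol-0 packets, so the five legitimate TCP packets to the same address do not contribute to the verdict, while the three stray packets to 203.0.113.20 stay below the threshold. The header checksum check matters in practice: a flood of deliberately corrupt headers should be dropped at the parser rather than counted, otherwise the detector itself becomes a resource sink.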
However, null routing (also known as black hole routing) is not without controversy. It blocks all traffic to the address, good as well as bad, so in effect it completes the cybercriminal's goal of taking the target offline, only now by the defender's own hand. For any business that requires a constant online presence, null routing on its own is not a viable mitigation technique.