
The Null Route Problem

When a DDoS attack targets one of your customers' IPs, the standard response at most hosting providers is to null route the IP. All traffic to that IP is dropped at your edge router. The attack traffic stops reaching your network. The collateral damage: your customer's legitimate traffic is also dropped. Their site, server, or application is completely offline.

From the customer's perspective, null routing is the same as a successful DDoS attack. Their service is down either way. The only difference is who did it: the attacker or their hosting provider.

Null routing made sense when there were no alternatives. When the only choice was "one customer goes down" or "the whole rack goes down," sacrificing one IP was the lesser evil. But that trade-off is no longer necessary.

Why Null Routing Costs You Customers

  • The customer loses money during the null route. An ecommerce site offline for 2 hours during a null route loses orders. A game server offline loses players to competitors.
  • Null routes last too long. Most providers apply null routes for 2-24 hours. The attack might stop in 10 minutes, but the customer stays offline for hours.
  • Repeat attacks trigger repeat null routes. If the attacker comes back, the customer gets null routed again. After the third time, they switch to a provider that handles it better.
  • The customer blames you, not the attacker. "My hosting provider took my site down" is how the customer describes it. They do not say "a DDoS attack happened and my hosting provider responded."

The Better Approach

Instead of null routing the entire IP, use a layered mitigation approach:

Level 1: On-server firewall rules

ftagent detects the attack in under 1 second and deploys iptables rules that drop attack traffic while allowing legitimate traffic through. For a UDP amplification attack, the rule drops UDP packets matching the amplification pattern (for DNS amplification: source port 53 and a large packet size) without affecting the customer's TCP web traffic.

Level 2: BGP FlowSpec

If the attack volume exceeds what on-server rules can handle, Flowtriq auto-pushes a FlowSpec rule to your upstream. The upstream drops traffic matching specific criteria (protocol, source port, packet size) for just that destination IP. Legitimate traffic for other protocols passes through.
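The Level 1 and Level 2 rules for the DNS amplification case, as an added example that is not Flowtriq's or ftagent's code. It assumes iptables with the conntrack and length match modules on the customer's server, and ExaBGP's flow configuration syntax for the upstream FlowSpec announcement; setting IPT=echo prints the iptables rules instead of installing them (installing needs root).

```shell
#!/bin/sh
# Added example (not Flowtriq's code). Assumes iptables with the conntrack and
# length match modules, and ExaBGP flow syntax for the FlowSpec rule.
IPT="${IPT:-iptables}"
CHAIN="DDOS_MITIGATE"   # dedicated chain so all rules can be removed as a unit

# Level 1: drop inbound UDP from source port 53 that is MINLEN bytes or larger
# and aimed at VICTIM. Replies to the customer's own DNS queries match an
# existing conntrack entry and are returned before the DROP; TCP is untouched.
# The chain is filled before the jump is inserted so there is no window where
# the jump leads to an empty chain.
deploy_dns_amp_rules() {
    victim="$1"; minlen="${2:-512}"
    "$IPT" -N "$CHAIN" 2>/dev/null || true
    "$IPT" -A "$CHAIN" -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j RETURN
    "$IPT" -A "$CHAIN" -p udp --sport 53 -m length --length "$minlen:65535" -j DROP
    "$IPT" -A "$CHAIN" -j RETURN
    "$IPT" -I INPUT -d "$victim" -j "$CHAIN"
}

# Auto-remove: take out everything deploy_dns_amp_rules added once the attack ends.
withdraw_dns_amp_rules() {
    victim="$1"
    "$IPT" -D INPUT -d "$victim" -j "$CHAIN"
    "$IPT" -F "$CHAIN"
    "$IPT" -X "$CHAIN"
}

# Level 2: the same match as a FlowSpec rule (ExaBGP syntax), so the upstream
# discards only this pattern for this /32 and forwards everything else.
flowspec_rule() {
    victim="$1"; minlen="${2:-512}"
    cat <<EOF
flow {
    route dns-amp-mitigation {
        match {
            destination ${victim}/32;
            protocol udp;
            source-port =53;
            packet-length >$((minlen - 1));
        }
        then {
            discard;
        }
    }
}
EOF
}
```

The conntrack exception costs a lookup per packet; at rates where that becomes the bottleneck, the page's escalation to FlowSpec is the intended answer rather than a cheaper but blunter raw-table drop.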

Level 3: Cloud scrubbing

For severe volumetric attacks, divert the customer's traffic to a scrubbing center. The scrubbing center filters attack traffic and returns clean traffic to your network. The customer's service stays online throughout.

Level 4: Selective RTBH (only as last resort)

If the attack exceeds all other mitigation capacity, RTBH (remotely triggered black hole routing, i.e. a null route) is still available. But with the previous three levels, you rarely need it. And when you do, it is a conscious decision with full data about why the other levels were insufficient.

The Escalation Flow

Attack detected (0.8 seconds)
    |
    v
On-server iptables rules deployed (2 seconds)
    |
    Is on-server mitigation sufficient?
    |
   Yes --> Monitor, auto-remove rules when attack ends
    |
   No  --> Push BGP FlowSpec to upstream (15 seconds)
            |
            Is FlowSpec sufficient?
            |
           Yes --> Monitor, auto-withdraw when attack ends
            |
           No  --> Divert to cloud scrubbing (60 seconds)
                    |
                    Clean traffic returns to your network
                    Customer stays online throughout

At each level, the system checks whether mitigation is working before escalating. Most attacks are handled at Level 1. The small percentage that need FlowSpec are handled at Level 2. Cloud scrubbing is rarely needed but available when it is.

The Business Impact

Hosting providers who move from null routing to surgical mitigation see measurable results:

  • Lower churn: Customers who stay online during attacks do not leave
  • Higher margins: DDoS protection as a paid addon generates revenue that null routing never did
  • Better reputation: "They kept my server online during an attack" is a referral-worthy experience
  • Fewer tickets: Automated detection and notification means fewer "is my server down?" tickets

Replace null routing with surgical mitigation. Per-node detection at $9.99/server/month with automated escalation from firewall rules to FlowSpec to cloud scrubbing. Start your free 14-day trial.
