Infrastructure Layer

Blackhole Attack

The Blackhole Gremlin drops IP packets at the transport layer, targeted by supplied port and host arguments.


The Blackhole Gremlin uses existing traffic policing features in the Linux Kernel to drop targeted IP packets.

This Gremlin does not interact with iptables, and so it does not interfere with any existing iptables rulesets.

This Gremlin requires the NET_ADMIN capability, which is enabled for Gremlin by default at installation time. See capabilities(7)


The Blackhole Gremlin uses the Windows Filtering Platform to drop targeted IP packets.


IP Addresses-i IP addressFalse0.0.1Only impact traffic to these IP addresses. Also accepts CIDR values (i.e.
Device-d interfaceFalseDevice discovery0.0.1Impact traffic over this network interface.
Hostnames-h hostnamesFalse^api.gremlin.com0.0.1Only impact traffic to these hostnames.
Egress Ports-p port numbersFalse^530.0.1Only impact egress traffic to these destination ports. Also accepts port ranges (e.g. 8080-8085).
Ingress Ports-n port numbersFalse0.0.1Only impact ingress traffic to these destination ports. Also accepts port ranges (e.g. 8080-8085).
Protocol-P {TCP, UDP, ICMP}Falseall1.5.3Only impact a specific protocol.
ProvidersWebUI and API OnlyFalse0.0.1External service providers to affect.
TagsWebUI and API OnlyFalse0.0.1Only impact traffic to hosts running Gremlin clients associated with these tags.
Length-l intFalse600.0.1The length of the attack (seconds).