In computer networking, a null route (blackhole route) is a network route (routing table entry) that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall.

The act of using null routes is often called blackhole filtering. The rest of this article deals with null routing in the Internet Protocol (IP).

Null routes are typically configured with a special route flag, but can also be implemented by forwarding packets to an illegal IP address such as 0.0.0.0, or the loopback address.

Null routing has an advantage over classical firewalls since it is available on every potential network router (including all modern operating systems), and adds virtually no performance impact. Due to the nature of high-bandwidth routers, null routing can often sustain higher throughput than conventional firewalls. For this reason, null routes are often used on high-performance core routers to mitigate large-scale denial-of-service attacks before the packets reach a bottleneck, thus avoiding collateral damage from DDoS attacks — although the target of the attack will be inaccessible to anyone. Blackhole filtering can also be abused by malicious attackers on compromised routers to filter out traffic destined to a certain address.

Routing typically only works on the Internet Protocol layer and is very limited in packet classification. It is bound to be stateless due to the nature of IP routers. Typically, classification is limited to the destination IP address prefix, source IP address and incoming network interface.

Specific examples

Nullrouting with iproute2 on Linux:

$ ip route add blackhole 192.168.32.128/32

Nullrouting with 'route' on Solaris and BSD:

$ route add -host 10.10.0.1 127.0.0.1 -blackhole 
$ route add -net 10.10.64.0/18 127.0.0.1 -blackhole

Creating a discard route on Juniper Networks’ Junos:

set routing-options static route 192.168.0.0/16 discard

Routing to the Null0 interface on Cisco IOS:

ip route 192.168.0.0 255.255.0.0 Null0

Windows XP/Vista does not support reject or blackhole arguments via route, thus an unused IP address (e.g. 192.168.32.254) must be used as the target gateway:

route -p ADD 192.168.32.128 MASK 255.255.255.255 192.168.32.254

How do I drop or block an attacker's IP with null routes?

Someone might attack your system. You can drop the attacker's IP using iptables. However, you can also use the route command to null route unwanted traffic. A null route (also called a blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.

You can null route an address (as ISPs sometimes do) to prevent your network device from sending any data to a remote system, stopping various attacks coming from a single IP (read as spammers or hackers):

Nullroute IP using route command

Suppose the bad IP is 65.21.34.4. Type the following command at the shell:

# route add 65.21.34.4 gw 127.0.0.1 lo

You can verify it with the following command:

# netstat -nr
OR
# route -n

You can also use the reject target:

# route add -host IP-ADDRESS reject
# route add -host 64.1.2.3 reject

To confirm the null routing status, use the ip command as follows:

# ip route get 64.1.2.3
Output:

RTNETLINK answers: Network is unreachable

Drop entire subnet 192.67.16.0/24:

# route add -net 192.67.16.0/24 gw 127.0.0.1 lo

You can also use the ip command to null route a network or a single IP. Enter:

# ip route add blackhole 202.54.5.0/29
# route -n
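
Before null routing a prefix, it helps to normalise it to its network address and to check that it does not cover an address you still need to reach, such as your own management host. The script below is an added example, not part of the original article: the function names and the protected address 203.0.113.10 are assumptions, and it only prints the ip command instead of running it.

```shell
# Added example: validate a prefix before null routing it. Prints the command only.
# ip_to_int A.B.C.D -> 32-bit integer; fails on malformed input.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros / overlong
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# mask_for LEN -> netmask as integer
mask_for() { echo $(( (4294967295 << (32 - $1)) & 4294967295 )); }

# normalize_prefix ADDR[/LEN] -> NETWORK/LEN (Linux rejects prefixes with host bits set)
normalize_prefix() {
    addr=${1%/*}; len=32
    case "$1" in */*) len=${1#*/} ;; esac
    case "$len" in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    n=$(ip_to_int "$addr") || return 1
    n=$(( n & $(mask_for "$len") ))
    echo "$(( n >> 24 & 255 )).$(( n >> 16 & 255 )).$(( n >> 8 & 255 )).$(( n & 255 ))/$len"
}

# prefix_covers PREFIX ADDR -> exit 0 if ADDR falls inside PREFIX
prefix_covers() {
    p=$(normalize_prefix "$1") || return 2
    a=$(ip_to_int "$2") || return 2
    net=$(ip_to_int "${p%/*}")
    [ $(( a & $(mask_for "${p#*/}") )) -eq "$net" ]
}

# blackhole_cmd PREFIX [PROTECTED_ADDR...] -> prints the iproute2 command, or refuses
blackhole_cmd() {
    target=$(normalize_prefix "$1") || { echo "invalid prefix: $1" >&2; return 1; }
    shift
    for keep in "$@"; do
        if prefix_covers "$target" "$keep"; then
            echo "refusing: $target covers protected address $keep" >&2; return 2
        fi
    done
    echo "ip route add blackhole $target"
}

# Constructed sample: 203.0.113.10 stands in for your own admin host.
blackhole_cmd 202.54.5.2/29 203.0.113.10
```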

How do I remove null routing? How do I remove blocked IP address?

Simply use the route delete command:

# route delete 65.21.34.4

This is cool, as you do not have to play with rules.
