blog.up-link.ro
28Jul/110

How To Add a nullroute (blackhole filtering)

In computer networking, a null route or blackhole route is a network route that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.

Null routing has an advantage over classical firewalls since it is available on every potential network router (including all modern operating systems), and adds virtually no performance impact. Due to the nature of high-bandwidth routers, null routing can often sustain higher throughput than conventional firewalls. For this reason, null routes are often used on high-performance core routers to mitigate large-scale denial-of-service attacks before the packets reach a bottleneck, thus avoiding collateral damage from DDoS attacks — although the target of the attack will be inaccessible to anyone.

Nullrouting on BSD (FreeBSD, NetBSD, OpenBSD)

To null route a single IP address (192.168.0.200), use:

route add -host 192.168.0.200 127.0.0.1 -blackhole

To null route a network (192.168.0.0/24), use:

route add -net 192.168.0.0/24 127.0.0.1 -blackhole

If you would rather generate a "Destination Host Unreachable" ICMP response instead of blackholing the traffic, replace -blackhole with -reject:

route add -host 192.168.0.200 127.0.0.1 -reject
route add -net 192.168.0.0/24 127.0.0.1 -reject

To enable the nullroutes on boot, add them to /etc/rc.conf:

static_routes="null1 null2"
route_null1="-host 192.168.0.1 127.0.0.1 -blackhole"
route_null2="-net 192.168.0.0/24 127.0.0.1 -blackhole"

Nullrouting on Cisco IOS

ip route 192.168.0.0 255.255.0.0 Null0

Nullrouting on Junipper Networks' JunOS

set routing-options static route 192.168.0.0/24 discard

Nullrouting on Linux (iproute2)

ip route add blackhole 192.168.0.200/32

Nullrouting on Solaris

route add -host 192.168.0.200 127.0.0.1 -blackhole
route add -net 192.168.0.0/24 127.0.0.1 -blackhole

Nullrouting on Windows

Windows XP/Vista/7 does not support reject or blackhole arguments via route, thus an unused IP address (e.g. 192.168.0.205) must be used as the target gateway:

route -p add 192.168.0.200 MASK 255.255.255.255 192.168.0.205
Print This Post Print This Post
Comments (0) Trackbacks (0)

No comments yet.


Leave a comment


*

No trackbacks yet.