How To Add a nullroute (blackhole filtering)

In computer networking, a null route or blackhole route is a network route that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.

Null routing has an advantage over classical firewalls: it is available on every potential network router (including all modern operating systems) and has virtually no performance impact. Due to the nature of high-bandwidth routers, null routing can often sustain higher throughput than conventional firewalls. For this reason, null routes are often used on high-performance core routers to mitigate large-scale denial-of-service attacks before the packets reach a bottleneck, thus avoiding collateral damage from DDoS attacks. The trade-off is that the target of the attack becomes inaccessible to everyone.

Nullrouting on BSD (FreeBSD, NetBSD, OpenBSD)

To null route a single IP address (, use:

route add -host -blackhole

To null route a network (, use:

route add -net -blackhole

If you would rather generate a "Destination Host Unreachable" ICMP response instead of blackholing the traffic, replace -blackhole with -reject:

route add -host -reject
route add -net -reject

To enable the nullroutes on boot, add them to /etc/rc.conf:

static_routes="null1 null2"
route_null1="-host -blackhole"
route_null2="-net -blackhole"

Nullrouting on Cisco IOS

ip route Null0

Nullrouting on Juniper Networks' JunOS

set routing-options static route discard

Nullrouting on Linux (iproute2)

ip route add blackhole
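
Because a blackhole route silently drops everything it matches, it is worth checking a block list before it reaches the routing table. The following is an added example, not part of the original page: it validates IPv4 targets, refuses prefixes that are too wide or that overlap networks which must stay reachable, merges redundant entries, and emits the Linux iproute2 commands. The protected network, the /16 limit and all sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample policy (documentation ranges from RFC 5737), not from the page.
PROTECTED = ["198.51.100.0/24"]  # hypothetical: networks that must stay reachable
MIN_PREFIXLEN = 16               # hypothetical: refuse anything wider than a /16


def blackhole_commands(targets, protected=PROTECTED, min_prefixlen=MIN_PREFIXLEN):
    """Return (commands, rejected) for a list of IPv4 address or CIDR strings."""
    keep = [ipaddress.IPv4Network(p) for p in protected]
    accepted, rejected = [], []
    for raw in targets:
        try:
            # strict=True refuses host bits inside a network, e.g. 192.0.2.7/24,
            # which is usually a typo for either a /32 or a different prefix.
            net = ipaddress.IPv4Network(raw.strip(), strict=True)
        except ValueError as exc:
            rejected.append((raw, f"invalid: {exc}"))
            continue
        if net.prefixlen < min_prefixlen:
            rejected.append((raw, f"wider than /{min_prefixlen}"))
        elif any(net.overlaps(k) for k in keep):
            rejected.append((raw, "overlaps a protected network"))
        else:
            accepted.append(net)
    # Merge duplicates, nested and adjacent prefixes so the routing table
    # holds the smallest set of entries covering the same addresses.
    merged = ipaddress.collapse_addresses(accepted)
    return [f"ip route add blackhole {n}" for n in merged], rejected


if __name__ == "__main__":
    # Constructed input: one host, two halves of a /24, and four bad entries.
    sample = ["192.0.2.1", "203.0.113.0/25", "203.0.113.128/25",
              "0.0.0.0/0", "198.51.100.10", "192.0.2.7/24", "not-an-ip"]
    cmds, bad = blackhole_commands(sample)
    print("\n".join(cmds))
    for raw, why in bad:
        print(f"# skipped {raw}: {why}")
```

The script only prints commands; review the output, then run it as root on the router.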

Nullrouting on Solaris

route add -host -blackhole
route add -net -blackhole

Nullrouting on Windows

Windows XP/Vista/7 does not support reject or blackhole arguments via route, thus an unused IP address (e.g. must be used as the target gateway:

route -p add MASK