How To Add a nullroute (blackhole filtering)
In computer networking, a null route or blackhole route is a network route that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.
Null routing has an advantage over classical firewalls since it is available on every potential network router (including all modern operating systems), and adds virtually no performance impact. Due to the nature of high-bandwidth routers, null routing can often sustain higher throughput than conventional firewalls. For this reason, null routes are often used on high-performance core routers to mitigate large-scale denial-of-service attacks before the packets reach a bottleneck, thus avoiding collateral damage from DDoS attacks — although the target of the attack will be inaccessible to anyone.
Nullrouting on BSD (FreeBSD, NetBSD, OpenBSD)
To null route a single IP address (192.168.0.200), use:
route add -host 192.168.0.200 127.0.0.1 -blackhole
To null route a network (192.168.0.0/24), use:
route add -net 192.168.0.0/24 127.0.0.1 -blackhole
If you would rather generate a "Destination Host Unreachable" ICMP response instead of blackholing the traffic, replace -blackhole with -reject:
route add -host 192.168.0.200 127.0.0.1 -reject route add -net 192.168.0.0/24 127.0.0.1 -reject
To enable the nullroutes on boot, add them to /etc/rc.conf:
static_routes="null1 null2"
route_null1="-host 192.168.0.1 127.0.0.1 -blackhole"
route_null2="-net 192.168.0.0/24 127.0.0.1 -blackhole"
Nullrouting on Cisco IOS
ip route 192.168.0.0 255.255.0.0 Null0
Nullrouting on Junipper Networks' JunOS
set routing-options static route 192.168.0.0/24 discard
Nullrouting on Linux (iproute2)
ip route add blackhole 192.168.0.200/32
Nullrouting on Solaris
route add -host 192.168.0.200 127.0.0.1 -blackhole route add -net 192.168.0.0/24 127.0.0.1 -blackhole
Nullrouting on Windows
Windows XP/Vista/7 does not support reject or blackhole arguments via route, thus an unused IP address (e.g. 192.168.0.205) must be used as the target gateway:
route -p add 192.168.0.200 MASK 255.255.255.255 192.168.0.205Print This Post