How do I drop or block an attacker's IP with null routes?

If someone is attacking your system, you can drop the attacker's IP using iptables. Alternatively, you can use the route command to null route the unwanted traffic. A null route (also called a blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.

Null routing (which ISPs sometimes do) prevents your system from sending any data to the remote address, which stops various attacks coming from a single IP (read: spammers or hackers). Note that a route only affects outbound traffic: the attacker's packets still reach your interface, but your host can no longer reply to them, so TCP connections from that address cannot complete.

Null route an IP using the route command

Suppose the bad IP is 65.21.34.4. Type the following command at the shell:

# route add 65.21.34.4 gw 127.0.0.1 lo

You can verify it with the following command:
# netstat -nr
OR
# route -n
You can also use the reject flag (thanks to Gabriele):
# route add -host IP-ADDRESS reject
# route add -host 64.1.2.3 reject

To confirm the null routing status, use the ip command as follows:
# ip route get 64.1.2.3
Output:

RTNETLINK answers: Network is unreachable

Drop the entire subnet 192.67.16.0/24:
# route add -net 192.67.16.0/24 gw 127.0.0.1 lo
You can also use the ip command to null route a network or an IP. Enter:
# ip route add blackhole 202.54.5.2/29
# route -n

How do I remove null routing? How do I remove a blocked IP address?

Simply use the route delete command:
# route delete 65.21.34.4
A route that was added with the -host and reject arguments must be deleted with the same arguments on route del; see the comments below.
This is cool, as you do not have to play with iptables rules.
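
As an added example (not from the original post), the following POSIX shell script wraps the ip route commands above with input validation, a dry-run mode and removal. The function names, the NULLROUTE_DRY_RUN variable and the example session are my own; the ip subcommands (route replace blackhole, route del, route get) are standard iproute2.

```shell
#!/bin/sh
# Added example, not from the original post: add, verify and remove blackhole
# routes with iproute2 after validating the target. Changing routes needs root;
# set NULLROUTE_DRY_RUN=1 to print the ip commands instead of running them.

# valid_target TARGET: accept "A.B.C.D" or "A.B.C.D/LEN" with LEN in 1..32.
# A prefix length of 0 is refused so a typo can never blackhole 0.0.0.0/0,
# anything that is not digits and dots is refused before it reaches ip, and a
# prefix with host bits set (which the kernel rejects anyway) is refused too.
valid_target() {
    _t=$1
    case "$_t" in
        */*) _ip=${_t%/*}; _len=${_t#*/} ;;
        *)   _ip=$_t;      _len=32 ;;
    esac
    case "$_len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_len" -ge 1 ] && [ "$_len" -le 32 ] || return 1
    _n=0
    _int=0
    _rest=$_ip
    while [ -n "$_rest" ]; do
        case "$_rest" in
            *.*) _oct=${_rest%%.*}; _rest=${_rest#*.} ;;
            *)   _oct=$_rest;       _rest= ;;
        esac
        case "$_oct" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$_oct" -le 255 ] || return 1
        _int=$(( _int * 256 + _oct ))   # address as a 32-bit integer
        _n=$(( _n + 1 ))
    done
    [ "$_n" -eq 4 ] || return 1
    # host bits must be zero: 192.67.16.0/24 is fine, 192.67.16.5/24 is not
    [ $(( _int % (1 << (32 - _len)) )) -eq 0 ]
}

# route_cmd ACTION TARGET: the iproute2 command line for add, del or get.
# "replace" is used instead of "add" so re-running the script is harmless.
route_cmd() {
    case "$1" in
        add) echo "ip route replace blackhole $2" ;;
        del) echo "ip route del blackhole $2" ;;
        get) echo "ip route get $2" ;;
        *)   return 1 ;;
    esac
}

# nullroute ACTION TARGET: validate, then run (or print) the command.
# On a live system "nullroute get X" fails for a blackholed X instead of
# printing a next hop, which is the check that the route took effect.
nullroute() {
    valid_target "$2" || { echo "refusing invalid target: $2" >&2; return 2; }
    _cmd=$(route_cmd "$1" "$2") || { echo "unknown action: $1" >&2; return 2; }
    if [ -n "$NULLROUTE_DRY_RUN" ]; then
        echo "$_cmd"
    else
        $_cmd
    fi
}

# Example session (source this file as root, then):
#   nullroute add 65.21.34.4        # single host
#   nullroute add 192.67.16.0/24    # whole subnet
#   nullroute get 65.21.34.4        # verify: no next hop is printed
#   nullroute del 65.21.34.4        # lift the block
```

Because iproute2 commands are not persistent, the same calls have to be replayed at boot (readers below mention /etc/rc.local); the validation step matters most there, since a malformed line in a boot script is not noticed until the next restart.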

Updated for accuracy.

18 comments

1 timmy 05.27.06 at 1:57 pm

Heh, it's a kinda nice feature, since it works, and isn't something you just think of… I guess most people would block it in a FW…

Thanks…

2 Rohit Basu 02.22.08 at 7:06 am

It's a temporary solution…

The permanent one is to find all the IPs which act as attackers and to use the rule for all of them.

Make a shell script for this.

Use netstat to find out the max no. of connections by each IP, sort them out and apply the above rule to all of them.
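
As an added example (mine, not the commenter's), here is one way to do the counting step the comment describes: read netstat -nt output, count ESTABLISHED connections per foreign address, and list the addresses at or above a threshold. The embedded netstat output is constructed sample data, and the threshold value is a placeholder to tune per system.

```shell
#!/bin/sh
# Added example, not from the original post or its commenters: count
# established TCP connections per remote address from `netstat -nt` output
# and list the peers at or above a threshold. A constructed sample of
# netstat output is embedded so the script runs offline.

# Constructed sample of `netstat -nt` output (addresses are made up).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             65.21.34.4:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             65.21.34.4:51235        ESTABLISHED
tcp        0      0 10.0.0.5:80             65.21.34.4:51236        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.10:40001        ESTABLISHED
tcp        0      0 10.0.0.5:80             65.21.34.4:51237        TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:33000      ESTABLISHED'

# top_peers MIN: read netstat -nt lines on stdin and print "COUNT ADDRESS" for
# each foreign address with at least MIN ESTABLISHED connections, highest first.
# Only ESTABLISHED is counted, so TIME_WAIT leftovers do not inflate the totals.
top_peers() {
    awk -v min="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # strip the port, keep the address
            count[peer]++
        }
        END { for (p in count) if (count[p] >= min) print count[p], p }
    ' | sort -rn
}

# sample_suspects: run the counter over the embedded sample with a threshold
# of 3 (a placeholder; pick a value well above normal traffic on the host).
sample_suspects() {
    printf '%s\n' "$SAMPLE_NETSTAT" | top_peers 3
}

# Live use, as root, to review before deciding whether a null route is warranted:
#   netstat -nt | top_peers 50
```

The output is meant for review rather than for feeding straight into route add: a busy NAT gateway or a proxy legitimately opens many connections from one address, so the threshold and the decision to block are a judgment call for the administrator.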

3 Gabriele Callari 02.23.08 at 3:17 pm

Nice idea, perhaps something like

route add 65.21.34.4 reject

will do the same more elegantly?

4 vivek 02.23.08 at 3:55 pm

Gabriele,

The post has been updated. Thanks for pointing out reject option.

5 Gabriele Callari 02.27.08 at 1:14 pm

Thanks to you for the great site, and please note that, as the man page for route says, “This is NOT for firewalling”.

6 James 03.30.08 at 1:27 am

I tried this
route add 65.21.34.4 gw 127.0.0.1 lo

and it fails on XP with the message
route: bad gateway address gw

same error with this
route add 65.21.34.4 reject

route: bad gateway address gw

copied exactly as you have posted.
Any ideas?

7 vivek 03.30.08 at 4:59 am

James,

These instructions were only tested on Linux.

8 carlos 06.05.08 at 9:47 pm

Please note that the syntax of the route command is different between Linux and Windows, but using the right syntax it surely must work.

I think we all know that this kind of measure is for when we are in a hurry, not a definitive solution.

Even though they can be a lifesaver on occasions.

thanks for your work.

9 carlos 06.05.08 at 9:50 pm

by the way …

Does somebody know what the difference is between the use of reject and the use of …. 127.0.0.1 blackhole?

thanks.

10 vivek 06.05.08 at 10:36 pm

reject – send “Network is unreachable” message back to client.

blackhole – No message sent back to client

11 carlos 06.05.08 at 11:37 pm

Thanks, Vivek.
This is important to me, because I have to decide between these two commands.

..say… What would be more adequate for a hacker?

receive a message saying “network is unreachable” or no message at all?

maybe “network is unreachable”?

or… no message…

I am thinking. Any suggestion?

12 Kirrus 09.13.08 at 7:47 pm

Carlos: Blackhole is better.

13 SeBas 01.23.09 at 5:17 pm

I could not delete the rejected IP with the command given in the tutorial. I'm running Debian.
# route delete 10.0.0.19
SIOCDELRT: No such process

But I was able to delete the rejected IP route with this command:
# route del -host 10.0.0.19 reject

Cheers,

14 Adam 03.26.09 at 6:11 pm

I liked the command used by SeBas to remove the block….

It worked for me:
route del -host 10.0.0.19 reject

got something to learn

15 zsentient 04.01.09 at 6:01 pm

So to make this persistent across reboots, what is the syntax for the /etc/sysconfig/network/routes file?

16 Vivek Gite 04.01.09 at 6:20 pm

Add commands to /etc/rc.local file.

17 zsentient 04.01.09 at 6:51 pm

Thanks Vivek, not the answer I was looking for, but I am sure that would work:)

18 chika 05.20.09 at 9:42 pm

drop entire subnet
# route add -net 192.67.16.0/24 gw 127.0.0.1 lo

how to enable again?
