How Do I Drop or Block Attackers IP Address With Null Routes On a Linux?

by on May 25, 2006 · 34 comments· LAST UPDATED December 21, 2014

in , ,

Someone might attack on your Linux based system. You can drop attacker IP using IPtables. However, you can use route or ip command to null route unwanted traffic. A null route (also called as blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.

You can nullroute (like some time ISP do prevent your network device from sending any data to a remote system) stopping various attacks coming from a single IP (read as spammers or hackers) using the following syntax on a Linux based system.

Nullroute IP using route command

Suppose that bad IP is, type the following command at shell:
# route add gw lo
You can verify it with the following command:
# netstat -nr
# route -n
You can also use reject target (a hat tip to Gabriele):
# route add -host IP-ADDRESS reject
# route add -host reject

To confirm the null routing status, use the ip command as follows:
# ip route get

RTNETLINK answers: Network is unreachable

To drop entire subnet, type:
# route add -net gw lo

Null routing using ip command

While traversing the RPDB, any route lookup which matches a rule with the blackhole rule type will cause the packet to be dropped. No ICMP will be sent and no packet will be forwarded. The syntax is follows for the ip command:
# ip route add blackhole
# ip route add blackhole from
# ip rule add blackhole to
# ip route

How do I remove null routing? How do I remove blocked IP address?

Simple use the route delete command as follows:
# route delete
# route del -host reject
Or use NA command to delete route:
# ip route delete dev eth0

This is cool, as you do not have to play with iptables rules as described here.

See also:
TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 34 comments… read them below or add one }

1 timmy May 27, 2006 at 1:57 pm

Heh, it’s kinda nice feature, since it works, and isn’t something you just think of… I guess most people would block it in a FW…



2 Rohit Basu February 22, 2008 at 7:06 am

Its a temporary solution…

the parmanent one is th find all the ips which acts as an attacker and to use the rule for all.

make a shell script for this.

use netstat to find out max no. of connection by each ip short them out and apply the above rule for all of them.


3 Gabriele Callari February 23, 2008 at 3:17 pm

Nice idea, perhaps something like

route add reject

will do the same more elegantly?


4 Ian May 3, 2010 at 10:32 pm

the reject is not more elegant, it’s better to black hole them certainly for discouraging attackers as they have to wait for a timeout for a response


5 nixCraft February 23, 2008 at 3:55 pm


The post has been updated. Thanks for pointing out reject option.


6 Gabriele Callari February 27, 2008 at 1:14 pm

Thanks to you for the great site, and please note that, as the man page for route says, “This is NOT for firewalling”.


7 James March 30, 2008 at 1:27 am

i tried this
route add gw lo

and it fails on XP with the message
route: bad gateway address gw

same error with this
route add reject

route: bad gateway address gw

copied exactly as you have posted
any ideas ?


8 nixCraft March 30, 2008 at 4:59 am


These instructions only tested on Linux.


9 carlos June 5, 2008 at 9:47 pm

please note that syntaxis is different for the route command from linux to windows, but using the right syntaxis surely it must work.

I think that all we know that this kind of measures are when we are in a hurry, not a definitive solution.

Even though they can be a lifesaver on occasions.

thanks for your work.


10 carlos June 5, 2008 at 9:50 pm

by the way …

Does somebody know what is the difference between the use of reject and the use of …. blackhole?



11 nixCraft June 5, 2008 at 10:36 pm

reject – send “Network is unreachable” message back to client.

blackhole – No message sent back to client


12 carlos June 5, 2008 at 11:37 pm

thanks.. Vivek.
this is important to me, because I have to decide between this two commands.

..say… What would be more adecuate to a hacker?

receive a message saying “network is unreachable” or no message at all?

maybe “network is unreachable”?

or… no message…

I am thinking. Any suggestion?


13 Kirrus September 13, 2008 at 7:47 pm

Carlos: Blackhole is better.


14 SeBas January 23, 2009 at 5:17 pm

I could not delete the rejected ip with the command given in the tutorial. I’m running Debian.
# route delete
SIOCDELRT: No such process

But I was able to delete the rejected ip route with this command:
# route del -host reject



15 Adam March 26, 2009 at 6:11 pm

I liked the command used by SeBas to remove the block….

It worked for me:
route del -host reject

got something to learn


16 zsentient April 1, 2009 at 6:01 pm

So to make this persistent across reboots, what is the syntax for the /etc/sysconfig/network/routes file?


17 nixCraft April 1, 2009 at 6:20 pm

Add commands to /etc/rc.local file.


18 zsentient April 1, 2009 at 6:51 pm

Thanks Vivek, not the answer I was looking for, but I am sure that would work:)


19 chika May 20, 2009 at 9:42 pm

drop entire subnet
# route add -net gw lo

how to enable again?


20 Damien Jorgensen August 1, 2009 at 8:08 pm

Its sad how easy it is to forget simple commands like this when you dont use them everyday

Thanks for the blog, saved me a lot of hassle and now null routing works a treat



21 Haji August 28, 2009 at 5:49 pm

I want to Block inetnum range IP like – via route add -net command. which command must we use?


22 nixCraft August 29, 2009 at 6:07 am

Use iptables.


23 Haji August 29, 2009 at 10:35 am

Please give me the iptables usage for that.


24 Jackie October 22, 2010 at 9:23 am

Awesome tutorial! But when you reboot routes are erased.


25 Benny February 10, 2011 at 4:42 pm

Take a look at ifroute.


26 Mr.Hien April 2, 2011 at 2:58 pm

Using routing policy database (RPDB) maybe work same!
Try it:

ip rule add blackhole to


27 Piet April 10, 2011 at 7:30 am

I use this entry in a script.
route add -net netmask reject

But how can I drop this entry without booting my machine?


28 J. Dorn August 31, 2014 at 10:34 pm

to remove this nullroute without a reboot use

route del -net netmask


29 R. Novakov March 26, 2012 at 7:29 am

You can use this to prevent network.

route add -net netmask reject


30 Brad September 17, 2013 at 11:35 pm

fail2ban is a solution worth looking into. If on a fedora based distro you will need epel repositories. Install with apt-get on debian or yum on fedora/CenOS etc.
Works fine, lasts a long time.


31 Web Hosting in Pakistan September 21, 2013 at 5:28 pm

i getting this error after deleting null rout IP: already routed

[root@vpanel ~]# route delete xxx.xx.xx.xx
SIOCDELRT: No such process
[root@vpanel ~]#


32 Pushkar July 9, 2014 at 11:01 am

Please try below command.

# route del xxx.xx.xx.xx reject


33 Dave Lamb December 22, 2014 at 5:43 pm

Using a null route is all good if you know the source IP range, but it quickly becomes unmanageable for an internet facing server. A better and more automated solution is fail2ban. Then configure the /etc/jail.conf file for the service you are protecting. In my case I have it protecting an SSH server. After 3 failed login attempts it automatically configures iptables to deny any new connections from the source IP.

It has lots of options like permanently banning a source address or just blocking it for a short time frame. Exceptions and logging can be configured as well. Blocking after 3 failed attempts is enough to thwart most attacks.


34 Kristian Kirilov December 23, 2014 at 7:26 am

Do you understand what the line actually do?
route add gw lo

When packet is received from it always get connected to the host (if you not doped the package with iptables) it is processed and when it have to send the answer to with the needed data the static route tell to forward this package to the loopback interface, so the package never come back to the (bad attacker host)

Please correct me if i’m wrong.
Thanks ;-)


Leave a Comment

Tagged as: , , , , , ,

Previous post:

Next post: