How do I Drop or block attackers IP with null routes?

by on May 25, 2006 · 30 comments· LAST UPDATED February 23, 2008

in , ,

Someone might attack on your system. You can drop attacker IP using IPtables. However, you can use route command to null route unwanted traffic. A null route (also called as blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.

You can nullroute (like some time ISP do prevent your network device from sending any data to a remote system.) stopping various attacks coming from a single IP (read as spammers or hackers):

Nullroute IP using route command

Suppose that bad IP is 65.21.34.4, type following command at shell:

# route add 65.21.34.4 gw 127.0.0.1 lo

You can verify it with following command:
# netstat -nr
OR
# route -n
You can also use reject target (thanks to Gabriele):
# route add -host IP-ADDRESS reject
# route add -host 64.1.2.3 reject

To confirm the null routing status, use ip command as follows:
# ip route get 64.1.2.3
Output:

RTNETLINK answers: Network is unreachable

Drop entire subnet 192.67.16.0/24:
# route add -net 192.67.16.0/24 gw 127.0.0.1 lo
You can also use ip command to null route network or ip, enter:
# ip route add blackhole 202.54.5.2/29
# route -n

How do I remove null routing? How do I remove blocked IP address?

Simple use router delete command,
# route delete 65.21.34.4
This is cool, as you do not have to play with iptables rules.

See also:

Updated for accuracy.

TwitterFacebookGoogle+PDF versionFound an error/typo on this page? Help us!

{ 30 comments… read them below or add one }

1 timmy May 27, 2006 at 1:57 pm

Heh, it’s kinda nice feature, since it works, and isn’t something you just think of… I guess most people would block it in a FW…

Thnaks…

Reply

2 Rohit Basu February 22, 2008 at 7:06 am

Its a temporary solution…

the parmanent one is th find all the ips which acts as an attacker and to use the rule for all.

make a shell script for this.

use netstat to find out max no. of connection by each ip short them out and apply the above rule for all of them.

Reply

3 Gabriele Callari February 23, 2008 at 3:17 pm

Nice idea, perhaps something like

route add 65.21.34.4 reject

will do the same more elegantly?

Reply

4 Ian May 3, 2010 at 10:32 pm

the reject is not more elegant, it’s better to black hole them certainly for discouraging attackers as they have to wait for a timeout for a response

Reply

5 nixCraft February 23, 2008 at 3:55 pm

Gabriele,

The post has been updated. Thanks for pointing out reject option.

Reply

6 Gabriele Callari February 27, 2008 at 1:14 pm

Thanks to you for the great site, and please note that, as the man page for route says, “This is NOT for firewalling”.

Reply

7 James March 30, 2008 at 1:27 am

i tried this
route add 65.21.34.4 gw 127.0.0.1 lo

and it fails on XP with the message
route: bad gateway address gw

same error with this
route add 65.21.34.4 reject

route: bad gateway address gw

copied exactly as you have posted
any ideas ?

Reply

8 nixCraft March 30, 2008 at 4:59 am

James,

These instructions only tested on Linux.

Reply

9 carlos June 5, 2008 at 9:47 pm

please note that syntaxis is different for the route command from linux to windows, but using the right syntaxis surely it must work.

I think that all we know that this kind of measures are when we are in a hurry, not a definitive solution.

Even though they can be a lifesaver on occasions.

thanks for your work.

Reply

10 carlos June 5, 2008 at 9:50 pm

by the way …

Does somebody know what is the difference between the use of reject and the use of …. 127.0.0.1 blackhole?

thanks.

Reply

11 nixCraft June 5, 2008 at 10:36 pm

reject – send “Network is unreachable” message back to client.

blackhole – No message sent back to client

Reply

12 carlos June 5, 2008 at 11:37 pm

thanks.. Vivek.
this is important to me, because I have to decide between this two commands.

..say… What would be more adecuate to a hacker?

receive a message saying “network is unreachable” or no message at all?

maybe “network is unreachable”?

or… no message…

I am thinking. Any suggestion?

Reply

13 Kirrus September 13, 2008 at 7:47 pm

Carlos: Blackhole is better.

Reply

14 SeBas January 23, 2009 at 5:17 pm

I could not delete the rejected ip with the command given in the tutorial. I’m running Debian.
# route delete 10.0.0.19
SIOCDELRT: No such process

But I was able to delete the rejected ip route with this command:
# route del -host 10.0.0.19 reject

Cheers,

Reply

15 Adam March 26, 2009 at 6:11 pm

I liked the command used by SeBas to remove the block….

It worked for me:
route del -host 10.0.0.19 reject

got something to learn

Reply

16 zsentient April 1, 2009 at 6:01 pm

So to make this persistent across reboots, what is the syntax for the /etc/sysconfig/network/routes file?

Reply

17 nixCraft April 1, 2009 at 6:20 pm

Add commands to /etc/rc.local file.

Reply

18 zsentient April 1, 2009 at 6:51 pm

Thanks Vivek, not the answer I was looking for, but I am sure that would work:)

Reply

19 chika May 20, 2009 at 9:42 pm

drop entire subnet
# route add -net 192.67.16.0/24 gw 127.0.0.1 lo

how to enable again?

Reply

20 Damien Jorgensen August 1, 2009 at 8:08 pm

Its sad how easy it is to forget simple commands like this when you dont use them everyday

Thanks for the blog, saved me a lot of hassle and now null routing works a treat

Damien

Reply

21 Haji August 28, 2009 at 5:49 pm

Hi,
I want to Block inetnum range IP like 58.208.0.0 – 58.223.255.255 via route add -net command. which command must we use?

Reply

22 nixCraft August 29, 2009 at 6:07 am

Use iptables.

Reply

23 Haji August 29, 2009 at 10:35 am

Please give me the iptables usage for that.

Reply

24 Jackie October 22, 2010 at 9:23 am

Awesome tutorial! But when you reboot routes are erased.

Reply

25 Benny February 10, 2011 at 4:42 pm

Take a look at ifroute.

Reply

26 Mr.Hien April 2, 2011 at 2:58 pm

Using routing policy database (RPDB) maybe work same!
Try it:

ip rule add blackhole to 65.21.34.4

Reply

27 Piet April 10, 2011 at 7:30 am

I use this entry in a script.
route add -net 85.90.162.0 netmask 255.255.255.0 reject

But how can I drop this entry without booting my machine?

Reply

28 R. Novakov March 26, 2012 at 7:29 am

You can use this to prevent network.

route add -net 10.0.0.0 netmask 255.0.0.0 reject

Reply

29 Brad September 17, 2013 at 11:35 pm

fail2ban is a solution worth looking into. If on a fedora based distro you will need epel repositories. Install with apt-get on debian or yum on fedora/CenOS etc.
Works fine, lasts a long time.

Reply

30 Web Hosting in Pakistan September 21, 2013 at 5:28 pm

i getting this error after deleting null rout IP: already routed

[root@vpanel ~]# route delete xxx.xx.xx.xx
SIOCDELRT: No such process
[root@vpanel ~]#

Reply

Leave a Comment

Tagged as: , , , , , , , , , , , , , , , , , , , , , ,

Previous post:

Next post: