How do I Drop or block attackers IP with null routes?
Someone might attack on your system. You can drop attacker IP using IPtables. However, you can use route command to null route unwanted traffic. A null route (also called as blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.
You can nullroute (like some time ISP do prevent your network device from sending any data to a remote system.) stopping various attacks coming from a single IP (read as spammers or hackers):
Nullroute IP using route command
Suppose that bad IP is 65.21.34.4, type following command at shell:
# route add 65.21.34.4 gw 127.0.0.1 lo
You can verify it with following command:
# netstat -nr
OR
# route -n
You can also use reject target (thanks to Gabriele):
# route add -host IP-ADDRESS reject
# route add -host 64.1.2.3 reject
To confirm the null routing status, use ip command as follows:
# ip route get 64.1.2.3
Output:
RTNETLINK answers: Network is unreachable
Drop entire subnet 192.67.16.0/24:
# route add -net 192.67.16.0/24 gw 127.0.0.1 lo
You can also use ip command to null route network or ip, enter:
# ip route add blackhole 202.54.5.2/29
# route -n
How do I remove null routing? How do I remove blocked IP address?
Simple use router delete command,
# route delete 65.21.34.4
This is cool, as you do not have to play with iptables rules.
See also:
- man pages route, ip and netstat command
- Blocking incoming access to selected/specific ip address
- How do I block outgoing access to selected/specific ip address?
Updated for accuracy.
Want to stay up to date with the latest Linux tips, news and announcements? Subscribe to our free e-mail newsletter or RSS feed to get all updates.
You can Email this page to a friend.
You may also be interested in other helpful articles:
- Protect Your Network from spamming, scanning, harvesting and dDoS attacks with DROP List
- Linux Iptables block outgoing access to selected or specific ip address
- Linux Iptables block all network traffic
- Linux Iptables block incoming access to selected or specific ip address
- How to: Linux Iptables block common attacks
Discussion on This Article:
Leave a Reply
We encourage your comments, and suggestions. But please stay on topic, be polite, and avoid spam. Thank you very much for stopping by our site!
Tags: attacker, blackhole filtering, blackhole route, block_ip, hackers, ip command, ip default gateway, ip gateway, Iptables, isp, linux commands, linux firewall, linux null route ip, netstat command, null route command, null set, null_route_ip, route command, route default gateway, route_command, shell route, spammers, sys_admin, tcp ip



Heh, it’s kinda nice feature, since it works, and isn’t something you just think of… I guess most people would block it in a FW…
Thnaks…
Its a temporary solution…
the parmanent one is th find all the ips which acts as an attacker and to use the rule for all.
make a shell script for this.
use netstat to find out max no. of connection by each ip short them out and apply the above rule for all of them.
Nice idea, perhaps something like
route add 65.21.34.4 rejectwill do the same more elegantly?
Gabriele,
The post has been updated. Thanks for pointing out reject option.
Thanks to you for the great site, and please note that, as the man page for route says, “This is NOT for firewalling”.
i tried this
route add 65.21.34.4 gw 127.0.0.1 lo
and it fails on XP with the message
route: bad gateway address gw
same error with this
route add 65.21.34.4 reject
route: bad gateway address gw
copied exactly as you have posted
any ideas ?
James,
These instructions only tested on Linux.
please note that syntaxis is different for the route command from linux to windows, but using the right syntaxis surely it must work.
I think that all we know that this kind of measures are when we are in a hurry, not a definitive solution.
Even though they can be a lifesaver on occasions.
thanks for your work.
by the way …
Does somebody know what is the difference between the use of reject and the use of …. 127.0.0.1 blackhole?
thanks.
reject - send “Network is unreachable” message back to client.
blackhole - No message sent back to client
thanks.. Vivek.
this is important to me, because I have to decide between this two commands.
..say… What would be more adecuate to a hacker?
receive a message saying “network is unreachable” or no message at all?
maybe “network is unreachable”?
or… no message…
I am thinking. Any suggestion?