Comments on: How do I Drop or block attackers IP with null routes?

By: Piet

Piet — Sun, 10 Apr 2011 07:30:56 +0000

I use this entry in a script.
route add -net 85.90.162.0 netmask 255.255.255.0 reject

But how can I drop this entry without booting my machine?

By: Mr.Hien

Mr.Hien — Sat, 02 Apr 2011 14:58:00 +0000

Using routing policy database (RPDB) maybe work same!
Try it:

ip rule add blackhole to 65.21.34.4

By: Benny

Benny — Thu, 10 Feb 2011 16:42:03 +0000

Take a look at ifroute.

By: Jackie

Jackie — Fri, 22 Oct 2010 09:23:06 +0000

Awesome tutorial! But when you reboot routes are erased.

By: Ian

Ian — Mon, 03 May 2010 22:32:48 +0000

the reject is not more elegant, it’s better to black hole them certainly for discouraging attackers as they have to wait for a timeout for a response

By: Haji

Haji — Sat, 29 Aug 2009 10:35:19 +0000

Please give me the iptables usage for that.

By: Vivek Gite

Vivek Gite — Sat, 29 Aug 2009 06:07:47 +0000

Use iptables.

By: Haji

Haji — Fri, 28 Aug 2009 17:49:06 +0000

Hi,
I want to Block inetnum range IP like 58.208.0.0 – 58.223.255.255 via route add -net command. which command must we use?

By: Damien Jorgensen

Damien Jorgensen — Sat, 01 Aug 2009 20:08:43 +0000

Its sad how easy it is to forget simple commands like this when you dont use them everyday

Thanks for the blog, saved me a lot of hassle and now null routing works a treat

Damien

By: chika

chika — Wed, 20 May 2009 21:42:34 +0000

drop entire subnet
# route add -net 192.67.16.0/24 gw 127.0.0.1 lo

how to enable again?

By: zsentient

zsentient — Wed, 01 Apr 2009 18:51:54 +0000

Thanks Vivek, not the answer I was looking for, but I am sure that would work:)

By: Vivek Gite

Vivek Gite — Wed, 01 Apr 2009 18:20:06 +0000

Add commands to /etc/rc.local file.

By: zsentient

zsentient — Wed, 01 Apr 2009 18:01:56 +0000

So to make this persistent across reboots, what is the syntax for the /etc/sysconfig/network/routes file?

By: Adam

Adam — Thu, 26 Mar 2009 18:11:04 +0000

I liked the command used by SeBas to remove the block….

It worked for me:
route del -host 10.0.0.19 reject

got something to learn

By: SeBas

SeBas — Fri, 23 Jan 2009 17:17:23 +0000

I could not delete the rejected ip with the command given in the tutorial. I’m running Debian.
# route delete 10.0.0.19
SIOCDELRT: No such process

But I was able to delete the rejected ip route with this command:
# route del -host 10.0.0.19 reject

Cheers,

By: Kirrus

Kirrus — Sat, 13 Sep 2008 19:47:32 +0000

Carlos: Blackhole is better.

By: carlos

carlos — Thu, 05 Jun 2008 23:37:01 +0000

thanks.. Vivek.
this is important to me, because I have to decide between this two commands.

..say… What would be more adecuate to a hacker?

receive a message saying “network is unreachable” or no message at all?

maybe “network is unreachable”?

or… no message…

I am thinking. Any suggestion?

By: vivek

vivek — Thu, 05 Jun 2008 22:36:43 +0000

reject – send “Network is unreachable” message back to client.

blackhole – No message sent back to client

By: carlos

carlos — Thu, 05 Jun 2008 21:50:43 +0000

by the way …

Does somebody know what is the difference between the use of reject and the use of …. 127.0.0.1 blackhole?

thanks.

By: carlos

carlos — Thu, 05 Jun 2008 21:47:41 +0000

please note that syntaxis is different for the route command from linux to windows, but using the right syntaxis surely it must work.

I think that all we know that this kind of measures are when we are in a hurry, not a definitive solution.

Even though they can be a lifesaver on occasions.

thanks for your work.