Wednesday, February 4, 2015

HOWTO drop or block attacker IP addresses with null routes on Linux

If someone is trying to attack your Linux system, you can drop the attacker's IP using iptables, or you can use the route or ip command to null route the unwanted traffic.
A "null route" (also called a blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called "blackhole filtering".

You can "nullroute", i.e. stop, various attacks coming from a single IP (spammers or hackers) using the following methods on a Linux-based system:

Nullroute IP using route command

Let's suppose that the following IP is a bad one: Then you can type the following command:
root@xdev:~# route add gw lo

You can verify it with the following commands:
root@xdev:~# netstat -nr
root@xdev:~# route -n

You can also reject a target (a reject route answers with an ICMP unreachable instead of silently dropping the packets):
root@xdev:~# route add -host reject

To confirm the null routing status, you can use the ip command as follows:
root@xdev:~# ip route get
RTNETLINK answers: Network is unreachable

To drop an entire subnet, type:
root@xdev:~# route add -net gw lo

Null routing using ip command

While traversing the RPDB (routing policy database), any route lookup which matches a rule with the blackhole rule type causes the packet to be dropped. No ICMP error is sent and no packet is forwarded. The syntax for the ip command is as follows:

root@xdev:~# ip route add blackhole
root@xdev:~# ip route add blackhole from
root@xdev:~# ip rule add blackhole to
root@xdev:~# ip route

How to remove null routing or remove blocked IP address:

Now let's say that the attacker wasn't an attacker after all, or that you want to clean up the routing table on your system.
For that, you can use the route delete command as follows:
root@xdev:~# route delete
root@xdev:~# route del -host reject

Or use the ip command to delete the route:
root@xdev:~# ip route delete dev eth0
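As an added example (not from the original post), here is a small shell helper that wraps the ip commands above: it validates the target, refuses to null-route loopback or one of the host's own addresses, adds the blackhole route, confirms the entry with ip route show, and removes it again. The function names and the DRY_RUN variable are my own assumptions.

```shell
#!/usr/bin/env bash
# Add, verify and remove blackhole (null) routes with the ip command.
# Example code written for this note, not part of the original post.
# Assumptions: iproute2 is installed and the script runs as root; with
# DRY_RUN=1 the ip commands are printed instead of executed.

# run: execute a command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# is_valid_ipv4: accept a dotted quad, optionally with a /prefix (CIDR block)
is_valid_ipv4() {
    local addr="${1%%/*}" prefix="${1#*/}" octet oldifs="$IFS"
    [ "$prefix" = "$1" ] && prefix=32        # no "/" given: a single host
    case "$prefix" in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    IFS=.; set -f; set -- $addr; set +f; IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# blackhole_present: true if an entry for exactly this target is in the table
blackhole_present() {
    ip -4 route show | awk -v t="${1%/32}" '$1 == "blackhole" && $2 == t { f = 1 } END { exit !f }'
}

# blackhole_add: null-route a host or CIDR block, then confirm the entry exists
blackhole_add() {
    local target="$1"
    is_valid_ipv4 "$target" || { echo "invalid IPv4 target: $target" >&2; return 2; }
    # Never null-route loopback or one of this host's own addresses: that cuts
    # off your own replies (and your SSH session) rather than the attacker.
    case "$target" in 127.*) echo "refusing loopback: $target" >&2; return 2;; esac
    if [ "${DRY_RUN:-0}" != "1" ] && ip route get "${target%%/*}" 2>/dev/null | grep -q '^local '; then
        echo "refusing a local address: $target" >&2; return 2
    fi
    run ip route add blackhole "$target" || return 1
    [ "${DRY_RUN:-0}" = "1" ] || blackhole_present "$target"
}

# blackhole_del: remove the entry again, e.g. after a false positive
blackhole_del() {
    is_valid_ipv4 "$1" || return 2
    run ip route del blackhole "$1"
}
```

Source the file and call, for example, `blackhole_add 203.0.113.7` (a constructed documentation address) as root; with `DRY_RUN=1` it only prints `ip route add blackhole 203.0.113.7` so you can review what would run.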

Now let's kick some attackers off your systems! ;)