Wednesday, February 4, 2015

HOWTO drop or block attacker IP addresses with null routes on Linux

If someone is trying to attack your Linux system, you can drop the attacker's IP using iptables, or you can use the route or ip command to null route the unwanted traffic.
A "null route" (also called a blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, so it acts as a very limited firewall. Using null routes this way is often called "blackhole filtering".

You can "nullroute" (stop attacks coming from a single IP, such as a spammer or an intruder) using the following methods on a Linux-based system:

Nullroute IP using route command

Let's suppose that the following IP is a bad one: 178.137.163.126. Then you can type the following command:
root@xdev:~# route add 178.137.163.126 gw 127.0.0.1 lo

You can verify it with the following commands:
root@xdev:~# netstat -nr
OR
root@xdev:~# route -n

You can also reject a target:
root@xdev:~# route add -host 178.137.163.126 reject

To confirm the null routing status, you can use the ip command as follows:
root@xdev:~# ip route get 178.137.163.126
RTNETLINK answers: Network is unreachable

To drop entire subnet 192.67.16.0/24, type:
root@xdev:~# route add -net 192.67.16.0/24 gw 127.0.0.1 lo


Null routing using ip command

While traversing the RPDB, any route lookup that matches a rule of the blackhole type causes the packet to be dropped. No ICMP message is sent and no packet is forwarded. The syntax for the ip command is as follows:

root@xdev:~# ip route add blackhole 202.54.5.2/29
root@xdev:~# ip route add blackhole from 202.54.1.2
root@xdev:~# ip rule add blackhole to 10.18.16.1/29
root@xdev:~# ip route


How to remove a null route or unblock an IP address:

Now let's say that the attacker wasn't an attacker after all, or that you want to clean up the routing table on your system.
For that, you can use the route delete command as follows:
root@xdev:~# route delete 178.137.163.126
OR
root@xdev:~# route del -host 178.137.163.126 reject

Or use the ip command to delete the route:
root@xdev:~# ip route delete 1.2.3.4/26 dev eth0
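The following POSIX shell script is an added example (not part of the original post) that wraps the ip route add blackhole / ip route del blackhole commands from the two sections above into a small tool. Before touching the routing table it validates the address or CIDR, and it refuses the two prefixes that would cut the host off from everything (the default route and loopback); with DRY_RUN=1 it only prints the ip commands, so you can review a batch before applying it. The script name blackhole.sh, the DRY_RUN variable and the list-file format are my own assumptions; it requires iproute2 and root (CAP_NET_ADMIN) when not in dry-run mode.

```shell
#!/bin/sh
# Added example (not from the original post): a wrapper around
# "ip route add/del blackhole" with input validation and a dry-run mode.
# Assumes iproute2's "ip" is installed and that the caller is root when
# DRY_RUN is not set to 1.

# Print "a.b.c.d/n" for an IPv4 address or CIDR; a bare address becomes /32.
# Returns 1 (and prints nothing) if the input is not a valid IPv4 prefix.
normalize_prefix() {
    addr=${1%/*}
    if [ "$addr" = "$1" ]; then plen=32; else plen=${1#*/}; fi
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s/%s\n' "$addr" "$plen"
}

# Prefixes that must never be blackholed from this host: the default route
# and loopback.  Extend the pattern with your own management networks.
protected_prefix() {
    case "$1" in
        0.0.0.0/*|127.*) return 0 ;;
    esac
    return 1
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

blackhole_add() {
    prefix=$(normalize_prefix "$1") || { echo "invalid IPv4 prefix: $1" >&2; return 2; }
    if protected_prefix "$prefix"; then
        echo "refusing to blackhole $prefix: it would cut off this host" >&2
        return 3
    fi
    run ip route add blackhole "$prefix"
}

blackhole_del() {
    prefix=$(normalize_prefix "$1") || { echo "invalid IPv4 prefix: $1" >&2; return 2; }
    run ip route del blackhole "$prefix"
}

# Exit 0 if a blackhole route for the prefix is currently installed.
blackhole_status() {
    prefix=$(normalize_prefix "$1") || return 2
    ip route show "$prefix" | grep -q '^blackhole '
}

# Blackhole every prefix in a file (one per line, '#' starts a comment).
# Invalid or refused lines are reported but do not stop the batch.
blackhole_from_list() {
    list=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -- $line
        [ $# -gt 0 ] || continue
        blackhole_add "$1" || rc=1
    done < "$list"
    return $rc
}

# Command-line entry point, e.g.:  DRY_RUN=1 sh blackhole.sh add 178.137.163.126
case "${1:-}" in
    add)    blackhole_add "$2" ;;
    del)    blackhole_del "$2" ;;
    status) blackhole_status "$2" ;;
    list)   blackhole_from_list "$2" ;;
esac
```

Two caveats worth keeping in mind when you use this. Routes added with ip or route are not persistent and disappear at the next reboot, so keep the list file as the source of truth and re-apply it from a boot script. And a blackhole route only drops packets this host sends or forwards toward the prefix: the attacker's packets still arrive on the interface, it is the replies that vanish (so a TCP handshake from that address can never complete). If you need inbound packets dropped at the door, iptables is the right tool; the null route is the cheap, dependency-free option. Note also that ip route get reports "Invalid argument" for a blackhole route rather than the "Network is unreachable" shown above for a reject route, which is why the status check uses ip route show instead.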

Now let's kick some attackers off your systems! ;)