Thursday, 19 December 2013

How To Add a nullroute (blackhole)

In computer networking, a null route or blackhole route is a network route that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.
Null routing has an advantage over classical firewalls since it is available on every potential network router (including all modern operating systems), and adds virtually no performance impact. Due to the nature of high-bandwidth routers, null routing can often sustain higher throughput than conventional firewalls. For this reason, null routes are often used on high-performance core routers to mitigate large-scale denial-of-service attacks before the packets reach a bottleneck, thus avoiding collateral damage from DDoS attacks — although the target of the attack will be inaccessible to anyone.

Nullrouting on BSD (FreeBSD, NetBSD, OpenBSD)
To null route a single IP address (192.168.0.200), use:
route add -host 192.168.0.200 127.0.0.1 -blackhole
To null route a network (192.168.0.0/24), use:
route add -net 192.168.0.0/24 127.0.0.1 -blackhole
If you would rather generate a "Destination Host Unreachable" ICMP response instead of blackholing the traffic, replace -blackhole with -reject:
route add -host 192.168.0.200 127.0.0.1 -reject
route add -net 192.168.0.0/24 127.0.0.1 -reject
To enable the nullroutes on boot, add them to /etc/rc.conf:
static_routes="null1 null2"
route_null1="-host 192.168.0.1 127.0.0.1 -blackhole"
route_null2="-net 192.168.0.0/24 127.0.0.1 -blackhole"

Nullrouting on Cisco IOS
ip route 192.168.0.0 255.255.0.0 Null0
Nullrouting on Juniper Networks' JunOS
set routing-options static route 192.168.0.0/24 discard
Nullrouting on Linux (iproute2)
ip route add blackhole 192.168.0.200/32
Nullrouting on Solaris
route add -host 192.168.0.200 127.0.0.1 -blackhole
route add -net 192.168.0.0/24 127.0.0.1 -blackhole
Nullrouting on Windows
Windows XP/Vista/7 do not support reject or blackhole arguments via route, so an unused IP address (e.g. 192.168.0.205) must be used as the target gateway:
route -p add 192.168.0.200 MASK 255.255.255.255 192.168.0.205
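
An added example, not part of the original post: a Python helper that checks a list of IPv4 targets before turning them into the Linux iproute2 commands shown above. It rejects entries with host bits set (192.168.0.200/24 would otherwise widen to the whole /24), refuses protected prefixes, and uses iproute2's unreachable route type as the counterpart of -reject on BSD. The function name and the PROTECTED list are assumptions made for this example.

```python
import ipaddress

# Assumption: prefixes that must never be null-routed (loopback plus a
# hypothetical management host). Adjust for the real network.
PROTECTED = ("127.0.0.0/8", "192.168.1.10/32")


def plan_nullroutes(targets, protected=PROTECTED, reject=False):
    """Return 'ip route add ...' commands for IPv4 targets.

    Raises ValueError on malformed or unsafe input.
    """
    keep = [ipaddress.IPv4Network(p) for p in protected]
    nets = []
    for raw in targets:
        # Strict parsing: '192.168.0.200/24' has host bits set and is
        # rejected instead of being widened to 192.168.0.0/24.
        net = ipaddress.IPv4Network(raw.strip())
        if net.prefixlen == 0:
            raise ValueError("refusing to null-route the default route")
        for k in keep:
            if net.overlaps(k):
                raise ValueError(f"{net} overlaps protected prefix {k}")
        nets.append(net)
    # blackhole drops silently; unreachable answers with an ICMP host
    # unreachable message, like -reject on BSD.
    kind = "unreachable" if reject else "blackhole"
    # collapse_addresses drops duplicates and routes already covered by
    # a wider one, so the routing table stays small.
    merged = ipaddress.collapse_addresses(nets)
    return [f"ip route add {kind} {n}" for n in merged]


if __name__ == "__main__":
    # Constructed sample input using the addresses from the post.
    sample = ["192.168.0.200", "192.168.0.0/24", "192.168.0.200"]
    for cmd in plan_nullroutes(sample):
        print(cmd)
```

The helper only prints commands; run them as root to install the routes, then list them with `ip route show type blackhole`.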
