Mitigating DoS Attacks with a null (or Blackhole) Route on Linux

How to null routes work

When you define a route on a Linux/Unix system it tells the system in order to communicate with the specified IP address you will need to route your network communication to this specific place.

When you define a null route it simply tells the system to drop the network communication that is designated to the specified IP address. What this means is any TCP based network communication will not be able to be established as your server will no longer be able to send an SYN/ACK reply. Any UDP based network communication however will still be received; however your system will no longer send any response to the originating IP.

In less technical terms this means your system will receive data from the attackers but no longer respond to it.

Adding and Removing a null route

How to add a null route

In our example we are receiving unwanted SSH login attempts from 192.168.0.195

 root@server:~# netstat -na | grep :22
 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
 tcp 0 0 192.168.0.197:22 192.168.0.195:57776 ESTABLISHED

To add the null route we will use the ip command

 root@server:~# ip route add blackhole 192.168.0.195/32

To verify the route is in place will will use ip route show

 root@server:~# ip route show
 default via 192.168.0.1 dev eth0 metric 100
 blackhole 192.168.0.195

After a little while the established ssh connections will time out and all subsequent connections from the blocked ip will receive the following.

 baduser@attacker:~$ ssh 192.168.0.197
 ssh: connect to host 192.168.0.197 port 22: No route to host

Removing a null route

After the attack has subsided or in case you add the wrong ip you may want to remove the blackhole route. To do so we will use theip command again.

 root@server:~# ip route del 192.168.0.195
 root@server:~# ip route show
 default via 192.168.0.1 dev eth0 metric 100
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s