How to null routes work
When you define a route on a Linux/Unix system it tells the system in order to communicate with the specified IP address you will need to route your network communication to this specific place.
When you define a null route it simply tells the system to drop the network communication that is designated to the specified IP address. What this means is any TCP based network communication will not be able to be established as your server will no longer be able to send an SYN/ACK reply. Any UDP based network communication however will still be received; however your system will no longer send any response to the originating IP.
In less technical terms this means your system will receive data from the attackers but no longer respond to it.
Adding and Removing a null route
How to add a null route
In our example we are receiving unwanted SSH login attempts from 192.168.0.195
root@server:~# netstat -na | grep :22 tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 192.168.0.197:22 192.168.0.195:57776 ESTABLISHED
To add the null route we will use the
root@server:~# ip route add blackhole 192.168.0.195/32
To verify the route is in place will will use
ip route show
root@server:~# ip route show default via 192.168.0.1 dev eth0 metric 100 blackhole 192.168.0.195
After a little while the established ssh connections will time out and all subsequent connections from the blocked ip will receive the following.
baduser@attacker:~$ ssh 192.168.0.197 ssh: connect to host 192.168.0.197 port 22: No route to host
Removing a null route
After the attack has subsided or in case you add the wrong ip you may want to remove the blackhole route. To do so we will use the
ip command again.
root@server:~# ip route del 192.168.0.195 root@server:~# ip route show default via 192.168.0.1 dev eth0 metric 100