Scribd Logo
Upload

Welcome to Scribd!

  • Mitigating Dos Attacks With A Null (Or Blackhole) Route On Linux A Guide On How To Lessen The Damage of A Dos Attack by Using A Null Route in Linux Written by Benjamin Cane On 2013/01/14

    Uploaded by

    IjazKhan
    21 views3 pages
    Dos

    Original Title

    Dos

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Dos

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    21 views3 pages

    Mitigating Dos Attacks With A Null (Or Blackhole) Route On Linux A Guide On How To Lessen The Damage of A Dos Attack by Using A Null Route in Linux Written by Benjamin Cane On 2013/01/14

    Uploaded by

    IjazKhan
    Dos

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    PrintFriendly.

    com: Print web pages, create PDFs

    1 of 3

    http://www.printfriendly.com/print?url=http://bencane.com/2013/01/14/mitigating-dos-attacks-with-a...

    Mitigating DoS Attacks with a null (or Blackhole) Route on Linux A guide
    on how to lessen the damage of a DoS attack by using a null route in
    Linux Written by Benjamin Cane on 2013/01/14
    In a world where the Anonymous group is petitioning the US Government to make DDoS attacks a legal means of protest; For internet
    facing systems the threat of Denial of Service attacks are very real.
    The cold harsh reality of DoS attacks are that there is no way to stop them. While there are services out there that are designed to take the
    brunt of the attack for you these costs a significant amount of money (update:
    seems pretty decent). A small firms only choice
    when faced with a DoS attack is to simply ride through the attack with the least amount of damage possible.
    On a Linux/Unix system you can mitigate the effects of an attack by blocking the communication with the attacking ip addresses. You can
    either do this by creating
    or via a null route also known as a black-hole route.

    Which is better null routes or IPTables rules?


    The question of which is better NULL Routes or IPTables rules can be better described as "Which is more efficient for the system to
    traverse the iptables rule set or the routing table". This is somewhat going to depend on the system in question. If you have a system with
    thousands of routes defined in the routing table and nothing in the iptables rules than it might actually be more efficient to input an iptables
    rule.
    In most systems however the routing table is fairly small, in cases like this it is actually more efficient to use null routes. This is especially
    true if you already have extensive iptables rules in place.

    How to null routes work


    When you define a route on a Linux/Unix system it tells the system in order to communicate with the specified IP address you will need to
    route your network communication to this specific place.
    When you define a null route it simply tells the system to drop the network communication that is designated to the specified IP address.
    What this means is any TCP based network communication will not be able to be established as your server will no longer be able to send
    an SYN/ACK reply. Any UDP based network communication however will still be received; however your system will no longer send any
    response to the originating IP.

    5/25/2015 12:25 PM

    PrintFriendly.com: Print web pages, create PDFs

    2 of 3

    http://www.printfriendly.com/print?url=http://bencane.com/2013/01/14/mitigating-dos-attacks-with-a...

    In less technical terms this means your system will receive data from the attackers but no longer respond to it.

    Adding and Removing a null route


    How to add a null route
    In our example we are receiving unwanted SSH login attempts from 192.168.0.195
    root@server:~# netstat -na | grep :22
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
    tcp 0 0 192.168.0.197:22 192.168.0.195:57776 ESTABLISHED
    To add the null route we will use the ip command
    root@server:~# ip route add blackhole 192.168.0.195/32
    To verify the route is in place will will use ip route show
    root@server:~# ip route show
    default via 192.168.0.1 dev eth0 metric 100
    blackhole 192.168.0.195
    After a little while the established ssh connections will time out and all subsequent connections from the blocked ip will receive the
    following.
    baduser@attacker:~$ ssh 192.168.0.197
    ssh: connect to host 192.168.0.197 port 22: No route to host

    Removing a null route


    After the attack has subsided or in case you add the wrong ip you may want to remove the blackhole route. To do so we will use the ip
    command again.

    5/25/2015 12:25 PM

    PrintFriendly.com: Print web pages, create PDFs

    3 of 3

    http://www.printfriendly.com/print?url=http://bencane.com/2013/01/14/mitigating-dos-attacks-with-a...

    root@server:~# ip route del 192.168.0.195


    root@server:~# ip route show
    default via 192.168.0.1 dev eth0 metric 100

    Other uses for null routes


    While a null route may mainly be used to mitigate DoS attacks there are some other uses. Any time you want to prevent a system from
    talking to another system you can simply use null routes. I have used null routes to simulate a disaster recovery scenario while testing an
    automated failover system many times.

    5/25/2015 12:25 PM

    You might also like