TOPIC: Black Hole Routes --> Null0

Black Hole Routes --> Null0 10 years 3 months ago #14969

  • drizzle
I was reading the NSA's guide to locking down Cisco Routers and I came across an interesting yet brief section on Black Hole Routes.
The simple way to configure null routing is to set up a null interface and create a static route that directs the undesirable packets to it. For example, to block packets with a destination address in the reserved range of 10.0.0.0/8 network, the following configuration would work:
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# interface null0
Central(config-if)# no ip unreachables
Central(config-if)# exit
Central(config)# ip route 10.0.0.0 255.0.0.0 null0
Central(config)# exit
Central#
To null route additional IP addresses in the future, you would simply add additional static routes, using ip route statements as shown above.
It is important to turn off the generation of ICMP unreachable messages on the null0 interface. Because the null0 interface is a packet sink, packets sent there will never reach their intended destination. On a Cisco router, the default behavior when a packet cannot be delivered to its intended destination is to send the source address an ICMP unreachable message. If an administrator was utilizing null routing to block a denial of service attack, this would cause the router trying to block the attack to ultimately flood its own upstream with ICMP unreachable messages. For every packet that was filtered, the router would send a message back to the host originating the attack. This can compound the damage of the initial attack. When you disable ICMP unreachable messages, the offending packets will be dropped silently.
It seems that this would be a better method than setting up deny ACLs on Cisco devices. However, the only "real world" situations I can come up with for its use are ISP situations using BGP.

Does anybody else have any creative uses for this method? Or is there a reason it is not used that much on private networks?

Re: Black Hole Routes --> Null0 10 years 3 months ago #14970

  • drizzle

Re: Black Hole Routes --> Null0 10 years 3 months ago #14978

  • d_jabsd
I've used black hole routes before to stop spam. While the packet can get to the mail server, the blackhole route prevents the response from getting back to the originator, killing the ability to deliver the message.

I've also seen it used for user protection, though it can turn into a maintenance nightmare. If no one on the network has a valid reason to hit a foreign network, you could use blackholes to null route entire blocks... example: much of the spam and viruses originate in China and the Soviet Union, so you could use blackholes to null route the APNIC or RIPE netblocks.

You do need to be careful not to blackhole valid networks, but it works well in a pinch.

Re: Black Hole Routes --> Null0 10 years 3 months ago #14985

  • drizzle
I was thinking about setting up Null routes in my DMZ for that exact purpose. Is there a good, trustable database of CIDR blocks that can be blacklisted or null-routed?

Re: Black Hole Routes --> Null0 10 years 3 months ago #14986

  • jwj
Yes, from one of my favorite sites on network security, Team Cymru! They have a page that explains bogon routes (those that have not been assigned by IANA), and links to many resources and tools. Other than implementing these, you could study what networks are attacking yours, and see if blackholing them as well would be useful. Sometimes I wish I could block large parts of China and Korea (not because I don't like them, it's just that's where lots of spam is coming from for me).
-Jeremy-

Re: Black Hole Routes --> Null0 10 years 3 months ago #14989

  • drizzle
Thanks for the link Jeremy.

So, with that being said, would it be safe to null-route all the IANA reserved addresses from:
http://www.cymru.com/Documents/bogon-bn-agg.txt

Obviously, I would have to exclude those addresses which may be found on my internal network. I know this isn't some panacea but it seems like it would be considered a good practice on any network. I guess I'm just surprised I haven't stumbled across it before.
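An added example, not part of the original thread: one way to turn an aggregated bogon list into null0 static routes while carving out the prefixes that are in use internally, as the post above describes. The sample list and the internal prefixes are constructed for illustration (IPv4 only), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in one-prefix-per-line form; NOT a copy of the real bogon file.
SAMPLE_BOGONS = """\
# constructed sample, IPv4 only
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.168.0.0/16
"""

# Hypothetical internal prefixes that must stay routable.
INTERNAL = ["10.20.0.0/16", "192.168.1.0/24"]


def parse_prefixes(text):
    """Parse one CIDR per line, ignoring blanks and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line))  # raises on malformed input
    return nets


def carve_out(bogons, internal):
    """Return the bogon space minus every internal prefix, collapsed."""
    keep = [ipaddress.ip_network(p) for p in internal]
    pieces = list(bogons)
    for k in keep:
        remaining = []
        for p in pieces:
            if k.supernet_of(p):          # piece lies wholly inside internal space
                continue
            if p.supernet_of(k):          # internal prefix is a hole in this piece
                remaining.extend(p.address_exclude(k))
            else:                         # disjoint: keep unchanged
                remaining.append(p)
        pieces = remaining
    return list(ipaddress.collapse_addresses(pieces))


def ios_null_routes(nets):
    """Render IOS static routes in the form used in the first post."""
    return [f"ip route {n.network_address} {n.netmask} null0" for n in nets]


if __name__ == "__main__":
    print("\n".join(ios_null_routes(carve_out(parse_prefixes(SAMPLE_BOGONS), INTERNAL))))
```

The bogon list changes as address space is allocated, so regenerate the routes from a fresh copy of the list rather than treating the output as permanent.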