Skip to main content

Black Hole Routes --> Null0

More
18 years 5 months ago #14969 by drizzle
I was reading the NSA's guide to locking down Cisco Routers and I came across an interesting yet brief section on Black Hole Routes.

The simple way to configure null routing is to set up a null interface and create a static route that directs the undesirable packets to it. For example, to block packets with a destination address in the reserved range of 10.0.0.0/8 network, the following configuration would work:
Central# config t
Enter configuration commands, one per line. End with CNTL/Z.
Central(config)# interface null0
Central(config-if)# no ip unreachables
Central(config-if)# exit
Central(config)# ip route 10.0.0.0 255.0.0.0 null0
Central(config)# exit
Central#
To null route additional IP addresses in the future, you would simply add additional static routes, using ip route statements as shown above.
It is important to turn off the generation of ICMP unreachable messages on the null0 interface. Because the null0 interface is a packet sink, packets sent there will never reach their intended destination. On a Cisco router, the default behavior when a packet cannot be delivered to its intended destination is to send the source address an ICMP unreachable message. If an administrator was utilizing null routing to block a denial of service attack, this would cause the router trying to block the attack to ultimately flood its own upstream with ICMP unreachable messages. For every packet that was filtered, the router would send a message back to the host originating the attack. This can compound the damage of the initial attack. When you disable ICMP unreachable messages, the offending packets will be dropped silently.

It seems that this would be a better method than setting up deny ACL's on cisco devices. However, the only "real world" situations I can come up with its use are in ISP situations using BGP.

Does anybody else have any creative uses for this method? Or is there a reason it is not used that much on private networks?
More
18 years 5 months ago #14970 by drizzle
More
18 years 5 months ago #14978 by d_jabsd
I've used black hole routes before to stop spam. While the packet can get to the mail server, the blackhole route prevents the response from getting back to the originator, killing the ability to deliver the message.

I've also seen it used for user protection, though it can turn into a maintenance nightmare. If no one on the network has a valid reason to hit a foreign network, you could use blackholes to null route entire blocks... example: much of the spam and viruses originate in China and Soviet Union, so you could use blackholes to null route the APNIC or RIPE netblocks.

You do need to be careful not to blackhole valid networks, but it works well in a pinch.
More
18 years 5 months ago #14985 by drizzle
I was thinking about setting up Null routes in my DMZ for that exact purpose. Is there a good, trustable database of CIDR blocks that can be blacklisted or null-routed?
More
18 years 5 months ago #14986 by jwj
Yes, from one of my favorite sites on network security, Team Cymru! They have a page that explains bogon routes (those that have not been assigned by IANA), and links to many resources and tools. Other than implementing these, you could study what networks are attacking yours, and see if blackholing them as well would be useful. Sometimes I wish I could block large parts of China and Korea (not because I don't like them, it's just that's were lots of spam is coming from for me).

-Jeremy-
More
18 years 5 months ago #14989 by drizzle
Thanks for the link Jeremy.

So, with that being said, would it be safe to null-route all the IANA reserved addresses from:
www.cymru.com/Documents/bogon-bn-agg.txt

Obviously, I would have to exclude those addresses which may be found on my internal network. I know this isn't some panacea but it seems like it would be considered a good practice on any network. I guess I'm just surprised I haven't stumbled across it before.
Time to create page: 0.132 seconds