LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Linux Blackhole Tutorial - Adding and Removing A Null Route

Being able to blackhole (null-route) a host that is hammering your server is a handy tool for any systems administrator. This short tutorial covers adding and removing a blackhole route with the "ip route" command, which works on any Linux distribution that ships iproute2.

How to add a blackhole nullroute:

For this example, assume our server (192.168.0.197) is receiving unwanted SSH login attempts from 192.168.0.195. netstat (or "ss -tn" on systems without it) shows the connection:

root@server:~# netstat -na | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.197:22 192.168.0.195:57776 ESTABLISHED

To add the blackhole for 192.168.0.195:

root@server:~# ip route add blackhole 192.168.0.195/32

To verify the route is in place, use "ip route show" (the /32 is not displayed for a single-host route):

root@server:~# ip route show
default via 192.168.0.1 dev eth0 metric 100
blackhole 192.168.0.195

Once the route is in place, the server silently discards every packet it would send to that address. A blackhole route generates no ICMP error (unlike an "unreachable" route), so the attacker's connection attempts simply hang until they time out:

root@attacker:~# ssh 192.168.0.197
ssh: connect to host 192.168.0.197 port 22: Connection timed out

Traffic in the other direction fails immediately instead: if the server itself tries to reach the blackholed address, the kernel refuses to route the packet and the program sees "Invalid argument".

Removing a blackhole:

Blackholes are most useful while your server is under attack. Once the attack has subsided, or whenever you want the host to be reachable again, delete the route (the /32 is implied; "ip route del blackhole 192.168.0.195" is equivalent):

root@server:~# ip route del 192.168.0.195
root@server:~# ip route show
default via 192.168.0.1 dev eth0 metric 100

Note that a blackhole route lives only in the kernel's routing table: it disappears on reboot unless you add it to your distribution's network configuration or a startup script.
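The same steps scale to a whole list of addresses. The script below is an added example, not part of the original tutorial: it reads IPv4 addresses or CIDR ranges from a text file (one per line, "#" comments allowed; the file name blackhole.txt and this format are this example's own conventions), validates each entry, appends /32 to bare addresses exactly as in the single-host case above, and feeds the whole list to one "ip -batch" process to install, remove, list or flush the routes. It needs iproute2 and, for anything that touches the kernel table, root.

```shell
#!/bin/sh
# Added example (not from the original tutorial): manage a list of blackhole
# routes from a text file with one IPv4 address or CIDR per line.
# Assumes iproute2 ("ip") and root for apply/remove/flush; the file name
# blackhole.txt and the list format are conventions of this example only.
#
# Usage:  ./blackhole.sh apply  blackhole.txt   # install or refresh every entry
#         ./blackhole.sh remove blackhole.txt   # delete exactly those entries
#         ./blackhole.sh list                   # show installed blackhole routes
#         ./blackhole.sh flush                  # drop every blackhole route

# valid_ipv4_cidr A.B.C.D/LEN: succeed only if each octet is 0-255 and LEN is 0-32.
valid_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    addr=${1%/*}
    for octet in $(printf '%s' "$addr" | tr . ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# normalize_cidrs: read the list on stdin; strip '#' comments and whitespace,
# drop blank lines, append /32 to bare addresses, and report anything that is
# not a valid IPv4 CIDR on stderr instead of handing it to ip.
normalize_cidrs() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' -e '/\//!s,$,/32,' |
    while IFS= read -r entry; do
        if valid_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
}

# build_batch replace|del: turn normalized CIDRs on stdin into "ip -batch" lines.
# "replace" rather than "add" keeps re-runs on a revised file idempotent: entries
# that are already installed do not fail with "RTNETLINK answers: File exists".
build_batch() {
    case $1 in
        replace|del) sed "s|^|route $1 blackhole |" ;;
        *) printf 'build_batch: action must be replace or del\n' >&2; return 1 ;;
    esac
}

# apply_list replace|del FILE: hand the whole list to a single ip process.
# -force makes ip continue past individual errors (e.g. deleting a route that
# is already gone) instead of aborting the batch at the first failure.
apply_list() {
    normalize_cidrs < "$2" | build_batch "$1" | ip -force -batch -
}

if [ "$#" -gt 0 ]; then
    case $1 in
        apply)  apply_list replace "$2" ;;
        remove) apply_list del "$2" ;;
        list)   ip route show type blackhole ;;
        flush)  ip route flush type blackhole ;;
        *)      printf 'usage: %s apply|remove FILE | list | flush\n' "$0" >&2; exit 2 ;;
    esac
fi
```

Two caveats when using this at scale. First, a blackhole only guarantees that the server's replies are dropped; whether packets from the blackholed source are also discarded on arrival depends on reverse-path filtering (check "sysctl net.ipv4.conf.all.rp_filter"). With rp_filter enabled the inbound packets fail the reverse-path check and are dropped as well; with it disabled they are still delivered to listening sockets, so a one-way flood can keep consuming CPU and log space. A firewall DROP rule is the right tool when that matters. Second, as with the single-host case, none of these routes survive a reboot, so the apply step belongs in your network configuration or a startup script.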

Frank

4 Comments

  1. Jacob:

    Why not just use fail2ban?

    April 8, 2019 @ 6:32 pm | Reply
    • Jacob:

      @Jacob: Why not just write us a tutorial on using fail2ban to block ALL network traffic to a server.

      November 27, 2019 @ 1:43 pm | Reply
  2. Thank you for the article. Very helpful.

    November 28, 2019 @ 12:39 am | Reply
  3. Odo:

    Can I upload like 50,000 CIDR ranges from a file to be routed to blackhole instead of using FireWall IPTABLES?

    If so, what would be SSH CLI to do so, given I upload a file.txt to the directory, and that files lists CIDR type IP ranges one below the other (no comma?) and when single IP get /32 notation: X.X.X.X/32

    What would be a command to dump all?
    To run again on a revised file?

    Can this technique be used to block an ISP using its source code, as AS4444?

    What is its record limit, if any?

    What resources does it use uploading to server memory?

    January 21, 2021 @ 4:32 pm | Reply
