How to block Denial of Service (DoS) with null route
On a Linux/Unix system you can mitigate the effects of an attack by blocking communication with the attacking IP addresses. You can do this either with iptables rules or with a null route, also known as a black-hole route. This article shows how to block a Denial of Service (DoS) attack with a null route on your server.
See also: List all IP addresses connected to your server
Verify who is connected
First check the load on the server. If it looks unexpectedly high, run the command below to list the connections to port 80 grouped by source IP. It helps you decide whether the load is normal or whether a DoS attack is underway.
# netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
315 46.101.235.31
410 217.73.208.150
30 178.62.134.179
12 63.142.253.205
5 212.145.147.225
We assume that the following two IPs are abnormal:
315 46.101.235.31
410 217.73.208.150
Null route
We believe these two IPs are the root cause of the high load on the server. Let us drop (null route) them to confirm that they are indeed the cause.
# route add 46.101.235.31 gw 127.0.0.1 lo
# route add 217.73.208.150 gw 127.0.0.1 lo
Note:
There is also an alternative way to null route the IPs:
# route add -host 46.101.235.31 reject
# route add -host 217.73.208.150 reject
Now confirm that the null routes for those IPs are in place:
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window  irtt Iface
46.101.235.31   127.0.0.1       255.255.255.255 UGH     0 0          0 lo
217.73.208.150  127.0.0.1       255.255.255.255 UGH     0 0          0 lo
After null routing the IPs, wait a while and check the server load again.
# top
load average: 1.08, 5.30, 30.63
Also verify that the attackers are not switching to other IPs for the DoS.
# netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
30 178.62.134.179
12 63.142.253.205
5 212.145.147.225
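As an added example (not code from the original article), the script below turns the verification and null-route steps above into shell functions run over constructed sample data: it applies the article's netstat pipeline, selects the IPs above a connection threshold, checks whether a blackhole route already exists, and prints the iproute2 equivalent of `route add -host IP reject` instead of running it. The sample netstat lines, the sample route table and the threshold of 3 are all assumptions made for the example.

```shell
# Added example, not code from the original article: the article's netstat pipeline
# as shell functions over constructed input, testable before touching a live server.

# Constructed `netstat -tn` lines: three port-80 connections from
# 46.101.235.31, one each from two other hosts, and an SSH session to ignore.
SAMPLE_NETSTAT='tcp   0  0 10.0.0.5:80  46.101.235.31:51234   ESTABLISHED
tcp   0  0 10.0.0.5:80  46.101.235.31:51235   ESTABLISHED
tcp   0  0 10.0.0.5:80  217.73.208.150:4401   SYN_RECV
tcp   0  0 10.0.0.5:80  46.101.235.31:51236   ESTABLISHED
tcp   0  0 10.0.0.5:80  178.62.134.179:3322   ESTABLISHED
tcp   0  0 10.0.0.5:22  217.73.208.150:4402   ESTABLISHED'

# Constructed `ip route show` output with one blackhole route already present.
SAMPLE_ROUTES='default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.5
blackhole 217.73.208.150'

# count_by_ip: the article's pipeline applied to stdin, printing "count ip".
# The grep pattern has a trailing space so that :8080 is not matched as :80.
count_by_ip() {
    grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
}

# count_for_ip IP: number of port-80 connections from one address (0 if none).
count_for_ip() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip |
        awk -v ip="$1" '$2 == ip {print $1; f = 1} END {if (!f) print 0}'
}
# suspicious_ips THRESHOLD: addresses with at least THRESHOLD connections.
suspicious_ips() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_by_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# is_blackholed IP: succeeds if the route table on stdin already holds a
# blackhole route for IP (`ip route show` lists host routes without /32).
is_blackholed() {
    awk -v ip="$1" '$1 == "blackhole" && $2 == ip {f = 1} END {exit !f}'
}

# blackhole_cmd IP: iproute2 equivalent of the article's `route add -host IP reject`,
# printed rather than executed so the operator reviews it before applying it.
blackhole_cmd() {
    printf 'ip route add blackhole %s/32\n' "$1"
}

# Dry run at a threshold of 3 connections: print a command for each new offender.
for ip in $(suspicious_ips 3); do
    printf '%s\n' "$SAMPLE_ROUTES" | is_blackholed "$ip" || blackhole_cmd "$ip"
done
```

On a live server replace the two SAMPLE_ variables with `netstat -tn 2>/dev/null` and `ip route show`, and remove the route afterwards with `ip route del blackhole IP/32`, the counterpart of the `route delete` step below.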
Delete null route
You can also remove an existing null route when it is no longer required.
# route delete 217.73.208.150
Enjoy it!