How to block Denial of Service (DoS) with null route

Share It!

On a Linux/Unix system you can mitigate the effects of an attack by blocking the communication with the attacking ip addresses. You can either do this by creating IPTables Rules or via a null route also known as a black-hole route. This article will help you to block Denial of Service (DoS) with null route on server.

See Also:

Verify Who is Connected?

First verify the load on server, If the load on server looks like unexpected then execute mention command to verify the connections. It will help you understand that load on server is normal or is there any DoS attach.

# netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
315  46.101.235.31 
410 217.73.208.150
30 178.62.134.179
12 63.142.253.205
5 212.145.147.225

We are assuming that below 2 IP are abnormal.

315  46.101.235.31 
410 217.73.208.150

null route

We are believing that above 2 IPs are root cause of high load on server. Let drop or ignore the IPs using null route to verify that is these IPs are the cause of high load.

# route add 46.101.235.31 gw 127.0.0.1 lo 
# route add 217.73.208.150 gw 127.0.0.1 lo

Note:
There is an alternative way also to null route the IPs.

# route add -host 46.101.235.31 reject 
# route add -host 217.73.208.150 reject

Now make sure using mention connection are rejected or not

# netstat -nr
Kernel IP routing table Destination     Gateway         Genmask        Flags   MSS Window  irtt Iface 
46.101.235.31 127.0.0.1 255.255.255.255 UGH 0 0 0 lo 217.73.208.150 127.0.0.1 255.255.255.255 UGH 0 0 0 lo

Now after rejecting the IPs using null route wait for the while and verify the load of server.

# top

load average: 1.08, 5.30, 30.63

Just verify that attackers are not using any another IP DoS.

#netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
30   178.62.134.179
12   63.142.253.205
5    212.145.147.225

Delete null route

You can also remove the existing null route IPs if require.

# route delete 217.73.208.150

Enjoy it!

Leave a Reply

Your email address will not be published.