Blackhole(null) route

mybox65 · June 14, 2023, 1:29am

If there is a packet destined for 100.100.100.100, it can be routed out using the default route as below. However, I want to block it in the main table.

I would like to ask if there is a command similar to "ip route add 100.100.100.100 via blackhole dev eth1"

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         9.9.9.1         0.0.0.0         UG    0      0        0 eth2
0.0.0.0         8.8.8.1         0.0.0.0         UG    10     0        0 eth1
6.6.6.0         0.0.0.0         255.255.255.0   U     0      0        0 wg0
8.8.8.0         0.0.0.0         255.255.255.0   U     10     0        0 eth1
9.9.9.0         0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 bond-bond1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
192.168.8.0     0.0.0.0         255.255.255.0   U     0      0        0 wg0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 wg0

VA1DER · June 14, 2023, 3:22am

The routing table is designed to route packets to make them deliverable - it was never intended to block packets. You could force route it to an interface that you know will never deliver them, like br-lan. But this really isn't the job of the routing table.

That is the job of netfilter. If you want packets to a particular destination dropped or ignored, that is easily accomplished with an nft rule.

lleachii · June 14, 2023, 4:18am

Don't tell an ISPs or traffic mitigation service that information - as they commonly use it to mitigate DDoS attacks. A firewall would use more CPUs.

Actually, I have a use case for a blackhole routes that include blocking and also for making a route for a whole /24 - in an instance where I further subnet and route the smaller ranges. This ensures packets for unused IPs/ranges don't forward elsewhere.

config route
        option interface 'in_network_x'
        option target 'xx.xx.xx.xx/24'
        option type 'blackhole'

This allows me to instantly use any additional IP - since it'll be a more-specific route than the /24, with no need to edit the firewall every time.

Yes. I have an example where I use to block as well - I've edited for your example:

config route
        option interface 'wan'
        option target '100.100.100.110'
        option netmask '255.255.255.255'
        option type 'blackhole'

VA1DER · June 14, 2023, 4:20am

I stand corrected. Thanks for the examples.

mybox65 · July 11, 2023, 7:56pm

ip route add blackhole 10.0.0.0/8
ip route add blackhole 172.16.0.0/12
ip route add blackhole 192.168.0.0/16
ip route add blackhole fc00::/7
ip route replace blackhole 10.0.0.0/0

lleachii · July 11, 2023, 8:05pm

Are you asking a question?

Btw, the range /0 means the whole Internet - I'm not sure you wanna use this.

I think this should be:

ip -6 route add blackhole fc00::/7

But why are you making this route?

_bernd · July 11, 2023, 8:48pm

It's not only ddos.
You can also on your edge router blackhole traffic for instance for the private IPv4 space and the IPv6 gua space as well. Also the 3 documentation networks.
Some invalid destinations get null routed from the Linux network stack anyway but rfc1918, GUA and test and documentation purpose networks need to be explicit blackholed.

In the Default Free Zone (DFZ) it's also considered good manner to filter these networks on export and on import filters.

_bernd · July 11, 2023, 9:07pm

@VA1DER : PS: ...

I just forgot.
Another really good example, why you would want to null route or blackhole a network. Especially your own network.

Consider a Small/Medium sized Business. You have 1 or 2 uplinks, from 1 or 2 ISP.
You also got addresses assigned by your ISP[s], or you (even) have Provider Independent IP Space, or just an IP Allocation from an RIR (RIPE, ARIN, etc.).

You just don't want that any traffic is exiting your network on a default route (if its present). But especially in these SMB environments, it is not uncommon, to just get a default route via BGP, and not the Full Table.

Ergo, you want to null route your own network.
Every other more specific network (from your allocation) has a more specific route, it will use. (That's where f.i. OSPFv2 or OSPFv3 comes into play. Or Babel, or OLSR[v2], RIP, IS-IS, ... how to distribute any (specific) network allocation used on each and every interface.)

But if your edge router ever sees a destination (within your allocation), and has no (more specific) route to use, the null route would null or blackhole this traffic more or less for free, ...

/* ... because your router is still a router and is good on routing, because it is a router... and stuff and magic is happening on the ASIC or your x86 is just fast and you are far below 20++ Gbit/s. (And even 100 GBit/s NICs are available and "just work" with GNU/Linux.) Therefor, you do not even need a firewall-rule for these kind of egress traffic. */