Webhosting Blog

Adding a null route in Linux

Null routing an IP can be of great help when protecting a server against a DDoS attack.

In order to null route an IP you can do the following:

1) Log in to the server as root.

2) Issue the following command:

[root@server~]# route add XX.XX.XX.XX gw lo


[root@server~]# route add -host XX.XX.XX.XX reject

Here XX.XX.XX.XX is the IP to be null routed.

3) To check the above configuration, issue the following command:

[root@server~]# route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UH    0      0        0 eth0
XX.XX.XX.XX     -                               !H    0      -        0 -

Now you can observe the IP XX.XX.XX.XX with "-" as its gateway. This will cause your server to drop all response traffic to this IP.

4) To confirm the null routing status, use the ip command as follows:

[root@server~]# ip route get XX.XX.XX.XX

RTNETLINK answers: Network is unreachable

5) You can also drop an entire subnet with the following:
[root@server~]# route add -net gw lo


[root@server~]# route add -net reject

6) To remove the null route to the IP, use the following command:

[root@server~]# route delete XX.XX.XX.XX
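
As an added example (not from the original post), the script below reads `route -n` output like that in step 3, picks out the reject routes by the `!` flag, and prints the matching removal command for each, using the `reject` form of the delete that a commenter below reports is required. The function names and the sample table (documentation addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list reject ("!") routes from `route -n` output and print
# the delete command for each. Reads the table on stdin; changes nothing.

# Constructed sample of `route -n` output (documentation addresses).
sample_route_table() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0        0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
203.0.113.7     -               255.255.255.255 !H    0      -        0 -
198.51.100.0    -               255.255.255.0   !     0      -        0 -
EOF
}

# Print one "route delete ... reject" line per reject route found on stdin.
null_route_delete_cmds() {
    awk '
        # Data rows start with a dotted-quad destination; skip the header lines.
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }
        # Field 4 is Flags; "!" marks a reject route.
        index($4, "!") == 0 { next }
        # "H" flag = host route; otherwise a network route that needs its mask.
        index($4, "H") > 0 { printf "route delete -host %s reject\n", $1; next }
        { printf "route delete -net %s netmask %s reject\n", $1, $3 }
    '
}

# Count reject routes on stdin (usable as a simple audit check).
null_route_count() {
    null_route_delete_cmds | wc -l | tr -d ' '
}

# Demo on the constructed sample; on a live host: route -n | null_route_delete_cmds
sample_route_table | null_route_delete_cmds
```

The script only prints commands, so the list can be reviewed before any route is removed.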


3 responses

  1. hey. thanks!

    September 24, 2011 at 4:18 am

  2. Eddie

    Thanks for the reject stuff.

    Careful though, when you want to delete a null route that has been entered with the reject statement, you can’t just do a route delete. You have to use the reject statement in the delete too:

    route delete xx.xx.xx.xx reject


    November 24, 2011 at 4:44 pm
