blackhole routing

The black hole routes ensure that traffic destined for the bogon networks
will not pass through the firewall, and will therefore leave your Internet
link and screening router unscathed. Further, because the packet is simply
dropped, the performance impact is quite low.

To add a black hole route, we use the route command. Here is an example of
a blackhole route for an RFC1918 network, 10/8.

route add 10.0.0.0 -netmask 255.0.0.0 8.8.8.1 -blackhole

Here, 8.8.8.1 is the internal (intranet) IP address of our firewall. The
result of this route addition is that the firewall will silently discard
all packets destined for the RFC1918 network, 10/8. Be careful here,
however! Do not add blackhole routes for networks that you use internally.
I recommend the following black hole routes, which should be added to the
end of /etc/init.d/inetinit. Remember to replace 8.8.8.1 with the IP
address of the internal interface of your firewall.

route add 1.0.0.0 -netmask 255.0.0.0 8.8.8.1 -blackhole
route add 2.0.0.0 -netmask 255.0.0.0 8.8.8.1 -blackhole
route add 10.0.0.0 -netmask 255.0.0.0 8.8.8.1 -blackhole
route add 172.16.0.0 -netmask 255.240.0.0 8.8.8.1 -blackhole
route add 192.168.0.0 -netmask 255.255.0.0 8.8.8.1 -blackhole
route add 192.0.2.0 -netmask 255.255.255.0 8.8.8.1 -blackhole
route add 169.254.0.0 -netmask 255.255.0.0 8.8.8.1 -blackhole
route add 240.0.0.0 -netmask 240.0.0.0 8.8.8.1 -blackhole
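The warning above about not blackholing your own networks is easy to violate by accident, since 10/8, 172.16/12 and 192.168/16 are exactly the ranges most sites use internally. The script below is an added example, not part of the original post: it generates the route commands from the bogon list for a given firewall address and refuses to emit any prefix that overlaps a network listed as in use internally. The INTERNAL_NETS values are constructed for illustration, FW_INTERNAL_IP defaults to the post's placeholder 8.8.8.1, and the script only prints the commands; running them is a separate, root-only step on the firewall itself. Note also that the bogon list reflects allocations at the time the post was written (1/8 and 2/8, for instance, have since been allocated), so check the current bogon list before committing routes to inetinit.

```shell
#!/bin/sh
# Added example (not from the original post): generate blackhole route
# commands and refuse any bogon prefix that overlaps an internal network.

# Internal interface of the firewall; 8.8.8.1 is the post's placeholder.
FW_INTERNAL_IP="${FW_INTERNAL_IP:-8.8.8.1}"

# Networks in use internally (constructed example values; edit for your site).
INTERNAL_NETS="192.168.1.0/24 10.20.0.0/16"

# Bogon prefixes to blackhole, as listed in the post.
BOGONS="1.0.0.0/8 2.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 192.0.2.0/24 169.254.0.0/16 240.0.0.0/4"

# Dotted quad -> 32-bit integer.
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> dotted netmask (e.g. 12 -> 255.240.0.0).
plen2mask() {
  m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
  echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# Return 0 if two CIDR blocks overlap (one contains the other), 1 otherwise.
# Two blocks overlap exactly when they agree on the shorter prefix length.
overlaps() {
  n1=$(ip2int "${1%/*}"); l1=${1#*/}
  n2=$(ip2int "${2%/*}"); l2=${2#*/}
  l=$l1
  [ "$l2" -lt "$l" ] && l=$l2
  mask=$(( (4294967295 << (32 - l)) & 4294967295 ))
  [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# Return 0 if the prefix overlaps none of INTERNAL_NETS, 1 if it overlaps any.
is_safe() {
  for net in $INTERNAL_NETS; do
    if overlaps "$1" "$net"; then return 1; fi
  done
  return 0
}

# Print the route command for one prefix in the form used in the post.
route_cmd() {
  echo "route add ${1%/*} -netmask $(plen2mask "${1#*/}") $FW_INTERNAL_IP -blackhole"
}

# Emit commands for safe prefixes; report the ones that would blackhole
# an internal network on stderr instead of emitting them.
emit_routes() {
  for p in $BOGONS; do
    if is_safe "$p"; then
      route_cmd "$p"
    else
      echo "SKIP $p: overlaps an internal network" >&2
    fi
  done
}

emit_routes
```

With the constructed INTERNAL_NETS above, the script prints routes for 1/8, 2/8, 172.16/12, 192.0.2/24, 169.254/16 and 240/4, and reports 10/8 and 192.168/16 as skipped, which is exactly the case where blindly pasting the list would have cut the firewall off from its own intranet. Review the output before appending it to /etc/init.d/inetinit.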
