How to block Denial of Service (DoS) with null route
This article is described how I find out the Denial of Service (DoS) IP and null route it, to solve the high load issue on my server.
## 1. High Load
Recently, the server has hit an abnormally high load, CPU usage hits, average 15-20%.
```
#top
load average: 15.08, 18.30, 20.63
```
## 2. Who is Connected?
Not sure if this a DOS attack, or just a single IP abuse the connection? Issue following command to list all the IP addresses connected to my server.
```
#netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
215 122.163.226.243
189 114.198.236.100
156 120.63.179.245
38 141.0.9.20
37 49.248.0.2
37 153.100.131.12
31 223.62.169.73
30 65.248.100.253
29 203.112.82.128
29 182.19.66.187
```
Below 3 IPs are taking 150+ connections, which is really abnormal, what are they trying to do?
```
215 122.163.226.243
189 114.198.236.100
156 120.63.179.245
```
P.S Google above IPs, 2 are from India, 1 from Pakistan.
## 3. null route
I believed above 3 IPs are the root cause of the high load issue, let null route those IPs, so that all incoming connections from those 3 IPs will be dropped or ignored.
null route command
```
route add 122.163.226.243 gw 127.0.0.1 lo
route add 114.198.236.100 gw 127.0.0.1 lo
route add 120.63.179.245 gw 127.0.0.1 lo
```
Alternative Command
You can also use following command to null route the IPs, both are doing the same thing.
```
route add -host 122.163.226.243 reject
route add -host 114.198.236.100 reject
route add -host 120.63.179.245 reject
```
Uses netstat -nr to display all the routes, to make sure it is added into the route table.
```
# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
114.198.236.100 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
120.63.179.245 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
122.163.226.243 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
```
Done, wait a few seconds, and check the server load again, it’s back to normal now.
```
#top
load average: 1.08, 5.30, 30.63
```
Check all connected IP again, those attacker’s IPs are gone:
```
#netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
40 141.0.9.20
37 49.248.0.2
36 153.100.131.12
31 223.62.169.73
25 65.248.100.253
29 203.112.82.128
29 182.19.66.187
38 142.0.9.20
28 141.121.9.20
38 141.0.9.201
```
Done.
## 4. Delete null route
To delete existing null route IPs, uses route delete.
```
route delete 122.163.226.243
route delete 114.198.236.100
route delete 120.63.179.245
```
CSF Firewall
To prevent Denial of Service (DoS), try setup CSF and configure the CT_LIMIT to limit the number of connections from IP to access server.
[via](https://mkyong.com/linux/how-to-block-attackers-ip-with-null-route-command/)
## 1. High Load
Recently, the server has hit an abnormally high load, CPU usage hits, average 15-20%.
```
#top
load average: 15.08, 18.30, 20.63
```
## 2. Who is Connected?
Not sure if this a DOS attack, or just a single IP abuse the connection? Issue following command to list all the IP addresses connected to my server.
```
#netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
215 122.163.226.243
189 114.198.236.100
156 120.63.179.245
38 141.0.9.20
37 49.248.0.2
37 153.100.131.12
31 223.62.169.73
30 65.248.100.253
29 203.112.82.128
29 182.19.66.187
```
Below 3 IPs are taking 150+ connections, which is really abnormal, what are they trying to do?
```
215 122.163.226.243
189 114.198.236.100
156 120.63.179.245
```
P.S Google above IPs, 2 are from India, 1 from Pakistan.
## 3. null route
I believed above 3 IPs are the root cause of the high load issue, let null route those IPs, so that all incoming connections from those 3 IPs will be dropped or ignored.
null route command
```
route add 122.163.226.243 gw 127.0.0.1 lo
route add 114.198.236.100 gw 127.0.0.1 lo
route add 120.63.179.245 gw 127.0.0.1 lo
```
Alternative Command
You can also use following command to null route the IPs, both are doing the same thing.
```
route add -host 122.163.226.243 reject
route add -host 114.198.236.100 reject
route add -host 120.63.179.245 reject
```
Uses netstat -nr to display all the routes, to make sure it is added into the route table.
```
# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
114.198.236.100 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
120.63.179.245 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
122.163.226.243 127.0.0.1 255.255.255.255 UGH 0 0 0 lo
```
Done, wait a few seconds, and check the server load again, it’s back to normal now.
```
#top
load average: 1.08, 5.30, 30.63
```
Check all connected IP again, those attacker’s IPs are gone:
```
#netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
40 141.0.9.20
37 49.248.0.2
36 153.100.131.12
31 223.62.169.73
25 65.248.100.253
29 203.112.82.128
29 182.19.66.187
38 142.0.9.20
28 141.121.9.20
38 141.0.9.201
```
Done.
## 4. Delete null route
To delete existing null route IPs, uses route delete.
```
route delete 122.163.226.243
route delete 114.198.236.100
route delete 120.63.179.245
```
CSF Firewall
To prevent Denial of Service (DoS), try setup CSF and configure the CT_LIMIT to limit the number of connections from IP to access server.
[via](https://mkyong.com/linux/how-to-block-attackers-ip-with-null-route-command/)
暂无回复
登录 或 注册 后可回复。
