ip route to null0 blacklisting

Suddenly, I feel very much like a newbie...

For quite some time, our perimeter 2600 T-1 router (12.1) has had ip route entries directing Chinese IPs to null0. For example: ip route 59.32.0.0 255.224.0.0 Null0.

The thought was any web traffic to or from these IPs would be discarded with less CPU burden than running an ACL, while shielding end users from potential malware hosted in a geographic area where we have no business contact. Or at least, I had smugly thought so.

Ping and traceroute to these IPs fail as expected, but now I find that clients going to one of these IPs with a web browser have no problem.

Why does the router with the ip route to null0 command line permit these packets to flow through?

Thanks,

Benoit

Reply to
bnt

You probably have a more specific route than the null0 route on the network that is routing that traffic to the web server.

Chris.

Reply to
Chris

Do a show ip route to the IP address used on the client browser to see what route is displayed.

Reply to
Merv

It does not. But web can come via a proxy-server - verify that your clients do not have internet access unless they use YOUR proxy-server, and only that. Then on your proxy-server block the URLs/country IPs.

HTH Martin Bilgrav

Reply to
Martin Bilgrav

Clearly there is another path to these addresses from the clients. Quite possibly a more specific route is matching the destination, or there is a different application route (i.e. proxies, NAT, etc.) to the addresses you are null routing.

On another note, I believe the practice of null routing large portions of the Internet is wrong and is ill-advised. Contrary to popular belief, the vast majority of attacks are not sourcing from .CN / .TW or .KR. In fact a significant number of attacks are coming from US cable and DSL lines that would likely not make sense to block.

Null routing connectivity between domains breaks the intention of the Internet, and makes it very difficult for engineers and admins to fix; as can be pointed out as you are still having issues in the configuration.

If your router can't handle the load, then get your upstream to filter the attacks, or install the necessary safeguards at an application layer to block SPAM / SPIT / and other nastiness; but do not install null routes for large portions of the Internet. Some poor engineer is going to accidentally advertise this space and then we all suffer.

Kind regards, Truman

Reply to
tboyes
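
The "more specific route" explanation given in the replies above, as an added example that is not part of the original thread: a longest-prefix-match lookup plus an audit that lists any non-Null0 route sitting inside a Null0 route. Only the 59.32.0.0/11 Null0 entry comes from the thread; every other route, next hop and function name is constructed for illustration.

```python
import ipaddress

# Constructed routing table. Only the 59.32.0.0/11 -> Null0 entry is from the
# thread (59.32.0.0 255.224.0.0); the other entries are hypothetical.
ROUTES = [
    ("0.0.0.0/0", "Serial0/0"),
    ("59.32.0.0/11", "Null0"),
    ("59.40.0.0/16", "192.0.2.1"),      # hypothetical more specific route
    ("10.0.0.0/8", "FastEthernet0/0"),
]


def parse(routes):
    """Turn (prefix, next_hop) strings into (ip_network, next_hop) pairs."""
    return [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes]


def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def shadowed_null_routes(table):
    """List (null_net, specific_net, next_hop) for every non-Null0 route that
    is a strict subnet of a Null0 route and therefore bypasses the blackhole."""
    findings = []
    null_nets = [net for net, hop in table if hop.lower() == "null0"]
    for null_net in null_nets:
        for net, hop in table:
            if hop.lower() == "null0" or net == null_net:
                continue
            if net.subnet_of(null_net):
                findings.append((null_net, net, hop))
    return findings


TABLE = parse(ROUTES)

if __name__ == "__main__":
    for dst in ("59.33.1.1", "59.40.5.5", "8.8.8.8"):
        net, hop = lookup(TABLE, dst)
        print(f"{dst:12} -> {str(net):16} via {hop}")
    for null_net, net, hop in shadowed_null_routes(TABLE):
        print(f"{net} via {hop} overrides Null0 route {null_net}")
```
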
