• Status: Solved
  • Priority: Medium
  • Security: Public

create a null route

I have tried to create a null route in XP, but it doesn't work.  Can anyone tell me what I am doing wrong?

route add 1.1.1.1 127.0.0.1
The route addition failed: The parameter is incorrect.
0
Asked by: bryanlloydharris
 
bryanlloydharrisAuthor Commented:
Yes but how to create the null route for Windows XP?  (Increasing points to 150.)
0
 
davy999Commented:
0

 
robertsearle2Commented:
I have seen the below command posted on this site
route add 1.1.1.1 mask 255.255.255.255 127.0.0.1

But alas the command as typed *does not work* on Windows XP or 2003.

We had a *person* flooding our web cluster with connects to a CGI.

We needed to block his IP in a hurry to stop the attack.
We didn't have access to the router at the time.

After several failed attempts at creating a "NULL" route on the servers we simply added the offending IP to the network card.

Using netstat -an we can see the incoming connection attempts, but because the TCP connection cannot be built back to the client the CGI doesn't seem to execute.

I know this doesn't stop them from coming at us from another IP.
I am not sure what other problems might arise from doing this and I know we need to come up with a more elegant solution, but it worked.

Looking forward to comments.
-- Peace
0
 
bryanlloydharrisAuthor Commented:
Robertsearle2, Can you tell me the command which worked?  I'm talking about the one when you say "added the offending IP to the network card."

Is this a command I can add with the route, or do you mean some other way?
0
 
robertsearle2Commented:
Oh my, I just created a very detailed explanation and the post didn't take.
I don't have the time to do it again but here is the general idea.


Assume the server being attacked has an internal IP address and is being NAT'd.
Server has an IP address of 10.30.1.30.
Offending IP address is 74.23.234.19 ( random IP )

In control panel there is a Network Connection icon.
Double-click it, properties, select TCP/IP, click properties, click advanced, under the IP addresses click add, enter the offending IP address, in this example 74.23.234.19 and a mask of 255.255.255.0. ( it wouldn't let me add a mask of 255.255.255.255 ). After clicking OK a couple of times the offending IP address is added to the routing table and traffic stopped being sent back to them via the default gateway.

This is less than elegant, won't stop a distributed attack and won't stop the offender from coming at you from another IP, but it thwarted the bunghole that scripted a couple thousand connections to our servers.

--Peace
0
 
robertsearle2Commented:
To more directly answer your question.
It was not a command line process.
I used the Windows GUI.
I have never had the need to script IP administration on a Windows box.

--Peace
0
 
bryanlloydharrisAuthor Commented:
I think I see, thank you for the advice.
0
 
Sune1337Commented:
I think I may have solved this in a better way. I think it's better because it allows IPs to be blocked by batch scripts (or a service, as in my case).

Say my local network is 192.168.105.0/24. Also say 192.168.105.99 is not used, so in theory I should be able to "route x.x.x.x 192.168.105.99" and traffic for x.x.x.x should get lost. Windows somehow ignores this and sends the packets to the default gateway anyway.

However, if I first "arp -s 192.168.105.99 11-11-11-11-11-11-11", and then "route x.x.x.x 192.168.105.99", then the packets actually seem to get lost; well, SYN packets are probably sent to the LAN; I didn't sniff traffic to check.

Please note that even if I add a static ARP entry, Windows forgets about it after a restart. I know static routes are remembered across restarts, and if a route exists to an IP, you can't add a static ARP entry to that IP, so it doesn't seem like a good idea to do "static null routes", since you just have to delete them after a reboot just to add a static ARP entry, and then re-route the blocked IPs.
0
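
The sequence Sune1337 describes above (a static ARP entry for an unused LAN address, then a host route through it), written out as a batch file. This is an added example, not code from the thread: the sink address is the one used in the post, while the placeholder MAC `02-00-00-00-00-01`, the variable names and the file name `nullroute.cmd` are assumptions.

```batch
@echo off
rem Added example, not from the thread. Usage: nullroute.cmd <IPv4-to-block>
rem Assumptions: SINK is an unused address on the local subnet (the post
rem uses 192.168.105.99); SINKMAC is a constructed placeholder MAC.
setlocal
set "SINK=192.168.105.99"
set "SINKMAC=02-00-00-00-00-01"
set "BLOCKIP=%~1"
if not defined BLOCKIP (
    echo Usage: %~nx0 ip-to-block
    exit /b 1
)

rem Accept only a dotted quad. "set BLOCKIP" prints NAME=value without
rem re-expanding the value on a command line, so odd characters stay inert.
set BLOCKIP|findstr /r /x "BLOCKIP=[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*" >nul
if errorlevel 1 (
    echo Not an IPv4 address.
    exit /b 1
)

rem 1. Static ARP entry for the sink. It does not survive a reboot, so
rem    this script has to run again at startup.
arp -s %SINK% %SINKMAC%
arp -a | findstr /c:"%SINKMAC%" >nul
if errorlevel 1 (
    echo Static ARP entry for %SINK% is missing; not adding the route.
    exit /b 1
)

rem 2. Host route via the sink, deliberately without -p: a persistent
rem    route would outlive the ARP entry it depends on.
route delete %BLOCKIP% >nul 2>&1
route add %BLOCKIP% mask 255.255.255.255 %SINK%

rem 3. Confirm from the routing table instead of trusting exit codes.
route print %BLOCKIP% | findstr /c:"%SINK%" >nul
if errorlevel 1 (
    echo Route for %BLOCKIP% was not installed.
    exit /b 1
)
echo %BLOCKIP% now routes to %SINK% (%SINKMAC%).
```

Running it from a startup task re-creates both entries after a reboot in the order the post requires, ARP first and route second.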
