6.13. Blackholing Routes with Zebra
Problem
You are getting hit hard by a spammer or other pest, and you would like to drop all traffic from them at your router, instead of hassling with content or packet filters.
Solution
You can set a null route in zebra.conf with an ip route line:
ip route 22.33.44.55/24 null0
You may also do this in a telnet session to zebra's vty port (vtysh accepts the same commands):
$ telnet localhost 2601
router1> enable
router1# configure terminal
router1(config)# ip route 22.33.44.55/24 null0
Another way to do the same thing is with this command:
router1(config)# ip route 22.33.44.55/24 blackhole
A variation on this is to use the reject option instead, which answers with an ICMP unreachable error ("Network is unreachable") rather than silently dropping:
router1(config)# ip route 22.33.44.55/24 reject
Change your mind with a no command:
router1(config)# no ip route 22.33.44.55/24 reject
Discussion
This blocks everything in the netblock that you specify, so you run the risk of blocking wanted traffic as well as unwanted if you cast your net too widely. Use ipcalc to tell you exactly which addresses you are blocking. CIDR notation lets you whittle it finely; for example, 22.33.44.55/32 is a single host address, 22.33.44.55/31 is two addresses, and 22.33.44.55/29 is eight. (Yes, ipcalc happily calculates made-up addresses.) Note that zebra masks off the host bits, so 22.33.44.55/24 is installed as 22.33.44.0/24 and covers all 256 addresses in that block, and a /8 covers 16,777,216. ipcalc reports 254 and 16,777,214 "hosts" for those because it leaves out the network and broadcast addresses; a route does not, so count the whole block when you judge how wide the net is.
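The arithmetic above is easy to get wrong at 3 a.m., so here is a small shell script, added as an example and not part of the book, that normalizes a prefix the way zebra will, counts every address it covers, refuses anything wider than a configurable limit, and prints the zebra command (or the iproute2 equivalent for a box without zebra). The /24 limit, the function names and the sample prefixes are this example's own choices; it prints commands rather than applying them.

```sh
#!/bin/sh
# Added example (not from the book): sanity-check a CIDR prefix before you
# null-route it, then print the zebra or iproute2 command that would apply it.
# Assumes a POSIX sh with 64-bit arithmetic (bash, dash and busybox qualify).
# Nothing here talks to zebra or the kernel; it only prints commands.

# Widest prefix we will blackhole without complaint (assumption: /24).
# A /8 is 16,777,216 addresses; a typo there blackholes a large slice of the net.
MIN_PREFIX_LEN=${MIN_PREFIX_LEN:-24}

# ip_to_int 22.33.44.55 -> 371211319 ; fails on a malformed address,
# including leading-zero octets, which some tools would read as octal
ip_to_int() {
    case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in 0[0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 371211319 -> 22.33.44.55
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_size 24 -> 256. A route matches every address in the block, network
# and broadcast included, so this is the real number of addresses affected.
prefix_size() {
    echo $(( 1 << (32 - $1) ))
}

# network_of 22.33.44.55/24 -> 22.33.44.0/24
# zebra and the kernel mask off the host bits anyway; doing it here makes the
# printed command say what the router will actually install.
network_of() {
    addr=${1%/*}
    len=${1#*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    n=$(ip_to_int "$addr") || return 1
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    echo "$(int_to_ip $(( n & mask )))/$len"
}

# checked_network CIDR -> normalized prefix, or an error on stderr and
# failure if it is malformed or wider than MIN_PREFIX_LEN
checked_network() {
    net=$(network_of "$1") || { echo "bad prefix: $1" >&2; return 1; }
    len=${net#*/}
    if [ "$len" -lt "$MIN_PREFIX_LEN" ]; then
        echo "refusing $net: covers $(prefix_size "$len") addresses (limit /$MIN_PREFIX_LEN)" >&2
        return 1
    fi
    echo "$net"
}

# blackhole_cmd CIDR [null0|blackhole|reject] -> the zebra config line
blackhole_cmd() {
    kind=${2:-blackhole}
    case $kind in null0|blackhole|reject) ;;
        *) echo "unknown zebra route type: $kind" >&2; return 1 ;; esac
    net=$(checked_network "$1") || return 1
    echo "ip route $net $kind"
}

# kernel_cmd CIDR [blackhole|unreachable] -> the same route via iproute2,
# for a host that runs no zebra ('unreachable' is the kernel's reject)
kernel_cmd() {
    kind=${2:-blackhole}
    case $kind in blackhole|unreachable) ;;
        *) echo "unknown kernel route type: $kind" >&2; return 1 ;; esac
    net=$(checked_network "$1") || return 1
    echo "ip route add $kind $net"
}

# Usage: sh blackhole.sh 22.33.44.55/24 [null0|blackhole|reject]
if [ "$#" -gt 0 ]; then
    blackhole_cmd "$@"
fi
```

Feed the printed line to zebra with vtysh -c 'configure terminal' -c "$(blackhole_cmd 22.33.44.55/24)", or paste it into the telnet session; the script exits non-zero, and prints nothing on stdout, when the prefix is malformed or wider than the limit, so a wrapper that runs the command only on success will not install a /8 by accident.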
The incoming packets are not blocked. Routing is done on the destination address, so the pest's packets still arrive at your router; what the null route throws away is everything your router would send back to that netblock, and nothing goes out to tell the sender "neener neener, you're being dev-nulled." For TCP that is enough, because no connection completes without your SYN-ACK. A one-way stream such as a UDP flood, or packets with forged source addresses, still reaches you and still consumes your bandwidth, so a null route is no substitute for ingress filtering against those. Or, to put it in more technical terms, the blackhole option ...