# The Cyber-Survival Guide - by yours truly.

## How to block a DoS attack using 'null route'

PS the below events are just an example and was not an event that took place but are actions you can take in the case of a DoS attack.

1. Check for a high load.

This can be done by running the 'uptime' command it should look like this:

xxx load average: 15.08, 18.30, 20.63

1. Check who is connected.

if you are not sure if it is a DOS attack, or just a single IP abusing the connection? Issue the following command to list all the IP addresses connected to your server

netstat -tn 2>/dev/null | grep :80 | awk '{print \$5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head


if you want to change the port to check where it says “grep :80” change the number to the desired port, the output should look like this:

215 122.163.226.243

189 114.198.236.100

156 120.63.179.245

 38 141.0.9.20
37 49.248.0.2
37 153.100.131.12
31 223.62.169.73
30 65.248.100.253
29 203.112.82.128
29 182.19.66.187


here are the connected IPs and as you can see the top three which I have labeled are taking 150+ connections which should not be the case, what are they trying to do? lets take a look

1. null route
215 122.163.226.243
189 114.198.236.100
156 120.63.179.245


I believe the above IPs are the cause of the high load issue, let's null route these IPs so that all the incoming connections from those 3 IPs will be dropped or ignored and see if the problem is solved.

there are 2 commands you can use one is an alternative

Null route command:

route add 122.163.226.243 gw 127.0.0.1 lo
route add 114.198.236.100 gw 127.0.0.1 lo
route add 120.63.179.245 gw 127.0.0.1 lo


Alternative command:

route add -host 122.163.226.243 reject


Do not use the IPs entered in the first section as they are just an example change them to the IP/s that have a high load

Then Uses 'netstat -nr' to display all the routes, to make sure they are added to the route table, the output should look like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
114.198.236.100 127.0.0.1       255.255.255.255 UGH       0 0          0 lo
120.63.179.245  127.0.0.1       255.255.255.255 UGH       0 0          0 lo
122.163.226.243 127.0.0.1       255.255.255.255 UGH       0 0          0 lo


Now check the load average to see if the problem has solved, the output should look like this (not exactly):

load average: 1.08, 5.30, 30.63 | as you can see the numbers are much lower than beforehand

For our final step check all the connected IPs again, to see if the attacker’s IPs are gone:

 40 141.0.9.20
37 49.248.0.2
36 153.100.131.12
31 223.62.169.73
25 65.248.100.253
29 203.112.82.128
29 182.19.66.187
38 142.0.9.20
28 141.121.9.20
38 141.0.9.201


As you can see they are gone which means this was a success, now this is not a fix that will always work as the route of the problem, if it is just a 'DoS attack' the chances are it will be fixed though and your problem is now solved.