
Null Routes on Cisco ASA

By Jason Howe. January 27, 2016 (September 11th, 2020). Categories: Best Practices, Blog, Cisco

Null routes are a great way to limit traffic from troublesome networks without growing your firewall Access Control Lists (ACLs), which in turn increases both the total CPU usage of the firewall and the latency of all traffic passing through it. Adding a line or two to the inbound or outbound ACL will not have much impact, but when you are looking at blocking hundreds of potential problem networks, a null route is a much better solution.

First off, this is an approximation of a null route, because the ASA requires a defined interface for every route.

So we will use the outside interface, but specify the localhost IP (127.0.0.1) as the gateway address.

For this example I will be using a real hacker attacking my inside Linux server. I see 19 failed SSH attempts from the following IP: 193.104.41.53

Aug 16 21:12:35 li281-141 sshd[5775]: Invalid user admin from 193.104.41.53

Aug 16 21:41:24 li281-141 sshd[6138]: Failed password for invalid user pi from 193.104.41.53 port 22059 ssh2

Aug 16 22:24:18 li281-141 sshd[6641]: Failed password for root from 193.104.41.53 port 18919 ssh2

So now I have found a bad guy, and I also know they are just pecking around, because they keep changing the username they are trying to attack.

I could add a special firewall rule, but I get ten of these a week, so over time I would have thousands of rules. The next step is to see where the hacker is coming from. For this I use one of the public whois servers.

https://www.ip-address.org/tracer/ip-whois.php

By doing a lookup I find out the hacker is from Moldova, and I also find there is a whole /24 network they might attack me from.

Whois Information:

Results for 193.104.41.53 :

% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
%       To receive output for a database update, use the "-B" flag.

% Information related to '193.104.41.0 - 193.104.41.255'

% No abuse contact registered for 193.104.41.0 - 193.104.41.255

inetnum:        193.104.41.0 - 193.104.41.255
netname:        VVPN-NET
descr:          PE Voronov Evgen Sergiyovich
country:        MD
org:            ORG-PESV2-RIPE
admin-c:        ESV1-RIPE
tech-c:         ESV1-RIPE
status:         ASSIGNED PI
mnt-by:         VVPN-MNT
mnt-by:         RIPE-NCC-END-MNT
mnt-routes:     VVPN-MNT
mnt-domains:    VVPN-MNT
created:        2009-10-12T11:34:50Z
last-modified:  2015-06-01T15:18:26Z
source:         RIPE # Filtered

organisation:   ORG-PESV2-RIPE
org-name:       PE Voronov Evgen Sergiyovich
org-type:       OTHER
descr:          PE Evgen Sergeevich Voronov
address:        25 October street, 118-15
address:        Tiraspol, Transdnistria
phone:          +373 533 50404
admin-c:        ESV1-RIPE
tech-c:         ESV1-RIPE
mnt-ref:        VVPN-MNT
mnt-by:         VVPN-MNT
created:        2009-07-24T18:52:57Z
last-modified:  2010-01-12T19:38:04Z
source:         RIPE # Filtered

person:         Evgen Sergeevich Voronov
address:        25 October street, 118-15
address:        Tiraspol, Transdnistria

So now I have a block of addresses, and I know it is in a country that is attacking me but that I have no legitimate business with. This is a prime example of a network we would want to null route.

On the Cisco ASA I would use the command:

route outside 193.104.41.0 255.255.255.0 127.0.0.1

After adding this on my firewall I no longer see any scans or authentication failures on the server.
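The workflow above (spot repeated sshd failures, aggregate the source to its /24, and emit the ASA route) is easy to script once you have more than a handful of offenders. The following Python is an added example written for this article, not code from the original post or from Cisco. The log lines are constructed in the same format as the sshd output shown above, and the failure threshold, the /24 aggregation and the RFC 1918 allow-list are my assumptions; review every generated command before pasting it into the ASA.

```python
"""Turn sshd brute-force log lines into Cisco ASA null-route commands.

Added example, not part of the original post. The sample log is constructed
to match the sshd format shown in the article; the threshold, the /24
aggregation and the allow-list are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the post's sshd output.
# Includes a successful login and an internal-address failure so the
# filters below have something to exclude.
SAMPLE_LOG = """\
Aug 16 21:12:35 li281-141 sshd[5775]: Invalid user admin from 193.104.41.53
Aug 16 21:41:24 li281-141 sshd[6138]: Failed password for invalid user pi from 193.104.41.53 port 22059 ssh2
Aug 16 22:24:18 li281-141 sshd[6641]: Failed password for root from 193.104.41.53 port 18919 ssh2
Aug 16 22:30:01 li281-141 sshd[6702]: Accepted publickey for jason from 10.0.0.5 port 50122 ssh2
Aug 16 22:31:09 li281-141 sshd[6710]: Failed password for root from 198.51.100.7 port 41000 ssh2
Aug 16 22:32:44 li281-141 sshd[6718]: Failed password for backup from 10.0.0.9 port 39021 ssh2
"""

# Matches both "Invalid user X from IP" and "Failed password for [invalid user] X from IP".
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user \S+|Failed password for (?:invalid user )?\S+)"
    r" from (\d{1,3}(?:\.\d{1,3}){3})"
)

# Never null-route your own address space (assumed: RFC 1918 ranges).
DEFAULT_ALLOW = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def count_failures(log_text):
    """Count failed-authentication events per source IP address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILURE_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def offending_networks(counts, threshold, prefix_len=24):
    """Aggregate offending IPs to /prefix_len networks and keep those at or above threshold."""
    per_net = Counter()
    for ip, hits in counts.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        per_net[net] += hits
    return sorted(net for net, hits in per_net.items() if hits >= threshold)


def asa_null_route(net, interface="outside", gateway="127.0.0.1"):
    """Render the ASA command used in the article for one network."""
    return f"route {interface} {net.network_address} {net.netmask} {gateway}"


def build_commands(log_text, threshold=3, allow=DEFAULT_ALLOW):
    """Full pipeline: log text -> list of ASA route commands, skipping allowed space."""
    allowed = [ipaddress.ip_network(a) for a in allow]
    commands = []
    for net in offending_networks(count_failures(log_text), threshold):
        if any(net.overlaps(a) for a in allowed):
            continue  # internal or partner space: investigate, do not null-route
        commands.append(asa_null_route(net))
    return commands


if __name__ == "__main__":
    for cmd in build_commands(SAMPLE_LOG):
        print(cmd)
```

With the constructed sample and the default threshold of three failures, the script prints exactly the command from the article, `route outside 193.104.41.0 255.255.255.0 127.0.0.1`; the single failure from 198.51.100.7 stays below the threshold and the internal 10.0.0.9 failure is excluded by the allow-list regardless of count. Keeping the allow-list check in the script matters more than the regex: a null route for a /24 drops the firewall's forwarding toward every host in it, so a mis-aggregated internal or partner range would take down legitimate traffic.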

Jason Howe, PEI
