Null routes are a great way to limit traffic from troublesome networks without growing your firewall Access Control Lists (ACLs), which in turn increases both the total CPU usage of the firewall and the delay of all traffic passing through it. Adding a line or two to the inbound or outbound ACL will not have much impact, but when you are looking at blocking hundreds of potential problem networks, the null route is a much better solution.
First off, this is an approximation of a null route, because the ASA requires a defined interface for every route.
So we will be using the outside interface, but with the localhost address (127.0.0.1) as the gateway.
For this example I will be using a real hacker attacking my inside Linux server. I see I have 19 failed SSH login attempts from the following IP: 193.104.41.53
Aug 16 21:12:35 li281-141 sshd[5775]: Invalid user admin from 193.104.41.53
Aug 16 21:41:24 li281-141 sshd[6138]: Failed password for invalid user pi from 193.104.41.53 port 22059 ssh2
Aug 16 22:24:18 li281-141 sshd[6641]: Failed password for root from 193.104.41.53 port 18919 ssh2
So now I have found a bad guy, and I also know they are just pecking around, because they keep changing the username they are trying to attack.
I could add a special firewall rule, but I get ten of these a week, so I have thousands. The next step is to see where the hacker is coming from. For this I use one of the public whois servers.
https://www.ip-address.org/tracer/ip-whois.php
By doing a lookup I find out the hacker is in Moldova, and I also find out there is a whole /24 network that they might attack me from.
Whois Information:
Results for 193.104.41.53 :
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '193.104.41.0 - 193.104.41.255'
% No abuse contact registered for 193.104.41.0 - 193.104.41.255
inetnum: 193.104.41.0 - 193.104.41.255
netname: VVPN-NET
descr: PE Voronov Evgen Sergiyovich
country: MD
org: ORG-PESV2-RIPE
admin-c: ESV1-RIPE
tech-c: ESV1-RIPE
status: ASSIGNED PI
mnt-by: VVPN-MNT
mnt-by: RIPE-NCC-END-MNT
mnt-routes: VVPN-MNT
mnt-domains: VVPN-MNT
created: 2009-10-12T11:34:50Z
last-modified: 2015-06-01T15:18:26Z
source: RIPE # Filtered
organisation: ORG-PESV2-RIPE
org-name: PE Voronov Evgen Sergiyovich
org-type: OTHER
descr: PE Evgen Sergeevich Voronov
address: 25 October street, 118-15
address: Tiraspol, Transdnistria
phone: +373 533 50404
admin-c: ESV1-RIPE
tech-c: ESV1-RIPE
mnt-ref: VVPN-MNT
mnt-by: VVPN-MNT
created: 2009-07-24T18:52:57Z
last-modified: 2010-01-12T19:38:04Z
source: RIPE # Filtered
person: Evgen Sergeevich Voronov
address: 25 October street, 118-15
address: Tiraspol, Transdnistria
So now I have a block of addresses, and I know it is in a country that is attacking me but with which I have no legitimate business. This is a prime example of a network we would want to null route.
On the Cisco ASA I would use the command:
route outside 193.104.41.0 255.255.255.0 127.0.0.1
After adding this on my firewall I no longer see any scans or authentication failures from that network on the server.
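The workflow above (find the failing source IPs in the sshd log, roll them up to the /24 the whois record describes, then write the ASA route line) can be scripted so the hundreds of weekly hits do not have to be handled by hand. This is an added example, not code from the original post; the log lines are constructed samples, and the /24 roll-up assumes the whole /24 is the attacker's allocation, which you would still confirm with whois as the post does.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (not the original server's full log).
SAMPLE_LOG = """\
Aug 16 21:12:35 li281-141 sshd[5775]: Invalid user admin from 193.104.41.53
Aug 16 21:41:24 li281-141 sshd[6138]: Failed password for invalid user pi from 193.104.41.53 port 22059 ssh2
Aug 16 22:24:18 li281-141 sshd[6641]: Failed password for root from 193.104.41.53 port 18919 ssh2
Aug 16 22:30:01 li281-141 sshd[6702]: Failed password for root from 193.104.41.77 port 40111 ssh2
Aug 16 22:31:09 li281-141 sshd[6710]: Accepted publickey for deploy from 203.0.113.10 port 51000 ssh2
Aug 16 22:35:44 li281-141 sshd[6733]: Failed password for invalid user test from 198.51.100.9 port 3022 ssh2
"""

# Matches both "Invalid user X from IP" and "Failed password for ... from IP" sshd lines.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)"
)


def failed_logins_by_ip(log_text):
    """Count sshd authentication failures per source IP; successful logins are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def failures_by_prefix(counts, prefixlen=24):
    """Roll per-IP failure counts up to the enclosing prefix (default /24, as in the whois record)."""
    nets = Counter()
    for ip, n in counts.items():
        nets[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)] += n
    return nets


def asa_null_routes(nets, threshold, interface="outside"):
    """Emit ASA 'route' lines for prefixes with at least `threshold` failures,
    using 127.0.0.1 as the gateway exactly as the post's example command does."""
    lines = []
    for net in sorted(nets, key=lambda n: -nets[n]):
        if nets[net] >= threshold:
            lines.append(f"route {interface} {net.network_address} {net.netmask} 127.0.0.1")
    return lines


if __name__ == "__main__":
    for cmd in asa_null_routes(failures_by_prefix(failed_logins_by_ip(SAMPLE_LOG)), 3):
        print(cmd)
```

Pick the threshold to match your own noise level; a single failure from a prefix is not enough evidence to black-hole it, and every generated line should still be reviewed before it goes onto the firewall.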
Jason Howe, PEI