Static routing to Null0 interface on Internet edge router

Answered Question
Apr 3rd, 2009

Dear Friends,

While trying to understand the configs of an Internet edge router, I came across 20-25 static routes for public networks pointing to the Null0 interface. Please find these static routes below.

ip route 1.0.0.0 255.0.0.0 Null0
ip route 2.0.0.0 255.0.0.0 Null0
ip route 5.0.0.0 255.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 14.0.0.0 255.0.0.0 Null0
ip route 23.0.0.0 255.0.0.0 Null0
ip route 27.0.0.0 255.0.0.0 Null0
ip route 31.0.0.0 255.0.0.0 Null0
ip route 36.0.0.0 255.0.0.0 Null0
ip route 37.0.0.0 255.0.0.0 Null0
ip route 39.0.0.0 255.0.0.0 Null0
ip route 42.0.0.0 255.0.0.0 Null0
ip route 46.0.0.0 255.0.0.0 Null0
ip route 49.0.0.0 255.0.0.0 Null0
ip route 50.0.0.0 255.0.0.0 Null0
ip route <Local Public Segment> 255.255.248.0 Null0
ip route 100.0.0.0 255.0.0.0 Null0
ip route 101.0.0.0 255.0.0.0 Null0
ip route 102.0.0.0 255.0.0.0 Null0
ip route 103.0.0.0 255.0.0.0 Null0
ip route 104.0.0.0 255.0.0.0 Null0
ip route 105.0.0.0 255.0.0.0 Null0
ip route 106.0.0.0 255.0.0.0 Null0
ip route 107.0.0.0 255.0.0.0 Null0
ip route 127.0.0.0 255.0.0.0 Null0
ip route 169.254.0.0 255.255.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 175.0.0.0 255.0.0.0 Null0
ip route 176.0.0.0 255.0.0.0 Null0
ip route 177.0.0.0 255.0.0.0 Null0
ip route 179.0.0.0 255.0.0.0 Null0
ip route 180.0.0.0 255.0.0.0 Null0
ip route 181.0.0.0 255.0.0.0 Null0
ip route 182.0.0.0 255.0.0.0 Null0
ip route 183.0.0.0 255.0.0.0 Null0
ip route 185.0.0.0 255.0.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 198.18.0.0 255.254.0.0 Null0
ip route 223.0.0.0 255.0.0.0 Null0

The Internet edge router is also BGP peering with the ISP router and is allowing only the default route to come into it from the ISP.

Any idea on the reason behind why these statics were configured?

Thanks a lot

Gautam

Correct Answer
lamav Fri, 04/03/2009 - 15:44

Yes.

BGP will not advertise a prefix if it does not already exist in the IGP RIB. This is part of its synchronization rule. The idea is that when it receives traffic for the network it is going to advertise, its internal routers will know how to route it.

[EDIT] I should have mentioned that these addresses are known as bogons and should never be advertised to the Internet.

These static routes, I'm sure, are part of a bogon filter. [EDIT]

Can you post the entire router configuration?

HTH

Victor

Mohamed Sobair Sat, 04/04/2009 - 03:00

Hi,

I am wondering why you need such static routes. Do all those networks belong to a single autonomous system? You are actually black-holing all traffic destined for those networks.

HTH

Mohamed

Rick Morris Mon, 04/06/2009 - 11:00

Remove these routes.

As stated, these are bogons and should only be added to an ACL to deny any of these routes being advertised to you.

Here is what I have on my router for your reference:

router bgp 65001
 neighbor 201.AAA.BBB.130 route-map IN in
!
ip prefix-list IN seq 5 deny 0.0.0.0/8 le 32
ip prefix-list IN seq 10 deny 1.0.0.0/8 le 32
ip prefix-list IN seq 15 deny 2.0.0.0/8 le 32
ip prefix-list IN seq 20 deny 5.0.0.0/8 le 32
ip prefix-list IN seq 30 deny 10.0.0.0/8 le 32
ip prefix-list IN seq 32 deny 14.0.0.0/8 le 32
ip prefix-list IN seq 35 deny 23.0.0.0/8 le 32
ip prefix-list IN seq 40 deny 27.0.0.0/8 le 32
ip prefix-list IN seq 45 deny 31.0.0.0/8 le 32
ip prefix-list IN seq 50 deny 36.0.0.0/8 le 32
ip prefix-list IN seq 55 deny 37.0.0.0/8 le 32
ip prefix-list IN seq 60 deny 39.0.0.0/8 le 32
ip prefix-list IN seq 70 deny 42.0.0.0/8 le 32
ip prefix-list IN seq 75 deny 46.0.0.0/8 le 32
ip prefix-list IN seq 80 deny 49.0.0.0/8 le 32
ip prefix-list IN seq 85 deny 50.0.0.0/8 le 32
ip prefix-list IN seq 255 deny 100.0.0.0/8 le 32
ip prefix-list IN seq 260 deny 101.0.0.0/8 le 32
ip prefix-list IN seq 265 deny 102.0.0.0/8 le 32
ip prefix-list IN seq 270 deny 103.0.0.0/8 le 32
ip prefix-list IN seq 275 deny 104.0.0.0/8 le 32
ip prefix-list IN seq 280 deny 105.0.0.0/8 le 32
ip prefix-list IN seq 285 deny 106.0.0.0/8 le 32
ip prefix-list IN seq 290 deny 107.0.0.0/8 le 32
ip prefix-list IN seq 390 deny 127.0.0.0/8 le 32
ip prefix-list IN seq 395 deny 169.254.0.0/16 le 32
ip prefix-list IN seq 400 deny 172.16.0.0/12 le 32
ip prefix-list IN seq 415 deny 175.0.0.0/8 le 32
ip prefix-list IN seq 420 deny 176.0.0.0/8 le 32
ip prefix-list IN seq 425 deny 177.0.0.0/8 le 32
ip prefix-list IN seq 435 deny 179.0.0.0/8 le 32
ip prefix-list IN seq 440 deny 180.0.0.0/8 le 32
ip prefix-list IN seq 445 deny 181.0.0.0/8 le 32
ip prefix-list IN seq 450 deny 182.0.0.0/8 le 32
ip prefix-list IN seq 455 deny 183.0.0.0/8 le 32
ip prefix-list IN seq 465 deny 185.0.0.0/8 le 32
ip prefix-list IN seq 490 deny 192.0.2.0/24 le 32
ip prefix-list IN seq 500 deny 192.168.0.0/16 le 32
ip prefix-list IN seq 512 deny 198.18.0.0/15 le 32
ip prefix-list IN seq 515 deny 223.0.0.0/8 le 32
ip prefix-list IN seq 520 deny 224.0.0.0/3 le 32
!
route-map IN permit 20
 match ip address prefix-list IN
!

Correct Answer
Giuseppe Larosa Mon, 04/06/2009 - 11:45

Hello Gautam,

These static routes to Null0 are probably used for security reasons on the border router.

If from inside your network a worm tries to contact one of these addresses, the packet is silently discarded using the Null0 waste bin.

It is a way to ensure that packets with any of these unused address blocks are not sent from inside your network to the Internet (I've checked a few on a looking glass: they are unused, and with a community no-export associated to a private AS number in a more complex ISP-level scenario).

It is more efficient than using an outbound ACL on the WAN interface, for example.

Edit:

I suggest keeping the static routes in place: they do a security job, preventing packets with a source address within your organization and a destination in these unused address blocks from going to the Internet.

It is better than being called by your upstream ISPs.

Hope to help

Giuseppe
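The forwarding behaviour described in this reply, as an added example that is not part of the original thread: with only a default route learned from the ISP, any more-specific Null0 static wins the longest-prefix match and the packet is dropped. The sample config is six of the statics from the question; the "ISP" next-hop label and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: six of the statics quoted in the question.
CONFIG = """\
ip route 1.0.0.0 255.0.0.0 Null0
ip route 10.0.0.0 255.0.0.0 Null0
ip route 172.16.0.0 255.240.0.0 Null0
ip route 192.0.2.0 255.255.255.0 Null0
ip route 192.168.0.0 255.255.0.0 Null0
ip route 198.18.0.0 255.254.0.0 Null0
"""

# Special-purpose ranges among the quoted statics (private, loopback,
# link-local, documentation, benchmarking); these stay non-routable.
SPECIAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.2.0/24", "192.168.0.0/16", "198.18.0.0/15")]

def parse_statics(text):
    """Return [(network, next_hop)] for each 'ip route <net> <mask> <hop>' line."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[:2] == ["ip", "route"]:
            routes.append((ipaddress.ip_network(f"{f[2]}/{f[3]}"), f[4]))
    return routes

def build_fib(statics, default_hop="ISP"):
    """Add the BGP-learned default route; 'ISP' is a placeholder label."""
    return statics + [(ipaddress.ip_network("0.0.0.0/0"), default_hop)]

def lookup(fib, dst):
    """Longest-prefix match: the most specific covering route decides."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in fib if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def needs_review(statics):
    """Null0 routes outside SPECIAL were bogons only while unallocated."""
    return [str(net) for net, hop in statics
            if hop == "Null0" and not any(net.subnet_of(s) for s in SPECIAL)]

if __name__ == "__main__":
    statics = parse_statics(CONFIG)
    fib = build_fib(statics)
    for dst in ("10.1.2.3", "192.0.2.55", "8.8.8.8"):
        print(dst, "->", lookup(fib, dst))
    print("re-check against the IANA registry:", needs_review(statics))
```

Entries returned by `needs_review` depend on the allocation state at the time the list was written; 1.0.0.0/8, for instance, has since been allocated, so a static like this now drops traffic to real destinations.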

gautamzone Tue, 04/07/2009 - 07:38

Dear friends,

Thanks a lot for your kind responses.

Sorry for not being able to respond to any of your posts earlier.

The bgp config is as follows:

router bgp 47901
 no synchronization
 bgp router-id 94.125.x.x
 bgp log-neighbor-changes
 network x.x.x.x mask 255.255.255.248
 network x.x.x.x mask 255.255.255.248
 neighbor 78.100.38.41 prefix-list allow-default in
 neighbor 78.100.38.41 route-map localpref-qtellink2 in
 no auto-summary
ip prefix-list allow-default seq 5 permit 0.0.0.0/0
ip prefix-list allow-default seq 10 deny 0.0.0.0/0 le 32

I believe that we are already doing enough filtering to allow only default routes in from the ISP.

However, as Giuseppe said, it will be good to prevent internal attacks from happening.

Thanks a lot

Gautam
