Is there an IP address that would result in any packet sent to be ignored (blackholed)?
I know I can always set up a router with an IP address and then just have it ignore all packets sent to it, but does such a thing exist to save me the trouble?
asked Jan 7, 2014 at 17:45
-
2There are some devices (like routers and switches from that San Francisco co.) that use a Null interface that could be used as a black hole to malicious traffic. One should point a route to that Null interface so all traffic to that route be discarded.– Adriano PCommented Jan 8, 2014 at 16:22
-
15you may be interested in devnull-as-a-service.com– wcharginCommented Jan 8, 2014 at 23:28
-
2I am curious, why is the question tagged "spam-prevention"?– Mike PenningtonCommented Jan 9, 2014 at 2:44
-
@MikePennington The idea is to route spam SYN packets to the black hole. If you just refuse them, they move on to the next target. If you blackhole them, their socket blocks until it times out. This can slow down a spam server by 1000x or more. Imagine if we had 1000x less spam.– Tyler DurdenCommented Jun 16, 2020 at 1:26
Add a comment
|
7 Answers
There's specifically a blackhole prefix in IPV6, as described in RFC 6666, it's 100::/64. IP4 does not have an explicit black hole like that, but a non-existent host on one of the reserved blocks would have that effect. (e.g., 240.0.0.0/4 is "reserved for future use" and will not be routed by anything.)
-
53Sending data to something reserved for future use is only a good idea until that future use is realized.– corsiKaCommented Jan 8, 2014 at 19:12
-
7Very good point, though I highly doubt that IP4 will be expanded much again.– BandramiCommented Jan 9, 2014 at 4:28
-
8But is the router guaranteed to drop the packets? Because if it returns ICMP "destination unreachable", it would be not what the OP asked for.– WGHCommented Mar 22, 2014 at 14:28
-
2I can confirm that 240.0.0.0 works. When I try to ping that address the computer hangs, which is what we want. Commented Jun 16, 2020 at 1:23
There is such a thing as network Black hole.
If there are no devices in the network with IP address 192.168.0.10, then this IP address is kind of black hole and it will "discard" all the traffic to it, simply because it does not exist.
Protocols which keep track of connection state (TCP) can detect a missing destination host. It will not happen with UDP and packets will just die while the sending host will not be informed about that.
You can setup black hole with firewall by setting it up to silently drop packets (not reject) from particular (or many) addresses.
As far as I know there is no such network standard address which will do black hole for you in TCP/IP version 4 (Thanks to Bandrami).
So you have two options:
- An IP address which was not assigned to any host;
- Host with firewall which silently drops packets or variations of it, for example using
netcat: (as suggested by ultrasawblade).
nc -vv -l 25 > /dev/null will listen for inbound connections on TCP port 25 and pipe the results to /dev/null. More examples here.
The entire subnet also can be a black hole (Null route).
-
4If you want something that will receive TCP traffic, but do nothing with it, something quick can be setup with
nc(ornetcat). As @Nikolay says though, there's not a "blackhole" IP that does this automatically. Commented Jan 7, 2014 at 18:00 -
2
-
-
2
While it isn't a black-hole, you might also want to consider the IPs set aside for test/example purposes (by RFC 5737), especially if your goal is a "safely non-working default" value.
192.0.2.0/24(TEST-NET-1),198.51.100.0/24(TEST-NET-2)203.0.113.0/24(TEST-NET-3)
Network operators SHOULD add these address blocks to the list of non-routeable address spaces, and if packet filters are deployed, then this address block SHOULD be added to packet filters.
There's no guarantee that packets to those addresses will be blocked (that depends on your ISP, etc.) but certainly nobody should be already using them.
-
1
-
2192.0.2.0 seems to work on my first try, not returning any packets so far. I will do some more testing. Commented Sep 16, 2015 at 17:39
There's no "standard blackhole address" as such, nor is there really any requirement for it. You don't say what you're actually trying to achieve, so I can't help you do so, but here are some wrong solutions for your problem that would answer your question as you asked it:
- You can use an RFC1918 address that's not in use on your network and rely on your ISP to drop it for you. For example, if you're only using some parts of 192.168, 10.255.255.1 would be null-routed by your ISP (which would get it thanks to your default gateway).
- You can use an IP address that's reserved for future use (and will probably never be used); that's the old "Class E" range. It'll do the same as above, but will work even if you use all of the private address ranges already (by having much broader netmasks than necessary, I doubt that you'll have millions of attached devices). For example, 254.0.0.1 will never (legally) refer to a real device.
- On the machine where you need this, you can add a drop-only target; using an unused address such as the above, for example,
iptables -I OUTPUT -d 254.0.0.0/8 -j DROPwill ensure anything sent to that "network" will be silently dropped instead of bothering any gateways, or even causing traffic on the actual network interface.
Again, you probably don't actually want any of this, even if you think it's convenient - it's not, it's confusing and non-obvious and not a good solution to whatever your problem really is.
-
254.0.0.1 does not black hole packets, I get a "transmit failure" error. Commented Jan 7, 2014 at 18:09
-
9
-
These techniques are quite useful for quickly testing how an application/website behaves when encountering unexpected network glitches...– zeroimplCommented Mar 11, 2020 at 2:50
Side stepping your question, what about using the "discard protocol"?
Test Ranges
I would probably suggest one of the "TEST-NET" address ranges, "for use in documentation and examples. It should not be used publicly".
192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
"Bogon" (Bogus/Fake) Ranges
I'm not sure where to say here, this appears to be more of a practice that an Internet gateway would provide, rather than a specific way to implement a packet that is routed somewhere it shoudln't be
Local Ranges
There is also loopback address range, 127.0.0.0/8, eg 127.0.0.255. Though its still possible for things to exist there, specifically any services on the local machine, at least you won't interfere with any machines on the network (unless your have network services that are backed by other network services I guess).
127.0.0.0/8
Illegal Destination Ranges
Perhaps the illegal address 0.0.0.0 can be used as well, though 0.0.0.0/8 is reserved for "Used for broadcast messages to the current ("this")" so there is risk of broatcasting on that.
0.0.0.0/8
The Wikipedia Page for Null Route states:
Null routes are typically configured with a special route flag, but can also be implemented by forwarding packets to an illegal IP address such as 0.0.0.0, or the loopback address.
-
I overall opted to use
localhoston the highest port65535though, Because I wanted to ensure no traffic would leave the host. Commented Nov 18, 2015 at 21:55 -
If you specify the port, then you have to specify each protocol as well: TCP, UDP, etc. and in doing so, some traffic may escape your rules (e.g. ICMP).– DrakesCommented Nov 22, 2017 at 20:44
One thing to consider (which may or may not be a problem for your particular scenario) is that if you redirect traffic to an IP address that does not exist, the router and/or host may attempt to continuously ARP for that address, which could be a bad thing.
If you configure a static ARP<->IP binding for this phantom address, then the system will always have a resolved ARP entry, and it will just put the packet on the wire with that ARP address (which, assumedly, is bogus) and the traffic won't actually land anywhere.
Again, this may very well NOT be what you actually want, but it's worth considering.
