96
19
Is there an IP address that would result in any packet sent to be ignored (blackholed)?
I know I can always set up a router with an IP address and then just have it ignore all packets sent to it, but does such a thing exist to save me the trouble?
Tyler Durden
Posted 2014-01-07T17:45:20.533
Reputation: 4 710
86
There's specifically a blackhole prefix in IPV6, as described in RFC 6666, it's 100::/64. IP4 does not have an explicit black hole like that, but a non-existent host on one of the reserved blocks would have that effect. (e.g., 240.0.0.0/4 is "reserved for future use" and will not be routed by anything.)
Bandrami
Posted 2014-01-07T17:45:20.533
Reputation: 1 543
35Sending data to something reserved for future use is only a good idea until that future use is realized. – corsiKa – 2014-01-08T19:12:24.010
5Very good point, though I highly doubt that IP4 will be expanded much again. – Bandrami – 2014-01-09T04:28:20.460
8But is the router guaranteed to drop the packets? Because if it returns ICMP "destination unreachable", it would be not what the OP asked for. – WGH – 2014-03-22T14:28:53.957
41
There is such a thing as network Black hole.
If there are no devices in the network with IP address 192.168.0.10, then this IP address is kind of black hole and it will "discard" all the traffic to it, simply because it does not exist.
Protocols which keep track of connection state (TCP) can detect a missing destination host. It will not happen with UDP and packets will just die while the sending host will not be informed about that.
You can setup black hole with firewall by setting it up to silently drop packets (not reject) from particular (or many) addresses.
As far as I know there is no such network standard address which will do black hole for you in TCP/IP version 4 (Thanks to Bandrami).
So you have two options:
netcat: (as suggested by ultrasawblade).nc -vv -l 25 > /dev/null will listen for inbound connections on TCP port 25 and pipe the results to /dev/null. More examples here.
The entire subnet also can be a black hole (Null route).
VL-80
Posted 2014-01-07T17:45:20.533
Reputation: 3 867
4If you want something that will receive TCP traffic, but do nothing with it, something quick can be setup with nc (or netcat). As @Nikolay says though, there's not a "blackhole" IP that does this automatically. – LawrenceC – 2014-01-07T18:00:14.693
2At least not in IP4 – Bandrami – 2014-01-07T18:07:47.420
@Bandrami: What about IPv6, then? – user2357112 supports Monica – 2014-01-08T01:45:24.073
21
While it isn't a black-hole, you might also want to consider the IPs set aside for test/example purposes (by RFC 5737), especially if your goal is a "safely non-working default" value.
192.0.2.0/24 (TEST-NET-1),198.51.100.0/24 (TEST-NET-2)203.0.113.0/24 (TEST-NET-3) Network operators SHOULD add these address blocks to the list of non-routeable address spaces, and if packet filters are deployed, then this address block SHOULD be added to packet filters.
There's no guarantee that packets to those addresses will be blocked (that depends on your ISP, etc.) but certainly nobody should be already using them.
Darien
Posted 2014-01-07T17:45:20.533
Reputation: 311
1192.0.2.0 seems to work on my first try, not returning any packets so far. I will do some more testing. – Tyler Durden – 2015-09-16T17:39:30.240
1They can also be REJECTed instead of DROPped, so… – mirabilos – 2014-01-08T19:57:29.387
17
There's no "standard blackhole address" as such, nor is there really any requirement for it. You don't say what you're actually trying to achieve, so I can't help you do so, but here are some wrong solutions for your problem that would answer your question as you asked it:
iptables -I OUTPUT -d 254.0.0.0/8 -j DROP will ensure anything sent to that "network" will be silently dropped instead of bothering any gateways, or even causing traffic on the actual network interface.Again, you probably don't actually want any of this, even if you think it's convenient - it's not, it's confusing and non-obvious and not a good solution to whatever your problem really is.
Gabe
Posted 2014-01-07T17:45:20.533
Reputation: 1 837
254.0.0.1 does not black hole packets, I get a "transmit failure" error. – Tyler Durden – 2014-01-07T18:09:44.937
8+1 for "you probably don't actually want any of this..." – RBerteig – 2014-01-07T21:57:06.983
3
I would probably suggest one of the "TEST-NET" address ranges, "for use in documentation and examples. It should not be used publicly".
192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
I'm not sure where to say here, this appears to be more of a practice that an Internet gateway would provide, rather than a specific way to implement a packet that is routed somewhere it shoudln't be
There is also loopback address range, 127.0.0.0/8, eg 127.0.0.255. Though its still possible for things to exist there, specifically any services on the local machine, at least you won't interfere with any machines on the network (unless your have network services that are backed by other network services I guess).
127.0.0.0/8
Perhaps the illegal address 0.0.0.0 can be used as well, though 0.0.0.0/8 is reserved for "Used for broadcast messages to the current ("this")" so there is risk of broatcasting on that.
0.0.0.0/8
The Wikipedia Page for Null Route states:
Null routes are typically configured with a special route flag, but can also be implemented by forwarding packets to an illegal IP address such as 0.0.0.0, or the loopback address.
ThorSummoner
Posted 2014-01-07T17:45:20.533
Reputation: 861
I overall opted to use localhost on the highest port 65535 though, Because I wanted to ensure no traffic would leave the host.
If you specify the port, then you have to specify each protocol as well: TCP, UDP, etc. and in doing so, some traffic may escape your rules (e.g. ICMP). – Drakes – 2017-11-22T20:44:04.243
3
Side stepping your question, what about using the "discard protocol"?
wilx
Posted 2014-01-07T17:45:20.533
Reputation: 146
1
One thing to consider (which may or may not be a problem for your particular scenario) is that if you redirect traffic to an IP address that does not exist, the router and/or host may attempt to continuously ARP for that address, which could be a bad thing.
If you configure a static ARP<->IP binding for this phantom address, then the system will always have a resolved ARP entry, and it will just put the packet on the wire with that ARP address (which, assumedly, is bogus) and the traffic won't actually land anywhere.
Again, this may very well NOT be what you actually want, but it's worth considering.
ljwobker
Posted 2014-01-07T17:45:20.533
Reputation: 256
2There are some devices (like routers and switches from that San Francisco co.) that use a Null interface that could be used as a black hole to malicious traffic. One should point a route to that Null interface so all traffic to that route be discarded. – Adriano P – 2014-01-08T16:22:29.450
12
you may be interested in http://devnull-as-a-service.com
– wchargin – 2014-01-08T23:28:31.4632I am curious, why is the question tagged "spam-prevention"? – Mike Pennington – 2014-01-09T02:44:46.500
@WChargin, I hope that was a joke -
– VL-80 – 2014-01-10T14:29:13.930devnull-as-a-service.comdoes not seem to have anything to do with networking and even it does look like a crap. What is this:When we say "government" we mean NSA, CIA, FBI, TSA, Communist Party of China (CPC), Nestle, The Coca-Cola Company, the KGB, some of your coworkers and our friends (especially if there is something funny).?5
@Nikolay yes, it was a joke, as is the website. See their Github README: "It's mostly about the enterprise, cloud, *-as-a-Service and criticism on it." (emphasis mine)
– wchargin – 2014-01-10T15:23:12.960@WChargin, I see this point! Nice joke (: ! – VL-80 – 2014-01-10T15:47:46.903