Null Route DDOS attack on Windows Platform

By admin, February 22, 2012 7:30 pm

This little trick only works against entry-level attackers; it won't stand a chance against an advanced one, let alone a DDoS that works by pure bandwidth consumption (I don't think there is a way to mitigate that at the server at all; if you know one, please drop me a line).

First I tried the following intuitive command on Windows Server 2003 and found out it doesn't work: for some reason, Windows does not accept 127.0.0.1 as the gateway of a route.

route add DDOS_IP MASK 255.255.255.255 127.0.0.1

* Assume DDOS_IP is the DDOS source IP Address.

The solution is to create a loopback (i.e. fake) NIC: go to Control Panel, then Add Hardware > Network Card > Microsoft Loopback Adapter.

In its Properties, uncheck every binding except TCP/IP, assign it a fake IP (say 192.168.80.8) and, of course, disable WINS on it.

Finally, simply route the crap to this fake destination:

route add DDOS_IP MASK 255.255.255.255 192.168.80.8

If you want the route to survive a reboot, add the -p parameter: route -p add DDOS_IP MASK 255.255.255.255 192.168.80.8

To remove it, type "route delete DDOS_IP".

In addition, if you want to block the whole class C block (i.e. 256 IPs, mask /24) of the DDoS source, use the network address (last octet 0) with a /24 mask:

route add DDOS_IP MASK 255.255.255.0 192.168.80.8

For example: route add 202.128.110.0 MASK 255.255.255.0 192.168.80.8

Finally, how do you know which IP is DDoSing your server? Well, if you find an IP with many connections in LAST_ACK in the netstat output, there is a very high probability that this IP is the DDoS attacker.
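As an added example (not from the original post), here is a small Python script that does the LAST_ACK check above over a constructed `netstat -an` sample and turns the suspect IPs into the exact `route add` lines used in this post; the threshold of 3, the sample addresses and the 192.168.80.8 sink are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            202.128.110.7:40211    LAST_ACK
  TCP    10.0.0.5:80            202.128.110.7:40212    LAST_ACK
  TCP    10.0.0.5:80            202.128.110.7:40213    LAST_ACK
  TCP    10.0.0.5:80            202.128.110.7:40214    LAST_ACK
  TCP    10.0.0.5:80            198.51.100.23:51000    ESTABLISHED
  TCP    10.0.0.5:80            198.51.100.23:51001    LAST_ACK
  TCP    10.0.0.5:3389          203.0.113.9:61000      ESTABLISHED
  UDP    0.0.0.0:161            *:*
"""

# TCP rows only: local address, then foreign IPv4:port, then the state column.
LINE_RE = re.compile(r"^\s*TCP\s+\S+\s+(\d+\.\d+\.\d+\.\d+):\d+\s+(\S+)\s*$")

def count_states(netstat_text):
    """Return {remote_ip: Counter({state: n})} parsed from netstat -an text."""
    counts = defaultdict(Counter)
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, state = m.groups()
            counts[ip][state] += 1
    return counts

def suspects(netstat_text, state="LAST_ACK", threshold=3):
    """Remote IPs with at least `threshold` sockets in `state`, busiest first."""
    counts = count_states(netstat_text)
    hits = [(ip, c[state]) for ip, c in counts.items() if c[state] >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))

def null_route_commands(ips, sink="192.168.80.8", whole_c_block=False, persistent=False):
    """Build the post's `route add` lines; `sink` is the fake loopback adapter IP."""
    cmds = []
    for ip in ips:
        if whole_c_block:  # /24 of the source: network address with last octet 0
            dest, mask = ".".join(ip.split(".")[:3] + ["0"]), "255.255.255.0"
        else:
            dest, mask = ip, "255.255.255.255"
        flag = "-p " if persistent else ""
        cmds.append(f"route {flag}add {dest} MASK {mask} {sink}")
    return cmds
```

Review the suspect list by hand before running the generated commands, so you never null-route your own default gateway or a legitimate client with a few stale sockets.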

Examples

To display the entire contents of the IP routing table, type:

route print

To display the routes in the IP routing table that begin with 10., type:

route print 10.*

To add a default route with the default gateway address of 192.168.12.1, type:

route add 0.0.0.0 mask 0.0.0.0 192.168.12.1

To add a route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0 and the next hop address of 10.27.0.1, type:

route add 10.41.0.0 mask 255.255.0.0 10.27.0.1

To add a persistent route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0 and the next hop address of 10.27.0.1, type:

route -p add 10.41.0.0 mask 255.255.0.0 10.27.0.1

To add a route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0, the next hop address of 10.27.0.1, and the cost metric of 7, type:

route add 10.41.0.0 mask 255.255.0.0 10.27.0.1 metric 7

To add a route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0, the next hop address of 10.27.0.1, and using the interface index 0x3, type:

route add 10.41.0.0 mask 255.255.0.0 10.27.0.1 if 0x3

To delete the route to the destination 10.41.0.0 with the subnet mask of 255.255.0.0, type:

route delete 10.41.0.0 mask 255.255.0.0

To delete all routes in the IP routing table that begin with 10., type:

route delete 10.*

To change the next hop address of the route with the destination of 10.41.0.0 and the subnet mask of 255.255.0.0 from 10.27.0.1 to 10.27.0.25, type:

route change 10.41.0.0 mask 255.255.0.0 10.27.0.25