Breaking unwanted TCP connections by modifying your route table
by Richard Cardona and Kyle Cassidy
Being able to block an Internet address without investing in expensive tools can be very helpful to a network/security administrator. This article by networking experts Richard Cardona and Kyle Cassidy and provided courtesy of
Every TCP/IP client machine, regardless of operating system, needs to make decisions about where to send a packet after it has been addressed. The route table is the network map that tells your computer how to deliver the packet to its network addressee. It is rarely necessary to inspect your route table because most machines have dynamically assigned IP configurations, they're single-homed machines (they have only one network card), and they sit on a network with a single gateway. This is the standard network setup. The route table is automatically generated, and the default configuration is usually the best one to use for that standard setup.
There is more to know about route tables than what we describe here. This article is intended to provide a quick-and-dirty explanation on route tables so that you can use the information to provide a costless and simple alternative for blocking unwanted traffic to specific IP addresses or subnets.
How can I modify the route table?
A number of ways exist for modifying the route table. There are a variety of GUIs, such as the Microsoft Routing and Remote Access control, for example, but our preference is to use the basic route command from a standard command prompt. It is the standard method for accomplishing routing tasks, and it tends to remain very similar across most operating systems and platforms.
Use the route print command to display the route table information.
The route add command enables you to add network destinations that are not on your default route table. This is the command that you use to help block unwanted Internet traffic.
How can I modify the route table to block traffic to an Internet site?
First, you need to find the IP address information for that site. In most TCP/IP-enabled machines, you can go to a command prompt and type ping -a http://www.blockme.com, where http://www.blockme.com is the site for which you want to learn the IP address structure. That will reveal the IP address reflected by your DNS server.
From a command prompt, use the route add command to modify your route table. The syntax should look like this:
C:>route -p add 192.168.6.0 mask 255.255.255.0 192.168.100.97
The "trick" is really in the final argument, the gateway. The gateway must be on the same subnet as the workstation.
The workstation is on the 192.168.100.0 subnet. However, the host 192.168.100.97 does not exist. Therefore, every packet addressed to 192.168.6.0 is routed to 192.168.100.97, a bogus machine.
If you're the network administrator for a small LAN with nonglobally routable IP addresses behind a firewall gateway, such as the Internet Sharing Connection Wizard in Windows 2000, make the changes on the gateway machine following the same instructions.
The most common use for route delete ought to be to delete your own modifications to the route table. The correct syntax for route delete is as follows:
C:>route delete 192.168.6.0
You would do this if you wanted to undo the changes you made in the example above.
The route change command can be used very similarly to the route add command for an existing route. Using route change is effectively the same as deleting and adding a route with different parameters.
Recommendations, caveats and other notes
- Modifying the route table the way we suggest does not block unwanted Internet traffic exactly. It redirects IP responses to null addresses disrupting TCP handshakes, thus breaking communication. Newer operating systems and older operating systems with updated patches recover seamlessly from what could be a self-imposed distributed denial-of-service attack. However, older operating systems, particularly ones that are not patched to recover from SYN floods, should not use this method of blocking Internet traffic because it may result in partially connected states. If you have any doubt that your network performance is suffering from hanging connections waiting to close, read our article on the uses of Netstat to help you determine this, patch your OS, and take advantage of this networking trick.
- We do not recommend that you delete any of the default routes unless you've researched route tables in greater detail and know exactly what you're doing. However, if you delete a necessary route, rebooting your machine will likely restore that network destination route information to its default values. It's rarely necessary to modify a default route such as the one belonging to the 0.0.0.0 network destination.
- Make sure that the IP address you choose to redirect your packets does not belong to a real machine. If it does, the network performance of that machine could potentially degrade as it attempts to handle packets that it has been asked to route.
Learn more about route tables by reading this article in its entirety at InformIT. Registration is required, but it's free.
This was first published in December 2001