By: Dataprise
Null routes are a good way to drop traffic from troublesome networks without growing the firewall's Access Control Lists (ACLs). Adding a line or two to the INBOUND/OUTBOUND ACL has no noticeable effect, but when you are blocking hundreds of problem networks the ACL becomes hard to maintain and adds to the work the firewall does on every packet, and the null route is the better tool.
First off, this is only an approximation of a null route, because the ASA requires every static route to name an egress interface.
So we will use the outside interface, but with the loopback address (127.0.0.1) as the gateway. That next hop can never be reached from the outside interface, so traffic routed to it is dropped. Note what this does and does not do: it stops the firewall from delivering traffic to the network, including replies to the attacker, so their connections never complete, but their packets still arrive at the firewall and are still evaluated by the inbound ACL. It is not a substitute for an ACL on services that must not be reachable at all.
For this example I will use a real attacker hitting my internal Linux server. I see 19 failed SSH attempts from the following IP: 193.104.41.53
Aug 16 21:12:35 li281-141 sshd[5775]: Invalid user admin from 193.104.41.53
Aug 16 21:41:24 li281-141 sshd[6138]: Failed password for invalid user pi from 193.104.41.53 port 22059 ssh2
Aug 16 22:24:18 li281-141 sshd[6641]: Failed password for root from 193.104.41.53 port 18919 ssh2
So now I have found a bad guy, and I also know they are just poking around, because they keep changing the username they try.
I could add a special firewall rule for this one address, but I get ten of these a week, so over time that would be thousands of rules. The next step is to see where the attacker is coming from. For this I use one of the public whois servers:
https://www.ip-address.org/tracer/ip-whois.php
The lookup shows the attacker is in Moldova, and that there is a whole /24 network assigned to the same holder that they could attack me from.
Whois Information:
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '193.104.41.0 - 193.104.41.255'
% No abuse contact registered for 193.104.41.0 - 193.104.41.255
inetnum: 193.104.41.0 - 193.104.41.255
netname: VVPN-NET
descr: PE Voronov Evgen Sergiyovich
country: MD
org: ORG-PESV2-RIPE
admin-c: ESV1-RIPE
tech-c: ESV1-RIPE
status: ASSIGNED PI
mnt-by: VVPN-MNT
mnt-by: RIPE-NCC-END-MNT
mnt-routes: VVPN-MNT
mnt-domains: VVPN-MNT
created: 2009-10-12T11:34:50Z
last-modified: 2015-06-01T15:18:26Z
source: RIPE # Filtered
organisation: ORG-PESV2-RIPE
org-name: PE Voronov Evgen Sergiyovich
org-type: OTHER
descr: PE Evgen Sergeevich Voronov
address: 25 October street, 118-15
address: Tiraspol, Transdnistria
phone: +373 533 50404
mnt-ref: VVPN-MNT
created: 2009-07-24T18:52:57Z
last-modified: 2010-01-12T19:38:04Z
person: Evgen Sergeevich Voronov
So now I have a block of addresses in a country that is attacking me and that I have no legitimate business with. This is a prime example of a network we would want to null route. Before blocking a whole allocation, check that no partner, customer or hosted service you rely on lives in that range; whois allocations are often larger than a /24, and the route applies to all of it.
On the Cisco ASA I would use the command:
route outside 193.104.41.0 255.255.255.0 127.0.0.1
You can confirm the entry with show route, and remove it later by prefixing the same line with no.
After adding this on my firewall I no longer see any scans or authentication failures from that network on the server.
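The three steps above (spot the repeat offender in the sshd log, look up its allocation in whois, emit the ASA route) as one script. This is an added example, not the author's or Dataprise's code: the log lines and the whois object are constructed samples in the format shown on this page, the whois lookup is replaced by a dictionary so the script runs offline, and the failure threshold, the trusted allow-list and all function names are assumptions of the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample input in the style of the post's sshd log (not the author's full log).
SAMPLE_AUTH_LOG = """\
Aug 16 21:12:35 li281-141 sshd[5775]: Invalid user admin from 193.104.41.53
Aug 16 21:41:24 li281-141 sshd[6138]: Failed password for invalid user pi from 193.104.41.53 port 22059 ssh2
Aug 16 22:24:18 li281-141 sshd[6641]: Failed password for root from 193.104.41.53 port 18919 ssh2
Aug 16 22:30:01 li281-141 sshd[6702]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Aug 16 22:31:44 li281-141 sshd[6710]: Failed password for invalid user test from 193.104.41.77 port 40011 ssh2
"""

# Constructed sample: the inetnum object from the post's whois output, trimmed to the fields used here.
SAMPLE_WHOIS = """\
inetnum:        193.104.41.0 - 193.104.41.255
netname:        VVPN-NET
country:        MD
status:         ASSIGNED PI
"""

# Matches both "Invalid user X from IP" and "Failed password for [invalid user] X from IP".
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d{1,3}(?:\.\d{1,3}){3})"
)
# RIPE writes ranges as "first - last"; text copied from a web page may carry an en dash instead.
INETNUM_RE = re.compile(r"^inetnum:\s*(\S+)\s*[-\u2013]\s*(\S+)", re.MULTILINE)


def failed_logins_by_ip(log_text):
    """Count sshd authentication failures per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def offending_ips(log_text, threshold=3):
    """Source IPs with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items() if n >= threshold)


def inetnum_to_networks(whois_text):
    """Convert a RIPE 'inetnum: A - B' range into one or more CIDR networks."""
    m = INETNUM_RE.search(whois_text)
    if not m:
        raise ValueError("no inetnum object in whois text")
    first, last = (ipaddress.IPv4Address(x) for x in m.groups())
    return list(ipaddress.summarize_address_range(first, last))


def asa_null_route(network, interface="outside", gateway="127.0.0.1"):
    """Render the ASA pseudo-null-route used in the post: a route via an unreachable gateway."""
    return f"route {interface} {network.network_address} {network.netmask} {gateway}"


def asa_commands_for_attackers(log_text, whois_by_ip, threshold=3, trusted=()):
    """Build ASA route commands for the whois allocation each offending IP belongs to.

    whois_by_ip maps an IP to its whois text and stands in for a live lookup so this
    runs offline. Allocations overlapping any `trusted` network are skipped rather
    than silently black-holing a partner or customer range.
    """
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    commands = []
    for ip in offending_ips(log_text, threshold):
        for net in inetnum_to_networks(whois_by_ip[ip]):
            if ipaddress.IPv4Address(ip) not in net:
                raise ValueError(f"{ip} is not inside the whois range {net}")
            if any(net.overlaps(t) for t in trusted_nets):
                continue
            cmd = asa_null_route(net)
            if cmd not in commands:
                commands.append(cmd)
    return commands


if __name__ == "__main__":
    lookups = {"193.104.41.53": SAMPLE_WHOIS}
    for cmd in asa_commands_for_attackers(SAMPLE_AUTH_LOG, lookups):
        print(cmd)
```

Run as-is it prints the single route command from the post. The address 193.104.41.77 in the sample only fails once and stays below the threshold, and the successful publickey login is ignored by the regex, which is the difference between blocking noisy scanners and blocking every address that ever mistypes a password.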
Jason Howe, PEI