Null routing traffic coming from 2k/XP

[MichealC4]

Here's the command I'm trying to do:

route add 127.0.0.1 MASK 255.255.255.0 127.0.0.1 METRIC 1 IF 2

I'm getting the error:

The route addition failed: The specified mask parameter is invalid. (Destination & Mask) != Destination.

It's a long story, but I'm trying to keep any and all traffic from leaving the machine.

Never tried what you are doing, but I would try making the subnet mask, 255.255.255.255 so there is only the one available ip. Good luck.

I tried that too, and it didn't work. Thanks for looking though.

Have you tried something simple like loaind zone alarm lite? It's free and has worked for me for years. Good luck.
Well, let me explain what I am trying to do, maybe that will help.

After battling the various variants of Bagle, getting hit with slammer (don't ask me to splain that one ), I decided to dynamically quarantine a machine. Well, I would like to be able to do it at the switch level, but for various reasons, I can't. So, I got the crazy idea to toy with the IP stack. I'll setup a simple service that listens on a certain port, I can log in to it (or the backend can which will check the IPS, IDS, syslog, etc.), and run the command. That will (or supposed to) null route all traffic coming from the server/workstation so that the virus won't be able to spread itself. We will then get an alert (and/or the user calls us) and we will then work to correct it. I'm sorry, but I can't spend all day watching the overwhelming amount of logs. I barely get by as it is. So, that's my idea.

----------------------------
"Security is like an onion" - Unknown

 

[Parcival21]

Well I'm not quite sure if I understand. You want a machine to send no traffic to your Ethernet?Unplug your cable would be simple but is probably not what you are looking for.
Cisco has a feature called access list. With this you could block traffic goin to a specific routed port. Problem is your switch is no router. You can assign access lists to a vlan, too.
In your scenario you would put an access list that denies incoming traffic on the VLAN to that the switch is assigned.
Caution you have to use ip access-group [number] in instead of ip access-group out.
If you didn't spend a fortune to buy a cisco switch you need to inform yourself if your switch has a similar feature.
bve, busche

 

[MichealC4]

Parcival21: With all due respect, did you read my post?

I stated:
- I would like to do it at the switch level, but I am not able to for various reasons. (Yes, I have Cisco switches.)
- Unplugging the ethernet cable on the correct machine requires me watching the logs, which I stated that I am trying to cut down on the amount of time I spend watching the logs.
- I am trying to dynamically quarantine a machine, be it server or client.

----------------------------
"Security is like an onion" - Unknown

 

[MichealC4]

10 days and no takers?

----------------------------
"Security is like an onion" - Unknown

 

[pgerth]

Techie Michael, your routing statement says send all traffic that is supposed to go to local loopback to the local loopback. If you want to route all traffic to yourself try route add 0.0.0.0 mask 255.255.255.255 127.0.0.1

This should set the default route to itself. You don't need the If or metric

---p

 

[MichealC4]

Thanks. However, I got this error when I tried your suggestion:
E:\Micheal>route add 0.0.0.0 mask 255.255.255.255 127.0.0.1
The route addition failed: The parameter is incorrect.

----------------------------
"Security is like an onion" - Unknown

 

[craigsboyd]

I just did a route print, and looking at the results it appears that what you would want is something along the lines of...

route add 0.0.0.0 mask 0.0.0.0 127.0.0.1

http://www.sweetpotatosoftware.com

 

[MichealC4]

I get the same error as before.

----------------------------
"Security is like an onion" - Unknown

 

[craigsboyd]

Well can you do it with the interface's IP Address and forego the loopback?

route add 0.0.0.0 mask 0.0.0.0 192.168.0.101

http://www.sweetpotatosoftware.com

 

[MichealC4]

That works, but then I run in to problems when I do it on DHCP. Thanks though.

----------------------------
"Security is like an onion" - Unknown

 

[DylanThompson]

Hey Michael,

I see that this post has gone unanswered for some time.

I would be keen to know if you ever found a solution to this problem.

Did you think about adding a route to an address that you have purposefully reserved in DHCP, so that nothing would ever actual be at that address? Eg. Designate 192.168.1.252 as an unusable address and then:
route add 0.0.0.0 mask 0.0.0.0 192.168.1.252

Also, performing this type of routing, even if you had managed to point to the loopback, would not stop an infection from spreading across the local network, as the default route is only used for address outside the local subnet.

Hopefully you cam across a solution already, if so I would love to see what you came up with.

DT

 

[MichealC4]

Hi DT,
Thanks for the reply. Unfortunately I have not come accross a solution yet. There are a couple of vendors that offer such a thing, if you want to go that route (which I don't for a couple of reasons). Also, if you are able, a jailed vlan would be best. But barring those two ideas, I may see what I can do about setting aside a DHCP address as you mentioned above. I've had to unfortunately put the project off for a while due to more pressing things, but hopefully I can pick it up again. Willing to try and work together to come up with a solution?

----------------------------
"Will work for bandwidth" - Thinkgeek T-shirt