ip route (attacker ip) 255.255.255.255 null0
wow was that hard? You just denied the attacker with a route statement. And to make things even better you use less processing power on your router versus using an ACL to stop the attacking IP address.
router(config)#ip route 126.96.36.199 255.255.255.255 null0
Why does this work? You’ll need to have something called “Unicast Reverse Path Forwarding” enabled on the border routers. For every new flow that passes through the routers, they are verified against the route table to ensure that the traffic is coming into a valid interface for that route (an anti- spoofing mechanism). Traffic that flows into an interface that doesn’t match a corresponding route in the route tables is dropped.
We leverage this by coupling it with /32 “null routes”. When traffic flows into the border router, and we have a route to Null0 for the address, URPF looks at the route table, sees the entry for Null0, notices that the traffic is coming in on a different interface (OneNet connection), and drops the traffic.
Traffic initiated by one of our users toward a destination that has been “null routed” will just get dropped on the border router, as the router sends it to the Null0 interface (bit bucket) based on the information that we put into the routing tables for that destination address.
For more information on configuring URPF check out cisco’s website.
Your idea is pretty cool, but i have a question?
If i want to block that user for 2 days how i can do that ?
time based ACL can be used for this