SANS ISC: Internet Security | DShield SANS ISC InfoSec Forums
Tip of the Day: Remove Default Route
This tip comes from Mark Goudie:

Not having a default route in the router network is a great way to minimise the impact of malware on the corporate environment. This practice forces all external communications through gateways.

  1. Enforces the use of proxy gateways for external communications.
  2. Malicious packets can be dropped or sent to a centralised server for analysis.
  3. Reduces the potential impact of misconfigured software through enforcing no internet connectivity.
  4. Makes malware infection easy to spot (if analysing all dropped packets).
I'd recommend implementing this with a split DNS to increase the difficulty of malware "phoning home" as the internal network cannot resolve external addresses. The DNS server could be configured to log all unresolved addresses for further malware indication.

Note that the above tip does not ask you to remove the default route from your end systems (user workstations): chances are that many services needed in a corporate environment (such as financial news feeds) will still require a default route on the workstation. But if, in your network core, you can get away with advertising and routing only those external networks that are actually needed, you have taken a big step toward securing your network. As indicated above, the now-unused "default route" should then be pointed at a "darknet" where you have nothing but logging and packet-collection capability.
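As an added illustration (example code written for this edit, not part of the diary or of Mark Goudie's tip), the following Python models the whole arrangement: a core routing table whose only catch-all is a darknet entry, a few constructed flow records as a darknet collector might export them, and constructed BIND-style query-log lines from a split-DNS resolver that is authoritative for the internal zone only. The prefixes, the internal zone name and the log format are assumptions; 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges standing in for a permitted feed provider and for unrouted Internet addresses.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical core routing policy (an assumption for this example, not a
# config from the diary). There is deliberately no 0.0.0.0/0 that leads to
# the Internet: internal ranges route internally, the one external prefix
# that is genuinely needed routes to a specific gateway, and the catch-all
# points at a darknet collector that only logs what it receives.
ROUTES = sorted(
    [
        (ipaddress.ip_network("10.0.0.0/8"), "internal"),
        (ipaddress.ip_network("192.168.0.0/16"), "internal"),
        (ipaddress.ip_network("198.51.100.0/24"), "news-feed-gw"),  # hypothetical feed provider
        (ipaddress.ip_network("0.0.0.0/0"), "darknet"),  # the repurposed default route
    ],
    key=lambda r: r[0].prefixlen,
    reverse=True,  # longest prefix first
)


def next_hop(dst: str) -> str:
    """Longest-prefix match over ROUTES; the /0 darknet entry always matches last."""
    addr = ipaddress.ip_address(dst)
    for net, hop in ROUTES:
        if addr in net:
            return hop
    raise AssertionError("unreachable: the /0 route matches every address")


# Constructed flow records (src, dst, dport) as a collector might export them.
SAMPLE_FLOWS = [
    ("10.0.5.23", "10.1.1.10", 3128),    # browsing via the internal proxy, as intended
    ("10.0.5.23", "198.51.100.7", 443),  # the permitted feed provider
    ("10.0.7.9", "203.0.113.45", 6667),  # IRC to an unrouted address: would have used the default
    ("10.0.7.9", "203.0.113.45", 6667),
    ("10.0.7.9", "192.0.2.200", 80),     # same host, another unrouted destination
    ("192.168.3.4", "10.0.0.53", 53),    # internal DNS, fine
]


def sinkholed_sources(flows):
    """Group darknet-bound flows by source host.

    Anything that lands here tried to reach an address the core does not
    route, i.e. it bypassed the proxy gateways. That is the "easy to spot"
    signal from point 4 of the tip.
    """
    hits = defaultdict(set)
    for src, dst, dport in flows:
        if next_hop(dst) == "darknet":
            hits[src].add((dst, dport))
    return dict(hits)


# Constructed BIND-style query-log lines (format simplified for the example).
SAMPLE_QUERY_LOG = """\
client 10.0.5.23#51234: query: intranet.corp.example IN A + (10.0.0.53)
client 10.0.7.9#40012: query: c2.badhost.example.net IN A + (10.0.0.53)
client 10.0.7.9#40013: query: c2.badhost.example.net IN A + (10.0.0.53)
client 192.168.3.4#55000: query: mail.corp.example IN MX + (10.0.0.53)
"""

QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")
INTERNAL_ZONES = ("corp.example",)  # hypothetical internal zone served by the split-DNS resolver


def unresolvable_lookups(log_text, internal_zones=INTERNAL_ZONES):
    """Return {client: {names}} for queries the split-DNS resolver cannot answer.

    The internal server is authoritative for the internal zones and does not
    forward, so any name outside them goes unresolved and is worth logging as
    a phone-home indicator, as the tip suggests.
    """
    suspects = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        if not any(name == z or name.endswith("." + z) for z in internal_zones):
            suspects[m.group("src")].add(name)
    return dict(suspects)


def correlate(flows, log_text):
    """Hosts that both asked for an external name and then hit the darknet."""
    return set(sinkholed_sources(flows)) & set(unresolvable_lookups(log_text))


if __name__ == "__main__":
    print("darknet hits:", sinkholed_sources(SAMPLE_FLOWS))
    print("unresolvable lookups:", unresolvable_lookups(SAMPLE_QUERY_LOG))
    print("hosts to investigate:", correlate(SAMPLE_FLOWS, SAMPLE_QUERY_LOG))
```

The two signals are independent: a host whose malware uses hard-coded IP addresses never shows up in the DNS log but still lands in the darknet, while a host whose lookups all fail may never send a packet. Reporting both, and the intersection, is what makes the collector more than a packet dump.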


ISC Handler
Aug 2nd 2006
