Block Traffic to Unassigned IPs

TL;DR

Unassigned IP addresses can be a security risk if network traffic accidentally (or maliciously) gets routed to them. This guide shows you how to block that traffic using firewall rules on your router or server.

Steps

  1. Identify Unassigned IPs: First, you need to know which IP addresses are unassigned in your network. This depends on your setup:
    • DHCP Server: If you use a DHCP server (like on most home routers), check its configuration page. It will list the assigned and available IP ranges.
    • Static IPs: Review any static IP assignments to confirm which addresses are not in use.
    • Cloud Providers: If using cloud services, consult their documentation for identifying unused public IPs.
  2. Choose Your Firewall: You’ll need access to a firewall to create the blocking rules.
    • Home Router: Most home routers have built-in firewalls accessible through a web interface (usually at 192.168.1.1 or similar – check your router’s manual).
    • Server Firewall: If you’re protecting a server, use its firewall software (e.g., iptables on Linux, Windows Firewall).
  3. Create Blocking Rules: The specific steps vary depending on your firewall.
    • iptables (Linux): Use the following command to drop incoming packets whose source is a single unassigned IP address (a host should never be receiving traffic from an address that nobody holds):
      sudo iptables -A INPUT -s 192.168.0.100 -j DROP

      Replace ‘192.168.0.100’ with the actual unassigned IP.
      To block outgoing traffic to that address:

      sudo iptables -A OUTPUT -d 192.168.0.100 -j DROP

      If the Linux machine is the router for your LAN rather than an endpoint, the traffic passes through the FORWARD chain instead, so add the ‘-s’ and ‘-d’ rules with ‘-A FORWARD’.
      Remember to save your rules so they persist after a reboot. Note that the redirect in ‘iptables-save > /etc/iptables/rules.v4’ is performed by your own shell, so it fails when only the command is run under sudo; run the whole thing as root, e.g. ‘sudo sh -c "iptables-save > /etc/iptables/rules.v4"’ (on Debian/Ubuntu the iptables-persistent package reloads this file at boot).

    • Windows Firewall: Open ‘Windows Defender Firewall with Advanced Security’. Create new Inbound and Outbound Rules:
      • Rule Type: Custom
      • Program: All programs
      • Scope: Under ‘Which remote IP addresses does this rule apply to?’, add the unassigned IP address. Do this in both the Inbound and the Outbound rule.
      • Action: Block the connection.
    • Home Router Firewall: Look for a section called ‘Firewall’, ‘Security’, or similar. You’ll usually be able to add rules based on source/destination IP addresses and ports.
      Add a rule that blocks all traffic (or specific ports) to the unassigned IP address.
  4. Test Your Rules: After creating the rules, test them to ensure they work as expected.
    • Ping Test: Try pinging the unassigned IP address from a device on your network. The ping should fail. Because an address nobody holds would not answer even without the rule, on Linux also confirm that the rule itself matched by checking the packet counters of your DROP rules afterwards with ‘sudo iptables -L -v -n’.
      ping 192.168.0.100
    • Port Scan: Use a port scanner (e.g., Nmap) to check that no ports are reachable on the unassigned IP address. None should be reported open; with a DROP rule in place Nmap will show them as filtered or report the host as down.
      nmap -p 1-1000 192.168.0.100
  5. Regular Review: Periodically review your DHCP server and firewall rules to ensure the unassigned IP addresses remain blocked and that no new, unused IPs are accidentally exposed.
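As an added example (not code from the original guide), the script below ties steps 1, 3 and 5 together: it takes a constructed DHCP pool and lease list, computes the unassigned addresses, and prints the iptables rules for them as a dry run so they can be reviewed before being applied. The pool range, the lease table and the ‘host’/‘router’ modes are assumptions made for illustration.

```sh
# Added example, not from the original guide: derive the unassigned addresses
# of a DHCP pool from the assigned leases, then emit the matching iptables
# rules as a dry run. All addresses below are constructed sample data.

POOL_PREFIX="192.168.0"   # constructed /24 pool: .100 to .110
POOL_START=100
POOL_END=110

# Constructed lease table plus static assignments, one address per line.
ASSIGNED="192.168.0.101
192.168.0.104
192.168.0.105
192.168.0.110"

# Print every pool address that is not in ASSIGNED.
unassigned_ips() {
    i=$POOL_START
    while [ "$i" -le "$POOL_END" ]; do
        ip="$POOL_PREFIX.$i"
        # -x matches the whole line, so .10 never matches .100
        if ! printf '%s\n' "$ASSIGNED" | grep -qx "$ip"; then
            printf '%s\n' "$ip"
        fi
        i=$((i + 1))
    done
}

# Rules for one address. $1 = IP; $2 = "host" (INPUT/OUTPUT on the
# machine itself) or "router" (FORWARD on a Linux box routing the LAN).
block_rules_for() {
    case "$2" in
        host)
            printf 'iptables -A INPUT -s %s -j DROP\n' "$1"
            printf 'iptables -A OUTPUT -d %s -j DROP\n' "$1"
            ;;
        router)
            printf 'iptables -A FORWARD -s %s -j DROP\n' "$1"
            printf 'iptables -A FORWARD -d %s -j DROP\n' "$1"
            ;;
    esac
}

# Dry run: print the rules for review instead of applying them.
generate_rules() {
    unassigned_ips | while read -r ip; do
        block_rules_for "$ip" "$1"
    done
}
generate_rules host
```

Re-running the script after each lease-table change (step 5) shows exactly which rules are still needed and which addresses have since been assigned.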