nanog mailing list archives
Re: Botnet hunting resources
From: Joel Jaeggli <joelja () bogus com>
Date: Sat, 08 Aug 2009 07:37:24 -0700
Roland Dobbins wrote:
> On Aug 8, 2009, at 11:57 AM, Luke S Crawford wrote:
>
>> 2. is there a standard way to push a null-route on the attacker's source IP upstream?
>
> Sure - if you apply loose-check uRPF (and/or strict-check, when you can do so) on Cisco or Juniper routers, you can combine that with the blackhole to give you a source-based remotely-triggered blackhole, or S/RTBH. You can do this at your edges, and you *may* be able to arrange it with other networks with whom you connect (i.e., scope limited to your link with them).

Warren Kumari and others collaborated on a document to describe how this is normally done:

http://tools.ietf.org/html/draft-ietf-opsec-blackhole-urpf-04

Coordination with your upstreams before you need this is important.

> Combine that with the other standard architectural and hardening BCPs, along with the DNS BCPs, and you'll be much better prepared to detect, classify, traceback, and mitigate attacks. The key is to ensure you're making use of hardware-based routers which can handle high pps.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>
>
> Unfortunately, inefficiency scales really well.
>
> -- Kevin Lawton
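
An added illustration, not part of the thread and not any vendor's implementation: a toy Python model of the S/RTBH mechanism described above, where a /32 for the attacking source is pointed at a discard next hop and loose-check uRPF then drops packets *from* that source at the edge. The prefixes, interface names and the 192.0.2.1 discard next hop are constructed assumptions.

```python
import ipaddress

DISCARD_NH = ipaddress.ip_address("192.0.2.1")  # assumed discard next hop

class Fib:
    """Toy edge-router FIB: prefix -> 'Null0', an interface name, or a next-hop IP."""
    def __init__(self):
        self.routes = {}

    def add(self, prefix, target):
        self.routes[ipaddress.ip_network(prefix)] = target

    def lookup(self, addr, depth=0):
        """Longest-prefix match; IP next hops are resolved recursively."""
        addr = ipaddress.ip_address(addr)
        matches = [n for n in self.routes if addr in n]
        if not matches or depth > 4:
            return None
        target = self.routes[max(matches, key=lambda n: n.prefixlen)]
        if isinstance(target, str):
            return target
        return self.lookup(target, depth + 1)

def loose_urpf_ok(fib, src):
    """Loose check: source must resolve to a real interface, not Null0 or no route."""
    return fib.lookup(src) not in (None, "Null0")

def forward(fib, src, dst):
    """Edge forwarding decision: uRPF on the source first, then the destination lookup."""
    if not loose_urpf_ok(fib, src):
        return "drop: uRPF (source)"
    out = fib.lookup(dst)
    if out in (None, "Null0"):
        return "drop: no route/blackhole (destination)"
    return "forward via " + out

def build_edge_fib():
    fib = Fib()
    fib.add("192.0.2.1/32", "Null0")        # pre-provisioned static discard route
    fib.add("198.51.100.0/24", "ge-0/0/1")  # constructed customer prefix
    fib.add("203.0.113.0/24", "ge-0/0/0")   # constructed prefix learned from a peer
    return fib

def trigger_srtbh(fib, attacker_ip):
    """Models the BGP-announced /32 whose next hop is the discard address."""
    fib.add(attacker_ip + "/32", DISCARD_NH)
```

The model also shows the side effect to plan for: once the /32 is installed, traffic *to* that address is blackholed as well, and any source with no route at all already fails the loose check.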