Botnet hunting resources
Joel Jaeggli
joelja at bogus.com
Sat Aug 8 14:37:24 UTC 2009
Roland Dobbins wrote:
>
> On Aug 8, 2009, at 11:57 AM, Luke S Crawford wrote:
>
>> 2. is there a standard way to push a null-route on the attackers
>> source IP upstream?
>
> Sure - if you apply loose-check uRPF (and/or strict-check, when you can
> do so) on Cisco or Juniper routers, you can combine that with the
> blackhole to give you a source-based remotely-triggered blackhole, or
> S/RTBH. You can do this at your edges, and you *may* be able to arrange
> it with other networks with whom you connect (i.e., scope limited to
> your link with them).
Warren Kumari and others collaborated on a document to describe how this
is normally done:
http://tools.ietf.org/html/draft-ietf-opsec-blackhole-urpf-04
Coordination with your upstreams before you need this is important.
> Combine that with the other standard architectural and hardening BCPs,
> along with the DNS BCPs, and you'll be much better prepared to detect,
> classify, traceback, and mitigate attacks. The key is to ensure you're
> making use of hardware-based routers which can handle high pps.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
> Unfortunately, inefficiency scales really well.
>
> -- Kevin Lawton
>
>
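As an added illustration of the S/RTBH arrangement Roland describes (not part of this thread and not taken from the draft Joel links): a Cisco IOS configuration sketch with assumed addresses, ASN, interface names and community value. 192.0.2.1 is an assumed blackhole next-hop from the TEST-NET-1 documentation range, and 198.51.100.77 stands in for an attacking source.

```text
! --- Edge router (every border router that peers with upstreams) ---
! Assumed: 192.0.2.1 is the blackhole next-hop (documentation range, never a live host).
! Any prefix whose BGP next-hop is 192.0.2.1 therefore resolves to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
interface GigabitEthernet0/0
 description Assumed upstream transit link
 ! Loose-check uRPF: drop packets whose source address has no route in the FIB
 ! or whose best route points to Null0 (this is the S/RTBH source-drop case).
 ip verify unicast source reachable-via any
!
router bgp 64496
 ! Assumed: 64496 is our ASN, 10.0.0.2 the trigger router (iBGP).
 neighbor 10.0.0.2 remote-as 64496
!
! --- Trigger router (the one box from which operators inject blackholes) ---
! Assumed attacker source 198.51.100.77: the tagged static route is what the
! operator adds during an incident; removing it withdraws the blackhole.
ip route 198.51.100.77 255.255.255.255 Null0 tag 66
!
router bgp 64496
 neighbor 10.0.0.1 remote-as 64496
 neighbor 10.0.0.1 send-community
 ! Only statics carrying tag 66 are announced, rewritten to the blackhole next-hop.
 redistribute static route-map RTBH-TRIGGER
!
route-map RTBH-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 ! no-export keeps the /32 inside our AS; 64496:666 is an assumed local marker
 ! that an upstream could be asked to honour once coordinated in advance.
 set community 64496:666 no-export
```

On the edge, `show ip route 198.51.100.77` should show the /32 via 192.0.2.1 resolving to Null0, and the unicast RPF drop counter in `show ip traffic` climbs as packets from that source are discarded.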