Botnet hunting resources (was: Re: DOS in progress ?)

Luke S Crawford lsc at
Fri Aug 7 23:57:19 CDT 2009

Jorge Amodio <jmamodio at> writes:

> Are folks seeing any major DOS in progress ?
> Twitter seems to be under one and FB is flaky.

>From what I understand, it's quite common.  I got hammered last week.
It took out some routers at my upstream (it was a tcp syn flood attack,
a whole lot of really small packets.  20Kpps was the peak I saw before
the upstream took me out.)

Now, I've cleaned up the mess;  (and for now, dropped the inexpensive upstream
with the weak routers)  I'm building out my monitoring infrastructure
and generally preparing for next time.

as far as stopping the attacks by 'finishing the job' - which is to say, 
blackholing the target, the way forward is pretty clear.   I mean, I need 
to do more research and implement stuff, but I don't really need NANOG help 
for that.  

The thing is, I like my customers.   I don't want to shut off people who
are paying me just because they get attacked.  I mean, if that's what I've 
got to do to keep my other paying customers up, I'll do it, but I'd really
rather not.

what is the 'best practice' here?  I mean, most of this is scripted,
so conceivably, I could get source addresses fast enough to block them
upstream.   (right now my provider is only allowing me to blackhole my own
space, not blackhole source addresses, which while it keeps me in business,
is not really what I want.)  My provider does seem to be pretty responsive,
so if I can bring them a tool, they might set it up for me.  

But yeah, I'm getting sidetracked.  I guess there are two things I want to

1. are there people who apply pressure to ISPs to get them to shut down 
botnets, like maps did for spam?

I've got 50 gigs of packet captures, and have been going through with 
perl to detect IPs who send me lots of tcp packets with 0 payloads, then 
manually sending abuse reports.   

Half the abuse reports bounce, and the other half are ignored.   
(most of the hosts in question are in china.)  

2. is there a standard way to push a null-route on the attackers source IP
upstream?   I know the problem is difficult due to trust issues, 
but if I could null route the source, it's just a matter of detecting abusive
traffic, and with this attack, that part was pretty easy.  

Luke S. Crawford         -   Hosting for the technically adept   -   We don't assume you are stupid.  

More information about the NANOG mailing list