Botnet hunting resources

Joel Jaeggli joelja at bogus.com
Sat Aug 8 09:37:24 CDT 2009


Roland Dobbins wrote:
> 
> On Aug 8, 2009, at 11:57 AM, Luke S Crawford wrote:
> 
>> 2. is there a standard way to push a null-route on the attackers
>> source IP upstream?
> 
> Sure - if you apply loose-check uRPF (and/or strict-check, when you can
> do so) on Cisco or Juniper routers, you can combine that with the
> blackhole to give you a source-based remotely-triggered blackhole, or
> S/RTBH.  You can do this at your edges, and you *may* be able to arrange
> it with other networks with whom you connect (i.e., scope limited to
> your link with them).

Warren Kumari and other collaborated on a document to describe how this
is normally done:

http://tools.ietf.org/html/draft-ietf-opsec-blackhole-urpf-04

Coordination with your upstreams before you need this is important.

> Combine that with the other standard architectural and hardening BCPs,
> along with the DNS BCPs, and you'll be much better prepared to detect,
> classify, traceback, and mitigate attacks.  The key is to ensure you're
> making use of hardware-based routers which can handle high pps.
> 
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
> 
>         Unfortunately, inefficiency scales really well.
> 
>            -- Kevin Lawton
> 
> 




More information about the NANOG mailing list