Botnet hunting resources

Joel Jaeggli joelja at
Sat Aug 8 09:37:24 CDT 2009

Roland Dobbins wrote:
> On Aug 8, 2009, at 11:57 AM, Luke S Crawford wrote:
>> 2. is there a standard way to push a null-route on the attackers
>> source IP upstream?
> Sure - if you apply loose-check uRPF (and/or strict-check, when you can
> do so) on Cisco or Juniper routers, you can combine that with the
> blackhole to give you a source-based remotely-triggered blackhole, or
> S/RTBH.  You can do this at your edges, and you *may* be able to arrange
> it with other networks with whom you connect (i.e., scope limited to
> your link with them).

Warren Kumari and others collaborated on a document to describe how this
is normally done:

Coordination with your upstreams before you need this is important.

> Combine that with the other standard architectural and hardening BCPs,
> along with the DNS BCPs, and you'll be much better prepared to detect,
> classify, traceback, and mitigate attacks.  The key is to ensure you're
> making use of hardware-based routers which can handle high pps.
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at> // <>
>         Unfortunately, inefficiency scales really well.
>            -- Kevin Lawton
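The S/RTBH setup Roland describes above, as an added illustration in Cisco IOS syntax; this is not configuration posted by Joel or Roland, and it uses assumed values throughout: AS 64496 and discard next-hop 192.0.2.1 are documentation-range placeholders, community 64496:666 and route tag 666 are chosen here by convention, and 198.51.100.77 is a constructed example of an attacking source address.

```cisco
!!! --- Trigger router (the one box where you type the blackhole) ---
! Discard next-hop: every router in the AS routes 192.0.2.1 to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
! A static route tagged 666 is picked up by the route-map below and
! announced to all iBGP peers with its next-hop rewritten to 192.0.2.1.
! "no-export" keeps the route inside the AS until an upstream has agreed
! to honour it (Joel's point about coordinating with upstreams first).
router bgp 64496
 bgp log-neighbor-changes
 redistribute static route-map S-RTBH-TRIGGER
!
route-map S-RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community 64496:666 no-export
!
ip bgp-community new-format
!
! To blackhole an attacking SOURCE (constructed example address), add:
ip route 198.51.100.77 255.255.255.255 Null0 tag 666
! To withdraw it later:
!   no ip route 198.51.100.77 255.255.255.255 Null0 tag 666
!
!!! --- Edge / peering routers (every router that should drop the source) ---
! Same discard next-hop, so the iBGP-learned /32 resolves to Null0.
ip route 192.0.2.1 255.255.255.255 Null0
!
! Loose-check uRPF on the external-facing interface: a packet is dropped
! when the best route to its SOURCE address points to Null0. Combined with
! the /32 above, this turns a destination blackhole into a source blackhole.
interface GigabitEthernet0/0
 description Upstream transit (assumed interface name)
 ip verify unicast source reachable-via any
!
! Useful checks once the trigger route is in place:
!   show ip route 198.51.100.77       -> should show next-hop 192.0.2.1 / Null0
!   show ip interface GigabitEthernet0/0 | include verif|drop
!   show ip bgp community 64496:666    -> lists every active blackhole
```

Two design notes: strict-check uRPF (`reachable-via rx`) gives the same drop but is only safe on interfaces with symmetric routing, which is why Roland's "when you can do so" matters; and because the trigger is a tagged static route, the same mechanism can be driven from a script or a ticketing tool, so keep the tag and community values consistent across the fleet and log every trigger.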

More information about the NANOG mailing list