[116581] in North American Network Operators' Group


Re: Botnet hunting resources (was: Re: DOS in progress ?)

daemon@ATHENA.MIT.EDU (Roland Dobbins)
Sat Aug 8 01:44:12 2009

From: Roland Dobbins <rdobbins@arbor.net>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <m3iqgysy1c.fsf@luke.xen.prgmr.com>
Date: Sat, 8 Aug 2009 12:45:29 +0700
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Aug 8, 2009, at 11:57 AM, Luke S Crawford wrote:

> 2. is there a standard way to push a null-route on the attackers  
> source IP upstream?

Sure - if you apply loose-check uRPF (and/or strict-check, when you can do so) on Cisco or Juniper routers, you can combine that with the blackhole to give you a source-based remotely-triggered blackhole, or S/RTBH.  You can do this at your edges, and you *may* be able to arrange it with other networks with whom you connect (i.e., scope limited to your link with them).

Combine that with the other standard architectural and hardening BCPs, along with the DNS BCPs, and you'll be much better prepared to detect, classify, trace back, and mitigate attacks.  The key is to ensure you're making use of hardware-based routers which can handle high pps.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

         Unfortunately, inefficiency scales really well.

		   -- Kevin Lawton
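The S/RTBH arrangement Roland describes above (a blackhole route combined with loose-check uRPF so that the router discards traffic *from* the attacking source, not just traffic to the victim) looks roughly like the following on Cisco IOS. This is an added illustration, not configuration from the original post or from Arbor; the addresses (203.0.113.45 for the attacking source, 192.0.2.1 as the well-known discard next-hop, 10.0.0.2 as an iBGP peer, AS 64512) and the tag and route-map names are constructed placeholders.

```cisco
!-------------------------------------------------------------------
! Trigger router: one static route per attacking source, tagged so a
! route-map can pick it out and announce it to the edges via iBGP.
!-------------------------------------------------------------------
ip route 203.0.113.45 255.255.255.255 Null0 tag 66
!
route-map BLACKHOLE-TRIGGER permit 10
 match tag 66
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
router bgp 64512
 neighbor 10.0.0.2 remote-as 64512
 neighbor 10.0.0.2 send-community
 redistribute static route-map BLACKHOLE-TRIGGER
!
!-------------------------------------------------------------------
! Every edge router: the discard next-hop resolves to Null0, and
! loose-check uRPF is enabled on the upstream-facing interfaces.
! A source whose best route recurses to Null0 fails the uRPF check,
! so packets *from* 203.0.113.45 are dropped at the edge in hardware.
!-------------------------------------------------------------------
ip route 192.0.2.1 255.255.255.255 Null0
!
interface GigabitEthernet0/0
 description upstream transit
 ip verify unicast source reachable-via any
!
! Remove the trigger route to lift the blackhole:
!   no ip route 203.0.113.45 255.255.255.255 Null0 tag 66
```

Two practical checks before relying on this: confirm with `show ip bgp 203.0.113.45/32` on an edge that the route arrived with next-hop 192.0.2.1 and no-export, and watch `show ip interface GigabitEthernet0/0` (the uRPF drop counters) to see that the discards are actually happening on the line cards rather than in the slow path. The same scheme on Junos uses a `discard` static route for the next-hop and `rpf-check mode loose` under the interface's `family inet`. Because the trigger announces host routes, keep the community scoped (no-export, or a dedicated community your peers have agreed to act on) so a mistyped prefix cannot leak beyond your own network.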
