[116585] in North American Network Operators' Group
RE: Botnet hunting resources (was: Re: DOS in progress ?)
daemon@ATHENA.MIT.EDU (Frank Bulk)
Sat Aug 8 12:37:32 2009
From: "Frank Bulk" <frnkblk@iname.com>
To: "'Luke S Crawford'" <lsc@prgmr.com>
In-Reply-To: <m3hbwirabb.fsf@luke.xen.prgmr.com>
Date: Sat, 8 Aug 2009 11:35:42 -0500
Cc: NANOG list <nanog@nanog.org>
Some hardcore stuff on S/RTBH here:
http://www.arbornetworks.com/index.php?option=com_docman&task=doc_download&gid=112
http://www.cisco.com/web/about/security/intelligence/blackhole.pdf (which
appears to have replaced
http://www.cisco.com/warp/public/732/Tech/security/docs/blackhole.pdf)
http://www.nanog.org/meetings/nanog30/presentations/morrow.pdf
http://pierky.wordpress.com/2009/05/31/gns3-lab-remote-triggered-black-holing/
http://packetlife.net/blog/2009/jul/06/remotely-triggered-black-hole-rtbh-routing/
Frank
-----Original Message-----
From: Luke S Crawford [mailto:lsc@prgmr.com]
Sent: Saturday, August 08, 2009 3:15 AM
To: Roland Dobbins
Cc: NANOG list
Subject: Re: Botnet hunting resources (was: Re: DOS in progress ?)
Roland Dobbins <rdobbins@arbor.net> writes:
> On Aug 8, 2009, at 11:57 AM, Luke S Crawford wrote:
>
> > 2. is there a standard way to push a null-route on the attackers
> > source IP upstream?
>
> Sure - if you apply loose-check uRPF (and/or strict-check, when you
> can do so) on Cisco or Juniper routers, you can combine that with the
> blackhole to give you a source-based remotely-triggered blackhole, or
> S/RTBH. You can do this at your edges, and you *may* be able to
> arrange it with other networks with whom you connect (i.e., scope
> limited to your link with them).
Ah, nice. Thank you, that is exactly what I was looking for.
I'll read up on it this weekend and see if I can talk my provider into
letting me push that upstream.
--
Luke S. Crawford
http://prgmr.com/xen/ - Hosting for the technically adept
http://nostarch.com/xen.htm - We don't assume you are stupid.
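
The S/RTBH mechanism described in the quoted reply above (loose-check uRPF combined with a blackhole route), modeled as an added example that is not part of the original thread or of any vendor's code. The discard next hop 192.0.2.1, the interface names and the documentation-range prefixes are constructed assumptions.

```python
import ipaddress

DISCARD_NEXT_HOP = "192.0.2.1"  # assumed discard address, routed to Null0 on every edge

class EdgeRouter:
    """Toy FIB for an edge router with loose-mode uRPF on its interfaces."""
    def __init__(self):
        self.fib = {}
        self.add_route(DISCARD_NEXT_HOP + "/32", "Null0")  # provisioned in advance

    def add_route(self, prefix, next_hop):
        self.fib[ipaddress.ip_network(prefix)] = next_hop

    def withdraw_route(self, prefix):
        self.fib.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr):
        """Longest-prefix match; an IP next hop is resolved recursively."""
        ip = ipaddress.ip_address(addr)
        matches = [net for net in self.fib if ip in net]
        if not matches:
            return None
        hop = self.fib[max(matches, key=lambda net: net.prefixlen)]
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return hop            # an interface name such as "peer0" or "Null0"
        return self.lookup(hop)   # BGP-style next hop: resolve it through the FIB

    def forward(self, src, dst):
        src_path = self.lookup(src)
        # Loose uRPF: the source needs a FIB route that does not resolve to Null0.
        if src_path is None or src_path == "Null0":
            return "drop-urpf"
        out = self.lookup(dst)
        if out is None:
            return "drop-noroute"
        return "drop-null" if out == "Null0" else out

def demo():
    """Constructed scenario: 198.51.100.66 attacks 203.0.113.5 through this edge."""
    edge = EdgeRouter()
    edge.add_route("198.51.100.0/24", "peer0")
    edge.add_route("203.0.113.0/24", "cust0")
    before = edge.forward("198.51.100.66", "203.0.113.5")
    edge.add_route("198.51.100.66/32", DISCARD_NEXT_HOP)  # trigger router's announcement
    during = edge.forward("198.51.100.66", "203.0.113.5")
    bystander = edge.forward("198.51.100.10", "203.0.113.5")
    reverse = edge.forward("203.0.113.5", "198.51.100.66")
    edge.withdraw_route("198.51.100.66/32")               # attack over: withdraw trigger
    return before, during, bystander, reverse, edge.forward("198.51.100.66", "203.0.113.5")
```

The `reverse` result shows the side effect to plan for: while the trigger route is announced, traffic destined to the blackholed source is discarded as well.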