Re: Botnet hunting resources (was: Re: DOS in progress ?)
goe...@anime.net writes:

> On Fri, 8 Aug 2009, Luke S Crawford wrote:
>> 1. are there people who apply pressure to ISPs to get them to shut down
>> botnets, like maps did for spam?
>
> sadly no.
> ...

Why do you think this might be? Fear of (extralegal) retaliation by botnet owners? or fear of getting sued by listed network owners? or is the idea (shunning packets from ISPs that host botnets) fundamentally unsound?

If someone sufficiently trustworthy produced a BGP feed of networks that were unresponsive to abuse complaints, do you think other networks would use it to block traffic?

I mean, ultimately I think that having several providers of such feeds with differing levels of aggression would be the best case, but someone has got to go first.

--
Luke S. Crawford
http://prgmr.com/xen/ - Hosting for the technically adept
http://nostarch.com/xen.htm - We don't assume you are stupid.
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On Mon, 10 Aug 2009, Luke S Crawford wrote:
> goe...@anime.net writes:
>> On Fri, 8 Aug 2009, Luke S Crawford wrote:
>>> 1. are there people who apply pressure to ISPs to get them to shut down
>>> botnets, like maps did for spam?
>>
>> sadly no.
>> ...
>
> Why do you think this might be? Fear of (extralegal) retaliation by botnet
> owners? or fear of getting sued by listed network owners? or is the idea
> (shunning packets from ISPs that host botnets) fundamentally unsound?

such a list would include all of chinanet and france telecom. it would likely not last long.

what do you do when rogue networks are state owned?

> If someone sufficiently trustworthy produced a BGP feed of networks that
> were unresponsive to abuse complaints, do you think other networks would
> use it to block traffic?

no.

> I mean, ultimately I think that having several providers of such feeds
> with differing levels of aggression would be the best case, but someone
> has got to go first.

consider how much time and effort it took to get intercage shut down and you'd realize it's pretty much a lost cause.

-Dan
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On 10/08/2009, at 8:11 PM, goe...@anime.net wrote:
> such a list would include all of chinanet and france telecom. it would
> likely not last long.

You've mentioned France twice now. Is there a big botnet problem there? I've never heard of anything like that. I'll admit I don't follow this area of the network closely, but I'm sure there are other places higher up the list than FTE..

--
Nathan Ward
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On Aug 10, 2009, at 5:34 AM, Nathan Ward <na...@daork.net> wrote:
> On 10/08/2009, at 8:11 PM, goe...@anime.net wrote:
>> such a list would include all of chinanet and france telecom. it would
>> likely not last long.
>
> You've mentioned France twice now. Is there a big botnet problem there?
> I've never heard of anything like that. I'll admit I don't follow this
> area of the network closely, but I'm sure there are other places higher
> up the list than FTE..

I would say the problem plagues many diverse networks. The background radiation goes undetected by most people for cost reasons. It's cheaper to pass the bits than have a human convince someone their machine is compromised.

The problem will continue to be acute as transit costs get even lower.

- Jared
RE: Botnet hunting resources (was: Re: DOS in progress ?)
> Why do you think this might be? Fear of (extralegal) retaliation by botnet
> owners? or fear of getting sued by listed network owners?

[TLB:] No more than any anti-spam RBL

> or is the idea (shunning packets from ISPs that host botnets) fundamentally
> unsound?

[TLB:] That's an ongoing raging debate. Some say, since enumerating badness can't protect you against all threats, that you shouldn't do it at all. My take is, if you can filter the worst actors early and fast, based on IP address, that gives your deeper packet devices more capacity, and saves you network bandwidth. It's been my experience that IP level blocking is a best practice as the second step (the first being selective availability of any service to only those it NEEDS to be, which in the case of many network operators is everywhere and everyone, and therefore a useless filter for a network operator) in a layered defense.

> If someone sufficiently trustworthy produced a BGP feed of networks that
> were unresponsive to abuse complaints, do you think other networks would
> use it to block traffic? I mean, ultimately I think that having several
> providers of such feeds with differing levels of aggression would be the
> best case, but someone has got to go first.

[TLB:] <shameless plug> That's what ThreatSTOP is for. We use DNS, not BGP, because there are far more traffic management devices (think Subscriber firewalls) that can use it, and because ATT has a patent on using BGP for block lists. </shameless plug>
RE: Botnet hunting resources (was: Re: DOS in progress ?)
Some hardcore stuff on S/RTBH here:

http://www.arbornetworks.com/index.php?option=com_docman&task=doc_download&gid=112
http://www.cisco.com/web/about/security/intelligence/blackhole.pdf
(which appears to have replaced http://www.cisco.com/warp/public/732/Tech/security/docs/blackhole.pdf)
http://www.nanog.org/meetings/nanog30/presentations/morrow.pdf
http://pierky.wordpress.com/2009/05/31/gns3-lab-remote-triggered-black-holing/
http://packetlife.net/blog/2009/jul/06/remotely-triggered-black-hole-rtbh-routing/

Frank

-----Original Message-----
From: Luke S Crawford [mailto:l...@prgmr.com]
Sent: Saturday, August 08, 2009 3:15 AM
To: Roland Dobbins
Cc: NANOG list
Subject: Re: Botnet hunting resources (was: Re: DOS in progress ?)

Roland Dobbins <rdobb...@arbor.net> writes:
> On Aug 8, 2009, at 11:57 AM, Luke S Crawford wrote:
>> 2. is there a standard way to push a null-route on the attackers source
>> IP upstream?
>
> Sure - if you apply loose-check uRPF (and/or strict-check, when you can do
> so) on Cisco or Juniper routers, you can combine that with the blackhole
> to give you a source-based remotely-triggered blackhole, or S/RTBH.
>
> You can do this at your edges, and you *may* be able to arrange it with
> other networks with whom you connect (i.e., scope limited to your link
> with them).

Ah, nice. thank you, that is exactly what I was looking for. I'll read up on it this weekend and see if I can talk my provider into letting me push that upstream.

--
Luke S. Crawford
http://prgmr.com/xen/ - Hosting for the technically adept
http://nostarch.com/xen.htm - We don't assume you are stupid.
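What Roland's S/RTBH recipe looks like on the wire, as an added Cisco IOS configuration example for this thread (it is not taken from any of the documents linked above, nor from Luke's or his provider's network). The trigger next-hop 192.0.2.1, the attacker address 203.0.113.7, the iBGP peer addresses, AS 64496 and the interface name are all assumed for illustration; the address ranges are RFC 5737 documentation space.

```cisco
! Added example, not from the linked documents.  Addresses are RFC 5737
! documentation space; AS 64496, peer addresses and interface names are
! assumptions for illustration.
!
! --- every edge router ------------------------------------------------
! The trigger next-hop is never a real host: on every router it resolves
! to Null0, so any BGP route carrying it is a discard route.
ip route 192.0.2.1 255.255.255.255 Null0
!
interface GigabitEthernet0/0
 description Upstream transit
 ! Loose-check uRPF: a packet whose SOURCE address has a route pointing
 ! to Null0 is dropped.  This is what turns the destination blackhole
 ! into a source blackhole (S/RTBH).  Strict mode ("reachable-via rx")
 ! belongs only on interfaces with symmetric paths, e.g. single-homed
 ! customer ports, never on a transit link.
 ip verify unicast source reachable-via any
!
router bgp 64496
 neighbor 198.51.100.254 remote-as 64496
 neighbor 198.51.100.254 description iBGP to trigger router
!
! --- trigger router ---------------------------------------------------
! Static /32s tagged 666 are redistributed into iBGP with the blackhole
! next-hop.  no-export keeps them inside the AS unless an upstream has
! agreed to accept them (Roland's "scope limited to your link with them").
router bgp 64496
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 send-community
 redistribute static route-map RTBH-TRIGGER
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
! Blackhole one flooding source (constructed example address):
ip route 203.0.113.7 255.255.255.255 Null0 tag 666
! Withdraw it when the attack ends:
! no ip route 203.0.113.7 255.255.255.255 Null0 tag 666
```

On an edge router, `show ip route 203.0.113.7` should show the /32 learned via BGP with next-hop 192.0.2.1, and the uRPF drops accumulate in the "unicast RPF" counter of `show ip traffic`. Two caveats a practitioner should keep in mind: the same static route with tag 666 also drops traffic *to* 203.0.113.7, so never tag one of your own prefixes by mistake; and source-based blackholing only helps against floods whose source addresses are genuine (as Luke's appear to be, given he could send abuse reports to them). A SYN flood with randomly spoofed sources defeats it, and there destination-based RTBH of the victim /32 is what remains.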
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On Fri, 8 Aug 2009, Luke S Crawford wrote:
> 1. are there people who apply pressure to ISPs to get them to shut down
> botnets, like maps did for spam?

sadly no.

> I've got 50 gigs of packet captures, and have been going through with perl
> to detect IPs who send me lots of tcp packets with 0 payloads, then
> manually sending abuse reports. Half the abuse reports bounce, and the
> other half are ignored. (most of the hosts in question are in china.)

it's a big problem, especially with rogue networks like france and china. there is currently zero incentive for anyone to clean up, as there are no consequences for not doing so. this will not change until there are real consequences for operating IP cesspools.

-Dan
Botnet hunting resources (was: Re: DOS in progress ?)
Jorge Amodio <jmamo...@gmail.com> writes:
> Are folks seeing any major DOS in progress ? Twitter seems to be under
> one and FB is flaky.

From what I understand, it's quite common. I got hammered last week. It took out some routers at my upstream (it was a tcp syn flood attack, a whole lot of really small packets. 20Kpps was the peak I saw before the upstream took me out.)

Now, I've cleaned up the mess; (and for now, dropped the inexpensive upstream with the weak routers) I'm building out my monitoring infrastructure and generally preparing for next time.

as far as stopping the attacks by 'finishing the job' - which is to say, blackholing the target, the way forward is pretty clear. I mean, I need to do more research and implement stuff, but I don't really need NANOG help for that.

The thing is, I like my customers. I don't want to shut off people who are paying me just because they get attacked. I mean, if that's what I've got to do to keep my other paying customers up, I'll do it, but I'd really rather not.

what is the 'best practice' here? I mean, most of this is scripted, so conceivably, I could get source addresses fast enough to block them upstream. (right now my provider is only allowing me to blackhole my own space, not blackhole source addresses, which while it keeps me in business, is not really what I want.) My provider does seem to be pretty responsive, so if I can bring them a tool, they might set it up for me.

But yeah, I'm getting sidetracked. I guess there are two things I want to know:

1. are there people who apply pressure to ISPs to get them to shut down botnets, like maps did for spam?

I've got 50 gigs of packet captures, and have been going through with perl to detect IPs who send me lots of tcp packets with 0 payloads, then manually sending abuse reports. Half the abuse reports bounce, and the other half are ignored. (most of the hosts in question are in china.)

2. is there a standard way to push a null-route on the attacker's source IP upstream?

I know the problem is difficult due to trust issues, but if I could null route the source, it's just a matter of detecting abusive traffic, and with this attack, that part was pretty easy.

--
Luke S. Crawford
http://prgmr.com/xen/ - Hosting for the technically adept
http://nostarch.com/xen.htm - We don't assume you are stupid.
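The "lots of tcp packets with 0 payloads" detection Luke describes, as an added Python example for this thread (it is not his perl script and not code from any project named here). It walks a classic libpcap file with the standard library only, so it can stream a 50 GB capture without loading it, and it takes the payload length from the IP total-length field rather than the captured frame length, since NIC padding makes a bare SYN look like it carries 6 bytes of data. The capture it runs on is constructed inline; the addresses are RFC 5737 documentation space, and the threshold of 10 is an arbitrary choice for the demonstration.

```python
import struct
from collections import Counter

# Added example written for this thread; it is not Luke's perl script and not
# code from any project named here.  It walks a classic libpcap file (magic
# 0xa1b2c3d4, Ethernet link type) and counts, per source IP, the TCP packets
# carrying no payload: the shape of the SYN flood described above.
# The capture at the bottom is constructed for the demonstration, not real.

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
ETHERTYPE_IPV4, ETHERTYPE_VLAN = 0x0800, 0x8100
IPPROTO_TCP, TCP_SYN = 6, 0x02


def iter_frames(pcap):
    """Yield the captured bytes of every record in a pcap blob."""
    if len(pcap) < 24:
        raise ValueError("not a pcap file: short global header")
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"                        # file was written big-endian
    else:
        raise ValueError("not a pcap file: bad magic %#x" % magic)
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src_ip, tcp_flags, payload_len) for an IPv4/TCP frame, else None.
    Payload length comes from the IP total-length field, not the captured length:
    NICs pad short frames to 60 bytes, so a bare SYN would otherwise show 6 bytes."""
    if len(frame) < 18:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETHERTYPE_VLAN:         # 802.1Q tag: skip the TCI, read inner type
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[off:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP or ihl < 20 or total_len < ihl + 20:
        return None
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None                         # TCP header cut off by a short snaplen
    data_off = (tcp[12] >> 4) * 4
    src_ip = "%d.%d.%d.%d" % tuple(ip[12:16])
    return src_ip, tcp[13], max(total_len - ihl - data_off, 0)


def count_zero_payload_sources(pcap, syn_only=True):
    """Per-source count of TCP packets with no payload (by default, SYNs only)."""
    counts = Counter()
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, flags, payload = parsed
        if payload == 0 and (flags & TCP_SYN or not syn_only):
            counts[src] += 1
    return counts


def suspects(counts, threshold):
    """Sources at or above threshold, busiest first: the list to send abuse reports on."""
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def build_frame(src_ip, dst_ip, flags, payload=b"", sport=40000, dport=80):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    frame = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp
    return frame + b"\x00" * max(0, 60 - len(frame))   # pad like a NIC would


def build_pcap(frames):
    """Constructed little-endian pcap file wrapping the given frames."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1249700000 + i, 0, len(f), len(f)) + f
    return out


# Constructed sample: one flooding source, one low-volume source, one real HTTP request.
SAMPLE_PCAP = build_pcap(
    [build_frame("203.0.113.7", "198.51.100.10", TCP_SYN) for _ in range(50)]
    + [build_frame("203.0.113.9", "198.51.100.10", TCP_SYN) for _ in range(3)]
    + [build_frame("192.0.2.44", "198.51.100.10", 0x18, b"GET / HTTP/1.0\r\n\r\n")]
)
```

Running `suspects(count_zero_payload_sources(SAMPLE_PCAP), 10)` returns only the flooding source, `[("203.0.113.7", 50)]`; the three-SYN host and the HTTP client are filtered out. For a real capture, replace `SAMPLE_PCAP` with the file contents (or a memory-mapped file) and set the threshold from the baseline SYN rate of the victim service, since a busy web server legitimately sees many empty SYNs from ordinary clients. Pure-Python parsing is slow at 50 GB, so in practice the same logic is worth porting to `tcpdump -nn 'tcp[tcpflags] == tcp-syn'` piped into a counter, but the IP-length rule above is the part that keeps the numbers honest whichever tool counts them.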