Re: Botnet hunting resources (was: Re: DOS in progress ?)
goe...@anime.net writes:

> On Fri, 8 Aug 2009, Luke S Crawford wrote:
>> 1. are there people who apply pressure to ISPs to get them to shut down botnets, like maps did for spam?
> sadly no.
...

Why do you think this might be? Fear of (extralegal) retaliation by botnet owners? or fear of getting sued by listed network owners? or is the idea (shunning packets from ISPs that host botnets) fundamentally unsound?

If someone sufficiently trustworthy produced a BGP feed of networks that were unresponsive to abuse complaints, do you think other networks would use it to block traffic?

I mean, ultimately I think that having several providers of such feeds with differing levels of aggression would be the best case, but someone has got to go first.

--
Luke S. Crawford
http://prgmr.com/xen/ - Hosting for the technically adept
http://nostarch.com/xen.htm - We don't assume you are stupid.
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On Mon, 10 Aug 2009, Luke S Crawford wrote:
> goe...@anime.net writes:
>> On Fri, 8 Aug 2009, Luke S Crawford wrote:
>>> 1. are there people who apply pressure to ISPs to get them to shut down botnets, like maps did for spam?
>> sadly no.
> ...
> Why do you think this might be? Fear of (extralegal) retaliation by botnet owners? or fear of getting sued by listed network owners? or is the idea (shunning packets from ISPs that host botnets) fundamentally unsound?

such a list would include all of chinanet and france telecom. it would likely not last long. what do you do when rogue networks are state owned?

> If someone sufficiently trustworthy produced a BGP feed of networks that were unresponsive to abuse complaints, do you think other networks would use it to block traffic?

no.

> I mean, ultimately I think that having several providers of such feeds with differing levels of aggression would be the best case, but someone has got to go first.

consider how much time and effort it took to get intercage shut down and you'd realize it's pretty much a lost cause.

-Dan
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On 10/08/2009, at 8:11 PM, goe...@anime.net wrote:
> such a list would include all of chinanet and france telecom. it would likely not last long.

You've mentioned France twice now. Is there a big botnet problem there? I've never heard of anything like that. I'll admit I don't follow this area of the network closely, but I'm sure there are other places higher up the list than FTE..

--
Nathan Ward
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On Aug 10, 2009, at 5:34 AM, Nathan Ward na...@daork.net wrote:
> On 10/08/2009, at 8:11 PM, goe...@anime.net wrote:
>> such a list would include all of chinanet and france telecom. it would likely not last long.
>
> You've mentioned France twice now. Is there a big botnet problem there? I've never heard of anything like that. I'll admit I don't follow this area of the network closely, but I'm sure there are other places higher up the list than FTE..

I would say the problem plagues many diverse networks. The background radiation goes undetected by most people for cost reasons. It's cheaper to pass the bits than have a human convince someone their machine is compromised. The problem will continue to be acute as transit costs get even lower.

- Jared
RE: Botnet hunting resources (was: Re: DOS in progress ?)
> Why do you think this might be? Fear of (extralegal) retaliation by botnet owners? or fear of getting sued by listed network owners?

[TLB:] No more than any anti-spam RBL

> or is the idea (shunning packets from ISPs that host botnets) fundamentally unsound?

[TLB:] That's an ongoing raging debate. Some say, since enumerating badness can't protect you against all threats, that you shouldn't do it at all. My take is, if you can filter the worst actors early and fast, based on IP address, that gives your deeper packet devices more capacity, and saves you network bandwidth. It's been my experience that IP level blocking is a best practice as the second step (the first being selective availability of any service to only those it NEEDS to be, which in the case of many network operators is everywhere and everyone, and therefore a useless filter for a network operator) in a layered defense.

> If someone sufficiently trustworthy produced a BGP feed of networks that were unresponsive to abuse complaints, do you think other networks would use it to block traffic? I mean, ultimately I think that having several providers of such feeds with differing levels of aggression would be the best case, but someone has got to go first.

[TLB:] shameless plug That's what ThreatSTOP is for. We use DNS, not BGP, because there are far more traffic management devices (think Subscriber firewalls) that can use it, and because ATT has a patent on using BGP for block lists. /shameless plug
RE: Botnet hunting resources (was: Re: DOS in progress ?)
Some hardcore stuff on S/RTBH here:

http://www.arbornetworks.com/index.php?option=com_docman&task=doc_download&gid=112
http://www.cisco.com/web/about/security/intelligence/blackhole.pdf (which appears to have replaced http://www.cisco.com/warp/public/732/Tech/security/docs/blackhole.pdf)
http://www.nanog.org/meetings/nanog30/presentations/morrow.pdf
http://pierky.wordpress.com/2009/05/31/gns3-lab-remote-triggered-black-holing/
http://packetlife.net/blog/2009/jul/06/remotely-triggered-black-hole-rtbh-routing/

Frank

-----Original Message-----
From: Luke S Crawford [mailto:l...@prgmr.com]
Sent: Saturday, August 08, 2009 3:15 AM
To: Roland Dobbins
Cc: NANOG list
Subject: Re: Botnet hunting resources (was: Re: DOS in progress ?)

Roland Dobbins rdobb...@arbor.net writes:
> On Aug 8, 2009, at 11:57 AM, Luke S Crawford wrote:
>> 2. is there a standard way to push a null-route on the attackers source IP upstream?
>
> Sure - if you apply loose-check uRPF (and/or strict-check, when you can do so) on Cisco or Juniper routers, you can combine that with the blackhole to give you a source-based remotely-triggered blackhole, or S/RTBH. You can do this at your edges, and you *may* be able to arrange it with other networks with whom you connect (i.e., scope limited to your link with them).

Ah, nice. thank you, that is exactly what I was looking for. I'll read up on it this weekend and see if I can talk my provider into letting me push that upstream.

--
Luke S. Crawford
http://prgmr.com/xen/ - Hosting for the technically adept
http://nostarch.com/xen.htm - We don't assume you are stupid.
Re: Botnet hunting resources (was: Re: DOS in progress ?)
On Fri, 8 Aug 2009, Luke S Crawford wrote:
> 1. are there people who apply pressure to ISPs to get them to shut down botnets, like maps did for spam?

sadly no.

> I've got 50 gigs of packet captures, and have been going through with perl to detect IPs who send me lots of tcp packets with 0 payloads, then manually sending abuse reports. Half the abuse reports bounce, and the other half are ignored. (most of the hosts in question are in china.)

it's a big problem, especially with rogue networks like france and china. there is currently zero incentive for anyone clean up, as there are no consequences for not doing so. this will not change until there are real consequences for operating IP cesspools.

-Dan
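The triage Luke describes (sifting captures for sources that send many zero-payload TCP segments) as an added example, not code from the thread (his Perl was never posted): a Python script that walks a small constructed pcap, counts empty TCP segments per source IPv4 address and reports the sources above a threshold, the list one would feed into abuse reports or an S/RTBH trigger. The threshold, the sample addresses and the frame builder are assumptions made here for the demonstration.

```python
import struct
from collections import Counter

# Constructed sample data (not a real capture): minimal Ethernet/IPv4/TCP
# frames wrapped in a classic little-endian pcap file (link type 1 = Ethernet).
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))

def tcp_record(src, dst, payload=b"", flags=0x02):
    """One pcap record: 20-byte IPv4 header, 20-byte TCP header, payload."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip2b(src), ip2b(dst))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp        # zeroed MACs, EtherType IPv4
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

def empty_tcp_by_source(pcap):
    """Count TCP segments carrying no payload, keyed by source IPv4 address."""
    counts = Counter()
    off = 24                                             # skip pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                     # not IPv4/TCP: ignore
        ihl = (frame[14] & 0x0F) * 4                     # IPv4 header length
        if len(frame) < 14 + ihl + 20:
            continue                                     # truncated segment
        total_len = struct.unpack_from("!H", frame, 16)[0]
        data_off = (frame[14 + ihl + 12] >> 4) * 4       # TCP header length
        if total_len - ihl - data_off == 0:
            counts[".".join(str(b) for b in frame[26:30])] += 1
    return counts

def suspects(pcap, threshold):
    """Sources at or above the threshold; a normal client only sends a few."""
    return sorted(ip for ip, n in empty_tcp_by_source(pcap).items() if n >= threshold)

SAMPLE = PCAP_GLOBAL + b"".join(
    [tcp_record("203.0.113.7", "198.51.100.1")] * 50     # constructed flood source
    + [tcp_record("192.0.2.5", "198.51.100.1"),          # one legitimate SYN ...
       tcp_record("192.0.2.5", "198.51.100.1", b"GET / HTTP/1.0\r\n", 0x18)])

if __name__ == "__main__":
    print(suspects(SAMPLE, threshold=20))                # ['203.0.113.7']
```

A real handshake contributes one or two empty segments per connection, so the threshold has to sit well above the connection rate of a busy legitimate client before the list is worth acting on.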