[nsp-sec] Revisiting the DDOS Route Server project
Hank Nussbacher
hank at efes.iucc.ac.il
Thu Aug 13 00:31:03 EDT 2009
As many of us are aware the DDOS Route Server project:
https://www.cymru.com/nsp-sec/DDoS-RS/
has done more than almost any effort to curb the tide against botnets.
I have recently been thinking that perhaps we are not being effective
against these C&Cs, if they decide to work via UDP and TCP. Since the /32
announcements will force all traffic *destined* to a C&C to be null-routed,
we assume we have neutralized the C&C when all we have done is cut off half
of the connection. For TCP that is enough. But for UDP, if the botmaster
realizes what we are doing (and I would assume that by now - after years of
all of us null routing many of their C&Cs), all they need do is switch to
UDP and send their instructions out to their bots via UDP, which we do not
have any tools yet to stop.
So, what can we as a community do to augment the DDOS Route Server to make
it even better?
-Hank
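
Added example, not part of the original post: a small model of a router that carries a /32 null route for a C&C address, showing which flows the blackhole actually stops given that forwarding looks only at the destination. The addresses (documentation ranges), the next-hop names and every function here are constructed for illustration.

```python
import ipaddress

NULL = "null0"  # hypothetical name for the discard next hop

class Fib:
    """Longest-prefix-match table; forwarding never looks at the source."""
    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return NULL
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def forwards(self, src, dst):
        # src is accepted but deliberately unused: destination-based forwarding.
        return self.lookup(dst) != NULL

def tcp_established(fib, client, server):
    # SYN, SYN-ACK and ACK must all be delivered for a session to exist.
    legs = [(client, server), (server, client), (client, server)]
    return all(fib.forwards(s, d) for s, d in legs)

def udp_delivered(fib, src, dst):
    # A single datagram needs only its own direction to be forwarded.
    return fib.forwards(src, dst)

CNC = "203.0.113.66"   # constructed C&C address
BOT = "198.51.100.25"  # constructed infected host on a customer prefix

def survey():
    fib = Fib()
    fib.add("0.0.0.0/0", "upstream")
    fib.add("198.51.100.0/24", "customer")
    fib.add(f"{CNC}/32", NULL)  # the /32 announcement from the route server
    return {
        "tcp bot->cnc": tcp_established(fib, BOT, CNC),
        "tcp cnc->bot": tcp_established(fib, CNC, BOT),
        "udp bot->cnc": udp_delivered(fib, BOT, CNC),
        "udp cnc->bot": udp_delivered(fib, CNC, BOT),
    }

if __name__ == "__main__":
    for flow, ok in survey().items():
        print(f"{flow}: {'passes' if ok else 'dropped'}")
```

Only the last flow passes: the null route matches on the C&C address as a destination, so a datagram sourced from that address is forwarded like any other traffic toward the customer prefix.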