[nsp-sec] Revisiting the DDOS Route Server project
Hank Nussbacher
hank at efes.iucc.ac.il
Thu Aug 13 00:59:13 EDT 2009
At 00:52 13/08/2009 -0400, Seth Hall wrote:
>On Aug 13, 2009, at 12:31 AM, Hank Nussbacher wrote:
>
>> But for UDP, if the botmaster realizes what we are doing (and I
>>would assume that by now - after years of all of us null routing
>>many of their C&C), all they need do is switch to UDP and send their
>>instructions out to their bots via UDP, which we do not have any
>>tools yet to stop.
>
>I assume that some HTTP/IRC botnet transformed into a UDP botnet would
>still need to do the initial checkin which would still be stopped by
>the route server as long as the checkin server was being announced.
>No bots check in, no commands sent out.

The botherder doesn't care for the bots to check in. He knows they are out
there, some listening, some not, and waiting for his wake-up call. One
simple UDP packet and he instructs them all to attack.

-Hank

>>So, what can we as a community do to augment the DDOS Route Server
>>to make it even better?
>
>
>Maybe the question is more, how could the ddos route server change to
>deal with some of the more exotic fastfluxing and P2P botnets?
>
> .Seth
>
>---
>Seth Hall
>Network Security - Office of the CIO
>The Ohio State University
>Phone: 614-292-9721