[nsp-sec] Revisiting the DDOS Route Server project
Scott A. McIntyre
scott at xs4all.net
Thu Aug 13 02:15:41 EDT 2009
Hi,
On Aug 13, 2009, at 08:06 , Seth Hall wrote:
> ----------- nsp-security Confidential --------
>
>
> On Aug 13, 2009, at 12:59 AM, Hank Nussbacher wrote:
>
>> The botherder doesn't care for the bots to check-in. He knows they
>> are out there, some listening, some not, and waiting for his wake-
>> up call. One simple UDP packet and he instructs them all to attack.
>
> Are you thinking that they might send that single UDP packet to
> every IPv4 address to compensate for not doing checkins?
I think that Hank's point is that the way most of us have the DDoS-RS
peerings set up, we only null-route traffic sent *to* the addresses
advertised. I'm not sure how many have tried to make the right router-
fu that would actually reject packets *from* entries based on some
routing policy statements/maps/whatever. I've never looked into that,
but certainly we only use it as a list of addresses to dump as a
destination.
The theoretical loophole here is that if the malware, which is obtained
by your standard drive-by or broken flash/pdf/whatnot, is programmed
to listen for a UDP packet to control it from an IP address which is
on the list, the packet could still arrive and control the
malicious code. No need to check in. No need to phone home.
Just a hunch.
Scott A. McIntyre
XS4ALL
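The gap Scott describes above is a policy question: a destination-based null route derived from the route-server feed drops traffic *to* a listed address, but a single inbound UDP packet *from* a listed address to a host inside the network is never matched. The following is an added example, not code from the nsp-security thread or from any DDoS-RS participant: a small policy simulator that evaluates constructed packets against a destination-only policy and against a policy that also checks the source, so the difference is visible on sample input. The blackhole prefixes, hosts and port numbers are constructed from RFC 5737 documentation ranges and are not real indicators.

```python
"""Destination-only vs. source-and-destination null-route policy, simulated.

Added example; the prefixes below stand in for a hypothetical DDoS route
server feed and are RFC 5737 documentation ranges, not real data.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: prefixes a hypothetical DDoS route server would advertise.
BLACKHOLE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def in_blackhole_list(addr: str) -> bool:
    """True if addr falls inside any prefix learned from the route server."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLACKHOLE_PREFIXES)


def dst_only_policy(pkt: Packet) -> str:
    """What most peerings do: null-route only traffic *to* listed addresses."""
    return "drop" if in_blackhole_list(pkt.dst) else "forward"


def src_and_dst_policy(pkt: Packet) -> str:
    """Additionally reject traffic *from* listed addresses (source-based filter)."""
    if in_blackhole_list(pkt.dst) or in_blackhole_list(pkt.src):
        return "drop"
    return "forward"


# Constructed flows: an infected host reaching out to a listed address, the
# single inbound UDP "wake-up" packet from a listed address to that host,
# and one unrelated internal connection.
SAMPLE_PACKETS = [
    Packet(src="203.0.113.10", dst="192.0.2.15", proto="udp", dport=53),
    Packet(src="198.51.100.7", dst="203.0.113.10", proto="udp", dport=31337),
    Packet(src="203.0.113.11", dst="203.0.113.12", proto="tcp", dport=443),
]


def evaluate(packets, policy):
    """Apply one policy to each packet and return the verdicts in order."""
    return [policy(p) for p in packets]


def missed_by_dst_only(packets):
    """Packets the destination-only policy forwards but the src+dst policy drops.

    These are exactly the inbound control packets the message worries about.
    """
    return [
        p for p in packets
        if dst_only_policy(p) == "forward" and src_and_dst_policy(p) == "drop"
    ]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.src:>14} -> {pkt.dst:<14} {pkt.proto}/{pkt.dport:<5} "
              f"dst-only={dst_only_policy(pkt):<7} src+dst={src_and_dst_policy(pkt)}")
    print("missed by destination-only policy:", missed_by_dst_only(SAMPLE_PACKETS))
```

On real routers the source-side check is normally implemented with a discard next-hop plus uRPF, or with an ACL built from the same feed, rather than by per-packet lookups like this; the simulation only shows which packets each policy sees. Note also that source-based filtering of UDP relies on the source address being genuine, so it narrows the gap rather than closing it.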