[nsp-sec] Revisiting the DDOS Route Server project

SURFcert - Peter p.g.m.peters at utwente.nl
Thu Aug 13 03:47:00 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Scott A. McIntyre wrote on 13-8-2009 8:15:

>>> The botherder doesn't care for the bots to check-in.  He knows they
>>> are out there, some listening, some not, and waiting for his wake-up
>>> call.  One simple UDP packet and he instructs them all to attack.
>>
>> Are you thinking that they might send that single UDP packet to every
>> IPv4 address to compensate for not doing checkins?
> 
> I think that Hank's point is that the way most of us have the DDoS-RS
> peerings set up we only null-route traffic sent *to* addresses
> advertised.  I'm not sure how many have tried to make the right
> router-fu that would actually reject packets *from* entries based on
> some routing policy statements/maps/whatever.  I've never looked into
> that, but certainly we only use it as a list of addresses to dump as a
> destination.

We (at University Twente and a number of other universities) are using
source-based routing to redirect infected systems in our network to a
website explaining to them what they have been up to. I have to check in,
but I believe we block or redirect external IP addresses the same way
too. So no matter what protocol they use, they will be trapped.

- --
Peter Peters
SURFcert Officer off Duty
cert at surfnet.nl                            http://cert.surfnet.nl/
office-hours: +31 302 305 305    emergency (24/7): +31 622 923 564
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iD8DBQFKg8TzelLo80lrIdIRAqbLAJ0RRtsaGeEQCpZ7CzOOIfbv+qDUJQCfe60g
Wu2dwGWiVCUg3xOwo8raWuo=
=5Ypc
-----END PGP SIGNATURE-----
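The source-based policy routing described in the message above, as an added example that is not part of the original thread and not the configuration SURFnet or the University of Twente actually run. Vendor syntax is an assumption (Cisco IOS policy-based routing); the addresses (192.0.2.0/24 for the campus, 198.51.100.0/24 as a feed entry, 192.0.2.250 as the walled-garden web server) are constructed documentation ranges. Clause 10 redirects traffic *from* internal hosts flagged as infected to the explanation site; clause 20 drops traffic *from* external sources learned through the DDoS route-server feed, which is the "reject packets from entries" case raised in the quoted reply.

```cisco
! Constructed example: internal hosts identified as infected
ip access-list extended INFECTED-INSIDE
 permit ip host 192.0.2.17 any
 permit ip host 192.0.2.44 any
!
! Constructed example: external sources taken from the DDoS-RS feed
ip access-list extended DDOSRS-SOURCES
 permit ip 198.51.100.0 0.0.0.255 any
!
! Source-matched policy: first matching clause wins, unmatched traffic
! falls through to normal destination-based routing
route-map QUARANTINE permit 10
 match ip address INFECTED-INSIDE
 set ip next-hop 192.0.2.250
!
route-map QUARANTINE permit 20
 match ip address DDOSRS-SOURCES
 set interface Null0
!
! Apply on the ingress interfaces where the matched sources arrive
interface GigabitEthernet0/1
 description Campus-facing
 ip policy route-map QUARANTINE
!
interface GigabitEthernet0/0
 description Upstream
 ip policy route-map QUARANTINE
```

Two caveats a practitioner would want: `set ip next-hop` assumes the walled-garden server is reachable as a next hop on a directly connected segment, and that server has to answer for arbitrary destination addresses (the infected host is still trying to reach its original destination, so the web server sees the explanation page request with a foreign destination IP). Policy routing with an ACL also does not scale to a feed of thousands of prefixes; for the external-source case, the usual operational approach is to carry the feed in BGP with a Null0 next hop and enable loose-mode unicast RPF on the upstream interface, so packets whose source route points at Null0 are dropped in the forwarding plane without a per-prefix ACL entry.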



More information about the nsp-security mailing list