[nsp-sec] Revisiting the DDOS Route Server project

Florian Weimer fweimer at bfk.de
Thu Aug 13 03:59:34 EDT 2009


* Hank Nussbacher:

> I have recently been thinking that perhaps we are not being effective
> against these C&Cs, if they decide to work via UDP and TCP.  Since the
> /32 announcements will force all traffic *destined* to a C&C to be
> null-routed, we assume we have neutralized the C&C when all we have
> done is cut off half of the connection.

There are some routing platforms which turn null routes into source
address filters when running in strict or loose uRPF mode.  But this is
not universally available, AFAIK.

> For TCP that is enough.  But for UDP, if the botmaster realizes what
> we are doing (and I would assume that by now - after years of all of
> us null routing many of their C&C), all they need do is switch to
> UDP and send their instructions out to their bots via UDP, which we
> do not have any tools yet to stop.

At that point, the source address becomes meaningless anyway and you
can use spoofed packets to control bots. 8-/

-- 
Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
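Added example, not part of the original nsp-sec post or of any router vendor's code: a toy FIB in Python that shows the three forwarding behaviours discussed above. A plain /32 null route drops only packets *destined* to the C&C; loose uRPF (RFC 3704) additionally drops packets whose *source* resolves to the discard route; and, as Florian notes, a spoofed source with a legitimate route passes either way. The prefixes, interface names and packets are constructed for the demo, and the C&C address 192.0.2.7 is an arbitrary documentation address.

```python
"""Toy FIB demonstrating null routes vs. loose/strict uRPF (added example)."""
from ipaddress import ip_address, ip_network

NULL0 = "Null0"  # discard "interface", as on a router's blackhole route

# Constructed FIB: (prefix, egress interface). Most specific match wins.
FIB = [
    (ip_network("0.0.0.0/0"), "ge-0/0/0"),        # default route towards upstream
    (ip_network("198.51.100.0/24"), "ge-0/0/1"),  # a customer cone
    (ip_network("203.0.113.0/24"), "ge-0/0/2"),   # another customer
    (ip_network("192.0.2.7/32"), NULL0),          # the blackholed C&C host
]


def lookup(addr):
    """Longest-prefix match over FIB; returns the egress interface or None."""
    addr = ip_address(addr)
    best = None
    for prefix, egress in FIB:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, egress)
    return best[1] if best else None


def forward(src, dst, ingress, urpf="off"):
    """Decide the fate of one packet: 'drop:<reason>' or 'forward:<egress>'.

    urpf: 'off'    - destination lookup only (what a bare /32 null route gives you)
          'loose'  - source must resolve to a non-discard route
          'strict' - source must also resolve back out the ingress interface
    Note: here the default route counts as a valid source route, i.e. the
    behaviour of IOS 'reachable-via any allow-default'; without allow-default
    a source matched only by the default route would be dropped.
    """
    # 1. Destination lookup: the null route catches packets *to* the C&C.
    egress = lookup(dst)
    if egress is None or egress == NULL0:
        return "drop:dst-null-route"

    # 2. Source check (uRPF): the same /32 now also catches packets *from* the C&C.
    if urpf != "off":
        src_route = lookup(src)
        if src_route is None or src_route == NULL0:
            return "drop:urpf-src-null-route"
        if urpf == "strict" and src_route != ingress:
            return "drop:urpf-strict-asymmetric"
    return f"forward:{egress}"


def demo():
    """Run the scenarios from the thread and return their outcomes."""
    c2, bot, upstream = "192.0.2.7", "198.51.100.20", "ge-0/0/0"
    return {
        # bot -> C&C: dropped by the null route alone, TCP or UDP alike
        "bot_to_c2": forward(bot, c2, "ge-0/0/1"),
        # C&C -> bot (e.g. UDP commands): sails through with only a null route...
        "c2_to_bot_no_urpf": forward(c2, bot, upstream),
        # ...but is dropped once loose uRPF consults the same /32
        "c2_to_bot_loose": forward(c2, bot, upstream, urpf="loose"),
        # spoofed source somewhere behind the default route: loose uRPF passes it
        "spoofed_to_bot_loose": forward("192.0.2.200", bot, upstream, urpf="loose"),
        # strict mode only helps when the spoofed source is "behind" another port
        "spoofed_to_bot_strict": forward("203.0.113.9", bot, upstream, urpf="strict"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

The last two scenarios are the point of Florian's closing remark: once the botmaster stops caring about replies, any routable source address will do, and loose uRPF on the upstream edge has nothing to match against. Strict mode on an upstream interface is shown only for completeness; in practice it breaks on asymmetric routing and is deployed towards single-homed customers, not transit.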


