Some hardcore stuff on S/RTBH here: http://www.arbornetworks.com/index.php?option=com_docman&task=doc_download&g id=112 http://www.cisco.com/web/about/security/intelligence/blackhole.pdf (which appears to have replaced http://www.cisco.com/warp/public/732/Tech/security/docs/blackhole.pdf) http://www.nanog.org/meetings/nanog30/presentations/morrow.pdf http://pierky.wordpress.com/2009/05/31/gns3-lab-remote-triggered-black-holin g/ http://packetlife.net/blog/2009/jul/06/remotely-triggered-black-hole-rtbh-ro uting/
Frank -----Original Message----- From: Luke S Crawford [mailto:l...@prgmr.com] Sent: Saturday, August 08, 2009 3:15 AM To: Roland Dobbins Cc: NANOG list Subject: Re: Botnet hunting resources (was: Re: DOS in progress ?) Roland Dobbins <rdobb...@arbor.net> writes: > On Aug 8, 2009, at 11:57 AM, Luke S Crawford wrote: > > > 2. is there a standard way to push a null-route on the attackers > > source IP upstream? > > Sure - if you apply loose-check uRPF (and/or strict-check, when you > can do so) on Cisco or Juniper routers, you can combine that with the > blackhole to give you a source-based remotely-triggered blackhole, or > S/RTBH. You can do this at your edges, and you *may* be able to > arrange it with other networks with whom you connect (i.e., scope > limited to your link with them). Ah, nice. thank you, that is exactly what I was looking for. I'll read up on it this weekend and see if I can talk my provider into letting me push that upstream. -- Luke S. Crawford http://prgmr.com/xen/ - Hosting for the technically adept http://nostarch.com/xen.htm - We don't assume you are stupid.
