Top 4 Tips to Fight Off Botnet Denial of Service Attacks

Great article. Thinking that because my business is not too popular is the worst thing that you can do to damage your business continuity plan. Do you know that from the underground market (like RBN) you can buy a botnet C&C with a pretty simple to use web interface for 2 days , under 400 USD (also with 24 hours tech support) ? just enter the ip address of the victim and then blown up their whole internet connectivity. very small garbage packets from infected hosts distributed from US to Uganda that can overvelmed even 100Mbps bandwidth.
It think today DDOS attack can only mitigated from upstream service provider but as Jamey noted the other steps can be useful in some case.i just want to add a few resource to this great article that maybe can help.

1- Unused IP Address space that maintained by IANA and constantly updated:

http://www.iana.org/assignments/ipv4-address-space/

(look at the Status as UNALLOCATED )

2- Drop malicious traffic from bad reputation IP address , include C&C , RBN , … :

http://www.emergingthreats.net/fwrules/

this provide IP packet filter for Linux-Netfilter , Cisco PIX/ASA and IPF

3- Use Still valuable ACL on your Internet Edge to Drop risky services and protocols. for example most (to the modern one) C&C use IRC to communicate with Agents. drop the connections to/from that ports can help (not really stop DDOS attack , but can prevent your internal infected hosts from participating in Botnet )

deny tcp any any range 6660 6669
deny tcp any range 6660 6669 any

you will find interesting new Cisco Techwise TV that talk about new strategy regarding to the increasing threat of Botnet.

http://www.cisco.com/en/US/solutions/ns340/ns339/ns638/ns914/html_TWTV/twtv_episode_45.html

i forget it in the last post.this is a great site regarding the current topic.
http://www.team-cymru.org/Services/Bogons/

According to an item on this site:
http://www.asiacxo.com/pastissue/article.asp?art=26061&issue=154, "...two years ago...hackers targeted dozens of major international sports betting firms...timing their attacks to coincide with lucrative sporting events...the culprits then demanded up to US$50,000 to stop further sabotage."

According to this article, "Some are believed to have given into the criminals’ demands until, eventually, investigators traced the attack back to Russia and arrests were made."

And I guess that's my question. How is the payment of a "ransom" accomplished in such a way that the recipients can't be tracked. Sometime, somewhere, real money has to change hands. And when that happens, it is possible to catch the culprits.

But the overall impression I'm getting is that almost no one pays any ransom. DDoS attacks are troublesome, but as the article notes, there are ways to work around them.

But it's like spam--email to your accounts may be filtered, and your users may never see the junk, but it's out there, slowing everything down.

Thanks for the comments and info.
here is a site that talks about some money laundering methods
http://money.howstuffworks.com/money-laundering1.htm
-Jamey

I have found that IP Source Guard requires a fair amount of maintenance and tuning. A simpler solution is to use uRPF on edge VLAN interfaces. This isn't quite as complete as IPSG since a host can still spoof another IP address in its own subnet, but it stops the majority of spoofing problems.

Reference:
http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html

We are a leading webhosting company in the US. We found that the Cisco solution is too expensive for most of us. IntruGuard has a product range that we use for providing a DDoS scrubbing solution to our customers. IntruGuard appliances provide the capability to clean packets to and from bogon addresses, hardware based SYN proxy, connection limiting, botnet flood mitigation etc. I've used other products for DDoS mitigation with much nicer management, and reporting tools, but none of those products have come close to the actual detection and mitigation capabilities built into this product.

If you appreciate sleep and hair.

See the following link for full thread:
https://puck.nether.net/pipermail/juniper-nsp/2009-February/012591.html

"After doing further investigation, I found that in-fact my Cisco-vxr
Npe-g2 and g1 in the path (between M7i and customer router) suffered
the Dos and due to cpu saturation the bgp flapped. Earlier I did not
noticed because the cpu utilization graph of Cisco showed only 50% in
npe-g2 and 80% in npe-g1 and straightened perhaps it was not responding
mrtg polling, however "show proc cpu history" showed the different
story.

M7i was not affected...bravo Juniper..!

Thanks everyone.

Regards,
Samit"