Thursday, May 10, 2012

10 hours at work, 3 hours on the road... long damn day

I spent 9 hours today dealing with distributed botnet scans, floods, and relay attacks.

For those of us who are infosec professionals, and server or network admins, you all know how irritating, frustrating, and nearly futile that can be.

You can mitigate, and remediate, but not resolve.

Blocking subnets is only a partial solution. It doesn't work for very long, because the very nature of a distributed attack is such that it will simply shift to other subnets, and of course the same applies to blocking hosts.

And of course, that doesn't solve the problem of link saturation. You need to get your upstream provider to filter the traffic at their end... and you still have the same problem with shifting attack sources.

Oh and of course, when you blackhole entire netblocks, legitimate things sometimes break.

One lovely trick loved by botnetters is to compromise a host with a content distribution network front end (like Akamai), and use that to spread their attacks even further, hiding them in the legitimate traffic and making it effectively unblockable, unless you're willing to break a quarter of the entire internet into your site.

You can really go down a hole chasing this stuff down and trying to flyswat it.

I go fall down now.