4 Tips to Fight Botnets

Filtering Techniques to Battle Bots

RFC3704 Filtering

Basic ACL filters. The main premise of RFC3704 is that packets should be sourced from valid, allocated address space, consistent with the topology and space allocation. To this end there is a list of all unused or reserved IP addresses, those you should never see coming in from the Internet. If you do see them, then it is positively a spoofed source IP and should be dropped. The name of this list is the bogon list You should check with your ISP to see if they will manage this filtering for you in the cloud before the bogus traffic enters (and fills) you Internet link. A bogon list changes pretty frequently, about once a month, so if the ISP won't do it for you then you'll have to manage your own bogon ACL rules (or find another ISP). This updating could be scripted as well.

Black Hole Filtering

This is a common technique that is very efficient. Typically, this needs to be done in conjunction with your ISP. RTBH filtering is a technique that provides the ability to drop undesirable traffic before it enters a protected network. It uses BGP host routes to route traffic heading to victim servers to a null0 next hop. RTBH has several variations but one stands out as is worth special mention. Performing RTBH with your ISP (check with your ISP for support, they should) lets them drop the traffic in the cloud for you thus preventing a DoS on your pipe. Block Hole filtering is a large topic, if you're interested in learning more about it, I'd suggest reading this whitepaper Remotely Triggered Black Hole filtering (RTBH).

Cisco IPS 7.0 Source IP Reputation Filtering

Cisco recently released the IPS 7.0 code upgrade. This upgrade includes a feature called global correlation. In a nutshell, global correlation checks the reputation score of every source IP address it sees. If the source's reputation is bad the IPS sensor can drop the traffic or raise the Risk Rating value of a signature hit. Now here is Cisco's description of what Global Correlation does:

IPS 7.0 contains a new security capability, Cisco Global Correlation, which uses the immense security intelligence that we have amassed over the years. At regular intervals, Cisco IPS receives threat updates from the Cisco SensorBase Network, which contain detailed information about known threats on the Internet, including serial attackers, Botnet harvesters, Malware outbreaks, and dark nets. The IPS uses this information to filter out the worst attackers before they have a chance to attack critical assets. It then incorporates the global threat data in to its system to detect and prevent malicious activity even earlier.

You can configure Global Correlation so that your sensors are aware of network devices with a reputation for malicious activity, and can take action against them.


One of the ways Cisco refines the SensorBase is by taking in feeds from the deployed Cisco 7.0 IPS sensors. Companies can choose to opt in or out of the program.

The SensorBase that the Cisco IPS uses is full of different threat categories, two of which are Botnet harvesters and previous DoS offenders. Therefore, when you are under attack from a Botnet DDoS attack the Sensor will drop all of the traffic coming from bad reputation sources. This process happens before the signatures are used and is very inexpensive to the sensors' resources (CPU, backplane, etc). This makes it an ideal method to utilize during a DDoS attack. It is also why the Cisco IPS checks the SensorBase before processing its IPS signatures.

Many Botnet DDoS attacks use SSL to your web servers. This helps the attacker hide his payload from any inspection engines you may have. However, given that Global Correlation only uses the reputation score of the source IP address to makes its decision it has no issues defending against SSL DDoS attacks. No other IPS vendor has added reputation to their IPS solution so they would be unable to defend against any form of SSL DDoS attack. Some IPS vendors do have the ability to open up and look inside SSL packets by decrypting them on the fly. However, this process is too expensive on the IPS's resources (CPU, backplane, memory, etc) to be used in a DDoS attack. It would simply move the traffic bottleneck to the sensor itself.

Of course, if the DDoS attack is saturating your link this tactic likely won't work. But if the DDoS attack is just overwhelming some servers and not all your bandwidth then this works great. Global Correlation is not a silver bullet but rather another tool in your toolbox.

Subscribe to the Daily Downloads Newsletter

Comments