North American Network Operators Group


Re: Blackholes and IXs and Completing the Attack.

  • From: Paul Ferguson
  • Date: Sat Feb 02 23:03:10 2008

-- Roland Dobbins <[email protected]> wrote:

>On Feb 3, 2008, at 4:50 AM, Paul Ferguson wrote:
>
>> We (Trend Micro) do something similar to this -- a black-hole BGP
>> feed of known botnet C&Cs, such that the C&C channel is effectively
>> black-holed.
>
>What's the trigger (pardon the pun, heh) and process for removing IPs
>from the blackhole list post-cleanup, in Trend's case?
>

We have a team that does the vetting/validation and when the C&Cs
are taken down (or "decommissioned") they are removed from the
feed.

>Is there a notification mechanism so that folks who may not subscribe
>to Trend's service but who are unwittingly hosting a botnet C&C are
>made aware of same?
>

Well, we try to notify the owners of the identified hosts, but it
is not always successful... and sometimes the sheer churn is
prohibitive.

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/