North American Network Operators Group
Re: Blackholes and IXs and Completing the Attack.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- Roland Dobbins <[email protected]> wrote:

>On Feb 3, 2008, at 4:50 AM, Paul Ferguson wrote:
>
>> We (Trend Micro) do something similar to this -- a black-hole BGP
>> feed of known botnet C&Cs, such that the C&C channel is effectively
>> black-holed.
>
>What's the trigger (pardon the pun, heh) and process for removing IPs from the blackhole list post-cleanup, in Trend's case?
>

We have a team that does the vetting/validation and when the C&Cs are taken down (or "decommissioned") they are removed from the feed.

>Is there a notification mechanism so that folks who may not subscribe to Trend's service but who are unwittingly hosting a botnet C&C are made aware of same?
>

Well, we try to notify the owners of the identified hosts, but it is not always successful... and sometimes the sheer churn is prohibitive.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHpTu1q1pz9mNUZTMRAu+CAJ94j6AgqZgrMQ6b8HoPLyy4zBRcNgCfejWn
dAE2T+i2MtvpAJ2PNJmdTpc=
=N+iF
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/