Blackholes and IXs and Completing the Attack.
Paul Ferguson
fergdawg at netzero.net
Sun Feb 3 03:57:48 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- -- Roland Dobbins <rdobbins at cisco.com> wrote:
>On Feb 3, 2008, at 4:50 AM, Paul Ferguson wrote:
>
>> We (Trend Micro) do something similar to this -- a black-hole BGP
>> feed of known botnet C&Cs, such that the C&C channel is effectively
>> black-holed.
>
>What's the trigger (pardon the pun, heh) and process for removing IPs
>from the blackhole list post-cleanup, in Trend's case?
>
We have a team that does the vetting/validation and when the C&Cs
are taken down (or "decommissioned") they are removed from the
feed.
>Is there a notification mechanism so that folks who may not subscribe
>to Trend's service but who are unwittingly hosting a botnet C&C are
>made aware of same?
>
Well, we try to notify the owners of the identified hosts, but it
is not always successful... and sometimes the sheer churn is
prohibitive.
- - ferg
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)
wj8DBQFHpTu1q1pz9mNUZTMRAu+CAJ94j6AgqZgrMQ6b8HoPLyy4zBRcNgCfejWn
dAE2T+i2MtvpAJ2PNJmdTpc=
=N+iF
-----END PGP SIGNATURE-----
--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
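The thread above describes a C&C black-hole feed with three moving parts: routes go out only after vetting, they are withdrawn once the C&C is decommissioned, and the operator tries to notify whoever hosts the address. The following is an added illustration of that lifecycle, not Trend Micro's feed or anything from the NANOG post. It assumes an ExaBGP-style "announce route ... / withdraw route ..." export format, the RFC 7999 BLACKHOLE community 65535:666, a discard next-hop of 192.0.2.1, and a constructed sample address and abuse contact in documentation ranges; the do-not-black-hole list is the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 7999 BLACKHOLE well-known community: peers that honour it drop
# traffic to the tagged prefix.
BLACKHOLE_COMMUNITY = "65535:666"
# Next-hop routed to discard on the peers; an assumption for this example.
DISCARD_NEXT_HOP = "192.0.2.1"
# Address space the feed must never announce, whatever an analyst submits.
# Example's own list; a real feed would also carry the operator's own prefixes.
NEVER_BLACKHOLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


@dataclass
class CncEntry:
    ip: str
    evidence: str                      # why the analyst believes this is a C&C
    owner_contact: Optional[str] = None
    vetted: bool = False               # route is exported only once this is True
    decommissioned: bool = False       # C&C taken down; route withdrawn
    notified: bool = False             # host owner has been told


class BlackholeFeed:
    """Lifecycle of one C&C black-hole feed:
    submit -> vet (announce) -> notify owner -> decommission (withdraw)."""

    def __init__(self) -> None:
        self.entries: Dict[str, CncEntry] = {}
        self.exported: List[str] = []  # every line sent to peers, in order

    def submit(self, ip: str, evidence: str,
               owner_contact: Optional[str] = None) -> CncEntry:
        addr = ipaddress.ip_address(ip)  # ValueError on malformed input
        if any(addr in net for net in NEVER_BLACKHOLE):
            raise ValueError(f"refusing to black-hole {addr}")
        entry = CncEntry(str(addr), evidence, owner_contact)
        self.entries[str(addr)] = entry
        return entry

    def vet(self, ip: str) -> str:
        """Analyst confirms the C&C; only now does the route leave the feed."""
        entry = self.entries[ip]
        entry.vetted = True
        line = (f"announce route {self._prefix(ip)} next-hop {DISCARD_NEXT_HOP} "
                f"community [{BLACKHOLE_COMMUNITY}]")
        self.exported.append(line)
        return line

    def decommission(self, ip: str) -> Optional[str]:
        """C&C taken down: withdraw the route so the address stops being dropped."""
        entry = self.entries[ip]
        entry.decommissioned = True
        if not entry.vetted:             # never announced, nothing to withdraw
            return None
        line = f"withdraw route {self._prefix(ip)} next-hop {DISCARD_NEXT_HOP}"
        self.exported.append(line)
        return line

    def active(self) -> List[str]:
        """Prefixes peers should currently be dropping."""
        return sorted(self._prefix(e.ip) for e in self.entries.values()
                      if e.vetted and not e.decommissioned)

    def pending_notifications(self) -> List[str]:
        """Vetted C&C hosts with a known owner contact who has not yet been told."""
        return sorted(e.ip for e in self.entries.values()
                      if e.vetted and e.owner_contact and not e.notified)

    def mark_notified(self, ip: str) -> None:
        self.entries[ip].notified = True

    @staticmethod
    def _prefix(ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        return f"{addr}/{addr.max_prefixlen}"   # /32 for IPv4, /128 for IPv6


if __name__ == "__main__":
    feed = BlackholeFeed()
    # Constructed sample: a documentation-range address and abuse contact.
    feed.submit("198.51.100.7", "IRC C&C seen by sandbox (constructed)",
                "abuse@example.net")
    print(feed.vet("198.51.100.7"))
    for host in feed.pending_notifications():
        print("notify owner of", host)
        feed.mark_notified(host)
    print(feed.decommission("198.51.100.7"))
    print("active:", feed.active())
```

The point of the deny list and the vetted flag is the failure mode Roland is asking about: a feed that a subscriber imports straight into its routers must never carry an unvetted or internal address, and every announcement needs a matching withdrawal path once the host is cleaned up, otherwise the black-hole outlives the C&C.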