[102262] in North American Network Operators' Group


Re: Blackholes and IXs and Completing the Attack.

daemon@ATHENA.MIT.EDU (Paul Ferguson)
Sat Feb 2 23:01:04 2008

From: "Paul Ferguson" <fergdawg@netzero.net>
Date: Sun, 3 Feb 2008 03:57:48 GMT
To: rdobbins@cisco.com
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- Roland Dobbins <rdobbins@cisco.com> wrote:

>On Feb 3, 2008, at 4:50 AM, Paul Ferguson wrote:
>
>> We (Trend Micro) do something similar to this -- a black-hole BGP
>> feed of known botnet C&Cs, such that the C&C channel is effectively
>> black-holed.
>
>What's the trigger (pardon the pun, heh) and process for removing IPs
>from the blackhole list post-cleanup, in Trend's case?
>

We have a team that does the vetting/validation and when the C&Cs
are taken down (or "decommissioned") they are removed from the
feed.

>Is there a notification mechanism so that folks who may not subscribe
>to Trend's service but who are unwittingly hosting a botnet C&C are
>made aware of same?
>

Well, we try to notify the owners of the identified hosts, but it
is not always successful... and sometimes the sheer churn is
prohibitive.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHpTu1q1pz9mNUZTMRAu+CAJ94j6AgqZgrMQ6b8HoPLyy4zBRcNgCfejWn
dAE2T+i2MtvpAJ2PNJmdTpc=
=N+iF
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
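The lifecycle discussed in this exchange (vet a reported C&C, announce it into a black-hole feed, withdraw it once the C&C is decommissioned, and try to notify the unwitting host's owner) can be sketched as a small state machine. The following is an added example and is not Trend Micro's feed or anything from the NANOG thread; it assumes an ExaBGP-style text command format for announce/withdraw, the RFC 7999 BLACKHOLE community 65535:666, and a constructed list of "protected" networks that the feed must never black-hole. All addresses are constructed documentation-range samples.

```python
"""Model of a botnet C&C black-hole BGP feed lifecycle (added example).

Assumptions (not from the original message): ExaBGP-style
"announce route ..." / "withdraw route ..." commands, the RFC 7999
BLACKHOLE community 65535:666, and constructed sample addresses.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community (assumed honoured by the peer)
NEXT_HOP = "192.0.2.1"             # constructed: a next-hop the subscriber routes to discard


class State(Enum):
    PENDING = "pending"                # reported, awaiting the vetting team
    ACTIVE = "active"                  # vetted and announced in the feed
    DECOMMISSIONED = "decommissioned"  # C&C taken down; withdrawn from the feed


@dataclass
class Entry:
    prefix: str
    state: State = State.PENDING
    notify_attempts: int = 0
    notified: bool = False


class BlackholeFeed:
    def __init__(self, protected):
        # Networks that must never be black-holed (own infrastructure, RFC 1918, ...).
        self.protected = [ipaddress.ip_network(p) for p in protected]
        self.entries = {}
        self.commands = []  # ExaBGP-style commands that would be handed to the speaker

    def report(self, ip):
        """Register a reported C&C as a host route; refuse protected space."""
        net = ipaddress.ip_network(ip, strict=False)
        if net.prefixlen != net.max_prefixlen:
            raise ValueError("only host routes are black-holed: %s" % net)
        if any(net.network_address in p for p in self.protected):
            raise ValueError("refusing to black-hole protected prefix %s" % net)
        key = str(net)
        self.entries.setdefault(key, Entry(prefix=key))
        return key

    def vet(self, key, confirmed):
        """Vetting decision: confirmed entries are announced, rejected ones dropped."""
        entry = self.entries[key]
        if entry.state is not State.PENDING:
            return False
        if not confirmed:
            del self.entries[key]
            return False
        entry.state = State.ACTIVE
        self.commands.append(
            "announce route %s next-hop %s community [%s]" % (key, NEXT_HOP, BLACKHOLE_COMMUNITY))
        return True

    def decommission(self, key):
        """Trigger for removal: the C&C is taken down, so withdraw the route (idempotent)."""
        entry = self.entries[key]
        if entry.state is not State.ACTIVE:
            return False
        entry.state = State.DECOMMISSIONED
        self.commands.append("withdraw route %s next-hop %s" % (key, NEXT_HOP))
        return True

    def notify_owner(self, key, send):
        """Best-effort owner notification; `send` is a callable returning True on success."""
        entry = self.entries[key]
        entry.notify_attempts += 1
        if send(key):
            entry.notified = True
        return entry.notified

    def active_prefixes(self):
        return sorted(k for k, e in self.entries.items() if e.state is State.ACTIVE)


def run_demo():
    """Constructed walk-through of the lifecycle; returns the feed for inspection."""
    feed = BlackholeFeed(protected=["198.51.100.0/24", "10.0.0.0/8"])
    a = feed.report("192.0.2.10")   # constructed C&C sample
    b = feed.report("192.0.2.20")   # constructed C&C sample
    c = feed.report("203.0.113.5")  # constructed false positive
    feed.vet(a, confirmed=True)
    feed.vet(b, confirmed=True)
    feed.vet(c, confirmed=False)    # rejected by vetting: never announced
    feed.notify_owner(a, lambda p: True)   # stand-in for an abuse contact that responds
    feed.notify_owner(b, lambda p: False)  # unreachable owner
    feed.decommission(b)            # C&C taken down: withdraw it from the feed
    try:
        feed.report("198.51.100.7")  # inside protected space: must be refused
    except ValueError:
        pass
    return feed


if __name__ == "__main__":
    demo = run_demo()
    print("\n".join(demo.commands))
    print("active:", demo.active_prefixes())
```

The two points a subscriber would want to check are that a withdraw is emitted for every decommissioned entry (so stale black-holes do not linger after cleanup) and that the protected list is consulted before anything is announced.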

