RE: Botnet hunting resources (was: Re: DOS in progress ?)

["Tomas L. Byrnes" <tomb () byrneit net>]

> Why do you think this might be?  Fear of (extralegal) retaliation by
> botnet owners?  or fear of getting sued by listed network owners? 
[TLB:] No more than any anti-spam RBL
  or
> is
> the idea (shunning packets from ISPs that host botnets)  fundamentally
> unsound?
[TLB:] That's an ongoing raging debate. Some say, since enumerating
badness cant' protect you against all threats, that you shouldn't' do it
at all. My take is, if you can filter the worst actors early and fast,
based on IP address, that gives you deeper packet devices more capacity,
and saves you network bandwidth. It's been my experience that IP level
blocking is a best practice as the second step (the first being
selective availability of any service to only those it NEEDS to be,
which in the case of many network operators is everywhere and everyone,
and therefore a useless filter for a network operator) in a layered
defense.

> If someone sufficiently trustworthy produced a BGP feed of networks
that
> were unresponsive to abuse complaints, do you think other networks
would
> use
> it to block traffic?  I mean, ultimately I think that having several
> providers of such feeds with differing levels of aggression would be
the
> best
> case, but someone has got to go first.
[TLB:] <shameless plug>
That's what ThreatSTOP is for.
We use DNS, not BGP, because there are far more traffic management
devices (think Subscriber firewalls) that can use it, and because AT&T
has a patent on using BGP for block lists.
</shameless plug>