nanog mailing list archives

Re: Blackholes and IXs and Completing the Attack.


From: "Paul Ferguson" <fergdawg () netzero net>
Date: Sun, 3 Feb 2008 03:57:48 GMT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- Roland Dobbins <rdobbins () cisco com> wrote:

> On Feb 3, 2008, at 4:50 AM, Paul Ferguson wrote:
>
>> We (Trend Micro) do something similar to this -- a black-hole BGP
>> feed of known botnet C&Cs, such that the C&C channel is effectively
>> black-holed.
>
> What's the trigger (pardon the pun, heh) and process for removing IPs
> from the blackhole list post-cleanup, in Trend's case?

We have a team that does the vetting/validation and when the C&Cs
are taken down (or "decommissioned") they are removed from the
feed.

> Is there a notification mechanism so that folks who may not subscribe
> to Trend's service but who are unwittingly hosting a botnet C&C are
> made aware of same?

Well, we try to notify the owners of the identified hosts, but it
is not always successful... and sometimes the sheer churn is
prohibitive.

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHpTu1q1pz9mNUZTMRAu+CAJ94j6AgqZgrMQ6b8HoPLyy4zBRcNgCfejWn
dAE2T+i2MtvpAJ2PNJmdTpc=
=N+iF
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
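The exchange above describes the lifecycle of a C&C black-hole BGP feed: an address is vetted before it is announced, and it is removed from the feed once the C&C is decommissioned. The following is an added example that models that lifecycle; it is not Trend Micro's system or anything from the NANOG thread. Its assumptions are labelled in the code: host routes (/32) for vetted C&C addresses are announced tagged with the RFC 7999 BLACKHOLE community (65535:666), a withdrawal is emitted when an entry is decommissioned, and entries also age out if they are not re-submitted within a configurable window (the age-out is a design choice added here, not something the thread states). The sample addresses are RFC 5737 documentation addresses, not real C&Cs.

```python
"""Lifecycle model for a C&C black-hole feed:
submit -> vet -> announce -> decommission -> withdraw.

Added example, not Trend Micro's or NANOG's code. Assumptions (constructed):
/32 host routes for vetted C&C addresses are announced with the RFC 7999
BLACKHOLE community; the feed must withdraw a route when its C&C is
decommissioned or when an entry ages out without re-validation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999 BLACKHOLE well-known community


@dataclass
class Entry:
    prefix: ipaddress.IPv4Network
    submitted: datetime
    vetted: bool = False          # validation team has confirmed the C&C
    decommissioned: bool = False  # C&C taken down; route must be withdrawn


class BlackholeFeed:
    def __init__(self, max_age: timedelta):
        self.max_age = max_age               # re-validation window (assumption)
        self.entries: dict[str, Entry] = {}
        self.announced: set[str] = set()     # prefixes currently in the feed

    @staticmethod
    def _host_prefix(host: str) -> ipaddress.IPv4Network:
        """Accept only IPv4 /32 host routes: a wider prefix would black-hole
        unrelated hosts sharing the C&C's netblock."""
        net = ipaddress.ip_network(host, strict=True)
        if net.version != 4 or net.prefixlen != 32:
            raise ValueError(f"only IPv4 /32 host routes are accepted: {host}")
        a = net.network_address
        if a.is_loopback or a.is_multicast or a.is_link_local or a.is_unspecified:
            raise ValueError(f"refusing to black-hole special-purpose address {host}")
        return net

    def submit(self, host: str, now: datetime) -> None:
        net = self._host_prefix(host)
        self.entries[str(net)] = Entry(prefix=net, submitted=now)

    def vet(self, host: str) -> None:
        self.entries[str(self._host_prefix(host))].vetted = True

    def decommission(self, host: str) -> None:
        self.entries[str(self._host_prefix(host))].decommissioned = True

    def desired(self, now: datetime) -> set[str]:
        """Prefixes that should be in the feed right now."""
        return {
            key for key, e in self.entries.items()
            if e.vetted and not e.decommissioned
            and now - e.submitted <= self.max_age
        }

    def reconcile(self, now: datetime) -> list[tuple[str, str, str]]:
        """Diff the desired state against what is announced and return the
        BGP actions to emit as (action, prefix, community), announces first,
        each group sorted. Decommissioned entries are dropped once withdrawn."""
        want = self.desired(now)
        actions = [("announce", p, BLACKHOLE_COMMUNITY) for p in sorted(want - self.announced)]
        actions += [("withdraw", p, BLACKHOLE_COMMUNITY) for p in sorted(self.announced - want)]
        self.announced = want
        for key in [k for k, e in self.entries.items() if e.decommissioned and k not in want]:
            del self.entries[key]
        return actions


def is_acceptable_host(host: str) -> bool:
    """True if the feed would accept `host` as a black-hole target."""
    try:
        BlackholeFeed._host_prefix(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed walk-through with RFC 5737 documentation addresses.
    t0 = datetime(2008, 2, 3, tzinfo=timezone.utc)
    feed = BlackholeFeed(max_age=timedelta(days=30))
    feed.submit("198.51.100.23", t0)
    print("unvetted:", feed.reconcile(t0))          # nothing announced yet
    feed.vet("198.51.100.23")
    print("vetted:", feed.reconcile(t0))            # announce with BLACKHOLE
    feed.decommission("198.51.100.23")
    print("decommissioned:", feed.reconcile(t0))    # withdraw
    print("accepts /24?", is_acceptable_host("198.51.100.0/24"))
```

The point the thread raises, removal after cleanup, is the `reconcile` step: a feed that only emits announcements leaves subscribers black-holing an address long after the C&C is gone, so withdrawals (and, here, age-out of stale entries) are as much part of the feed as the additions.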
