North American Network Operators Group


Re: Blackholes and IXs and Completing the Attack.

  • From: Roland Dobbins
  • Date: Sat Feb 02 21:03:42 2008

On Feb 3, 2008, at 4:50 AM, Paul Ferguson wrote:

> We (Trend Micro) do something similar to this -- a black-hole BGP
> feed of known botnet C&Cs, such that the C&C channel is effectively
> black-holed.

What's the trigger (pardon the pun, heh) and process for removing IPs from the blackhole list post-cleanup, in Trend's case?

Is there a notification mechanism so that folks who may not subscribe to Trend's service but who are unwittingly hosting a botnet C&C are made aware of same?

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@xxxxxxxxx> // 408.527.6376 voice

Culture eats strategy for breakfast.

-- Ford Motor Company
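The feed Paul describes, and the two questions Roland raises about it (what withdraws an entry after cleanup, and how an unwitting C&C host gets told), sketched below as an added example in Python. This is not Trend Micro's feed or any code from this thread. Assumptions: subscribers act on the RFC 7999 BLACKHOLE community 65535:666; an entry is withdrawn when the host's owner confirms cleanup or when it has not been re-sighted within a seven-day MAX_AGE; the abuse-contact table and the RFC 5737 TEST-NET addresses are constructed sample data standing in for a whois/RDAP lookup.

```python
"""Toy model of a BGP blackhole feed of botnet C&C hosts with a removal and
notification lifecycle.  Added example, not Trend Micro's feed or any code
from this thread.  Assumed: RFC 7999 BLACKHOLE community, a MAX_AGE age-out,
and a constructed ABUSE_CONTACTS table in place of a whois/RDAP lookup."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Network, ip_network

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community
MAX_AGE = timedelta(days=7)        # assumed age-out for hosts not re-sighted

# Constructed contacts for RFC 5737 TEST-NET blocks; 203.0.113.0/24 is left
# out deliberately so the "no known contact" path is exercised.
ABUSE_CONTACTS = {
    ip_network("192.0.2.0/24"): "abuse@example.net",
    ip_network("198.51.100.0/24"): "abuse@example.org",
}

@dataclass
class Entry:
    prefix: IPv4Network
    last_seen: datetime
    cleanup_confirmed: bool = False

def abuse_contact_for(prefix: IPv4Network) -> str | None:
    """Contact for the block containing prefix, or None if we have none."""
    return next((c for b, c in ABUSE_CONTACTS.items() if prefix.subnet_of(b)), None)

class BlackholeFeed:
    def __init__(self) -> None:
        self.entries = {}      # IPv4Network -> Entry
        self.notified = set()  # prefixes whose abuse contact has been told

    def sighting(self, addr: str, when: datetime) -> None:
        """Add a /32 for a newly seen C&C or refresh last_seen; a host
        re-sighted after a cleanup claim stays blackholed."""
        prefix = ip_network(f"{addr}/32")
        entry = self.entries.get(prefix)
        if entry is None:
            self.entries[prefix] = Entry(prefix, when)
        else:
            entry.last_seen = max(entry.last_seen, when)
            entry.cleanup_confirmed = False

    def confirm_cleanup(self, addr: str) -> bool:
        """Owner reports the host cleaned; False if it is not in the feed."""
        entry = self.entries.get(ip_network(f"{addr}/32"))
        if entry is None:
            return False
        entry.cleanup_confirmed = True
        return True

    def expire(self, now: datetime) -> list[str]:
        """Withdraw confirmed-clean or aged-out hosts; return their prefixes."""
        withdrawn = []
        for prefix, entry in list(self.entries.items()):
            if entry.cleanup_confirmed or now - entry.last_seen > MAX_AGE:
                withdrawn.append(str(prefix))
                del self.entries[prefix]
                self.notified.discard(prefix)
        return sorted(withdrawn)

    def announcements(self) -> list[tuple[str, str]]:
        """What a subscriber receives: (prefix, community) per blackholed host."""
        return sorted((str(p), BLACKHOLE_COMMUNITY) for p in self.entries)

    def pending_notifications(self) -> tuple[list[tuple[str, str]], list[str]]:
        """(contact, message) per newly blackholed host with a known contact,
        marking it notified; hosts with no contact are listed for manual
        follow-up and stay pending."""
        notices, unknown = [], []
        for prefix in sorted(self.entries):
            if prefix in self.notified:
                continue
            contact = abuse_contact_for(prefix)
            if contact is None:
                unknown.append(str(prefix))
                continue
            notices.append((contact, f"{prefix} blackholed as botnet C&C "
                                     f"(community {BLACKHOLE_COMMUNITY}); "
                                     "confirm cleanup to have it withdrawn"))
            self.notified.add(prefix)
        return notices, unknown

def demo() -> dict:
    """Walk one feed through sighting, notification, cleanup and age-out."""
    t0 = datetime(2008, 2, 3, tzinfo=timezone.utc)
    feed = BlackholeFeed()
    for addr in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        feed.sighting(addr, t0)
    out = {"announced": feed.announcements()}
    notices, out["no_contact"] = feed.pending_notifications()
    out["notified"] = [contact for contact, _ in notices]
    feed.confirm_cleanup("192.0.2.10")                    # reported clean
    out["withdrawn_day1"] = feed.expire(t0 + timedelta(days=1))
    feed.confirm_cleanup("203.0.113.5")                   # claimed clean...
    feed.sighting("203.0.113.5", t0 + timedelta(days=5))  # ...but seen again
    out["withdrawn_day9"] = feed.expire(t0 + timedelta(days=9))
    out["remaining"] = feed.announcements()
    return out
```

Running `demo()` shows the two lifecycle rules at work: the host whose owner confirms cleanup is withdrawn at the next expiry pass, while a host that is "cleaned" but seen talking C&C again five days later stays announced and the one that simply goes quiet ages out. Hosts in blocks with no known abuse contact are surfaced separately rather than silently dropped, which is the case Roland's second question is about.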