On Wed, 3 Jan 2007, Andy Davidson wrote:
> From a 'problem solving' perspective, a Team Cymru-style bgp peer that injected very specific routes into their routing table, and matching configuration which caused those particular routes to be dropped, would be ideal. Additions and deletions would be as close to real-time as possible.
>
> From a political perspective, I could only advocate to clients such a service that had a strict policy of adding routes to addresses because of a provable policy infringement. For example, a route for 1.2.3.4/32 would only be announced by my bgp-blacklist peer if it could be demonstrated that a device reachable at 1.2.3.4 was an open http proxy (or socks proxy, or smtp relay)... and not because a phishing site was hosted there. Different priorities for different networks, I guess.
disclaimer: I do development work for the company I'm about to endorse. I endorsed this product before, when I was a client. I've since left my previous position and gone to work on it. This is one of the very few posts I'll ever make that's in any way representative of an employer.

Mainnerve's Darknet product is exactly that: a managed blacklist of malicious/hacked sites. Currently, phishing sites and open proxies don't make it into the blacklist, but drone network C&Cs do. Darknet is intended to intercept traffic leaving your network to known C&Cs. Currently, this involves a device deployed to your network that hosts a BGP peer to your network to supply the blackhole routes, redirecting the C&C traffic to the darknet device for packet analysis.

I'm currently working on a newer implementation that involves just a BGP peering session and a GRE tunnel, to eliminate the hardware deployment and simplify the whole process, so it functions very much like the bogon filter.

- billn
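Added illustration, not from either poster or from Mainnerve: a Cisco IOS-style edge configuration for accepting the kind of blacklist BGP feed both messages describe, with the guard rails a defender would want before trusting a third party's route injections (only /32s accepted, the network's own space refused, a prefix cap, nothing announced back, routes kept inside the AS). The next-hop is either discarded via Null0 (the "dropped routes" model) or pointed into a GRE tunnel (the redirect-for-analysis model). All ASNs, addresses and names are constructed placeholders.

```cisco
! --- Sink for the null-route model: anything next-hopped here is dropped
ip route 192.0.2.1 255.255.255.255 Null0
!
! --- Alternative: GRE tunnel to the analysis box (redirect model)
interface Tunnel0
 description redirect of blacklisted destinations to analysis device
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 203.0.113.20
!
! Accept only host routes from the feed; never let it cover our own space
ip prefix-list FEED-HOSTS seq 5 permit 0.0.0.0/0 ge 32
ip prefix-list OUR-SPACE  seq 5 permit 198.51.100.0/24 le 32
ip prefix-list DENY-ALL   seq 5 deny 0.0.0.0/0 le 32
!
route-map FROM-BLACKLIST-FEED deny 10
 description refuse any route that overlaps our own addresses
 match ip address prefix-list OUR-SPACE
route-map FROM-BLACKLIST-FEED permit 20
 match ip address prefix-list FEED-HOSTS
 set local-preference 200
 set community no-export additive
 ! choose ONE of the two next-hops below
 set ip next-hop 192.0.2.1
 ! set ip next-hop 10.255.0.2
!
router bgp 64496
 neighbor 203.0.113.10 remote-as 64497
 neighbor 203.0.113.10 description managed blacklist feed (constructed)
 neighbor 203.0.113.10 ebgp-multihop 255
 neighbor 203.0.113.10 password FEED-SHARED-SECRET-PLACEHOLDER
 neighbor 203.0.113.10 maximum-prefix 5000 restart 5
 neighbor 203.0.113.10 route-map FROM-BLACKLIST-FEED in
 neighbor 203.0.113.10 prefix-list DENY-ALL out
```

The no-export community and the inbound-only filtering keep a feed error or a compromised feed from propagating beyond this AS; maximum-prefix tears the session down rather than accepting a flood of routes.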