We need a cost effective and performant way of blocking botnet traffic in SP networks. Fact is the only way to enforce network policy is from within the network. Laws, putting the onus on users, notifying infected users, etc. will never work. We can't expect to solve them all, but at least make it more difficult by a large margin to run these things. For example blacklisting domains where spam is coming from doesn't stop the problem, but it does help in a big way. Over 800k domains, but I bet they were not using nearly that many IPs. It would be nice to take info from various honeypots about CNC servers and just blackhole those IPs in one way or another very quickly. I don't want to suggest a method of doing this, just as an idea to play around with.

-----Original Message-----
From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Scott Weeks
Sent: Thursday, December 1, 2016 1:45 PM
To: nanog@nanog.org
Subject: Re: Avalanche botnet takedown

--- rfg@tristatelogic.com wrote:
From: "Ronald F. Guilmette" <rfg@tristatelogic.com>

The Internet, viewed as an organism, quite clearly has, at present, numerous autoimmune diseases. It is attacking itself. And its immune system, such as it is, clearly ain't working.

There's going to come a day of reckoning when it will no longer be possible to paper over this sad and self-evident fact. (And no, I'm *not* talking about the fabled "Digital Pearl Harbor". I'm talking instead about the Internet equivalent of the meteor that wiped out the dinosaurs.)
---------------------------------------------------

What is your suggestion to keep the sky from falling?

scott
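The top message in this thread sketches an idea: collect C2 indicators from honeypots and sinkholes, collapse the (many) domains down to the (far fewer) IPs behind them, and blackhole those quickly. The script below is an added illustration of that pipeline and is not code from anyone on the thread. It works on a constructed, entirely made-up feed (RFC 5737 documentation addresses, invented `.example` domains and invented source names) and an invented operator do-not-block list; the only real identifier in it is the RFC 7999 BLACKHOLE community 65535:666. The output line format is a vendor-neutral pseudo-config, not any router's real syntax. It shows the checks an operator would want before automating this: deduplicating across feeds, requiring corroboration from more than one source, and refusing to blackhole non-routable or explicitly exempted address space.

```python
import ipaddress

# Constructed sample feed (all values invented for illustration). Domains
# carry the IPs they hypothetically resolved to at collection time.
SAMPLE_FEED = [
    {"type": "ip", "value": "198.51.100.23", "source": "honeypot-a"},
    {"type": "ip", "value": "198.51.100.23", "source": "honeypot-b"},  # same IP, second feed
    {"type": "domain", "value": "c2-one.example",
     "resolved": ["203.0.113.7", "203.0.113.8"], "source": "sinkhole"},
    {"type": "domain", "value": "c2-two.example",
     "resolved": ["203.0.113.7"], "source": "sinkhole"},  # many domains, one IP
    {"type": "ip", "value": "10.0.0.5", "source": "honeypot-a"},  # RFC 1918, never export
    {"type": "ip", "value": "192.0.2.250", "source": "honeypot-b"},  # on do-not-block list
    {"type": "ip", "value": "not-an-ip", "source": "honeypot-c"},  # malformed entry
]

# Hypothetical operator exceptions: own prefixes, shared hosting, CDN ranges.
DO_NOT_BLOCK = [ipaddress.ip_network("192.0.2.0/24")]

# Address space that must never be blackholed from a feed. Listed explicitly
# rather than via ipaddress.is_global because the constructed samples use
# RFC 5737 documentation ranges, which is_global would also reject.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community


def extract_addresses(feed):
    """Map each parseable IPv4 address in the feed to the set of sources reporting it."""
    seen = {}
    for item in feed:
        values = [item["value"]] if item["type"] == "ip" else item.get("resolved", [])
        for v in values:
            try:
                addr = ipaddress.IPv4Address(v)
            except ValueError:
                continue  # skip malformed indicators instead of failing the whole run
            seen.setdefault(addr, set()).add(item["source"])
    return seen


def select_blackhole_targets(feed, do_not_block=DO_NOT_BLOCK, min_sources=1):
    """Return (targets, rejected): dotted-quad strings to blackhole, and
    (address, reason) pairs that were filtered out for audit purposes."""
    targets, rejected = [], []
    for addr, sources in sorted(extract_addresses(feed).items()):
        if any(addr in net for net in NON_ROUTABLE):
            rejected.append((str(addr), "not globally routable"))
        elif any(addr in net for net in do_not_block):
            rejected.append((str(addr), "on do-not-block list"))
        elif len(sources) < min_sources:
            rejected.append((str(addr), "too few sources"))
        else:
            targets.append(str(addr))
    return targets, rejected


def render_rtbh_routes(targets):
    """Emit one /32 discard route per target tagged with the BLACKHOLE community.
    Pseudo-config only; map it to the real syntax of the platform in use."""
    return [f"route {ip}/32 next-hop discard community {BLACKHOLE_COMMUNITY}"
            for ip in targets]


if __name__ == "__main__":
    targets, rejected = select_blackhole_targets(SAMPLE_FEED, min_sources=2)
    for line in render_rtbh_routes(targets):
        print(line)
    for addr, reason in rejected:
        print(f"# skipped {addr}: {reason}")
```

Raising `min_sources` is the knob that trades speed for safety: with a single feed the script blackholes everything it is told to, which is exactly the failure mode (one poisoned feed takes down a shared host) that makes operators reluctant to automate this; requiring corroboration keeps the "very quickly" goal for indicators several honeypots agree on.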