The NIST has proposed a framework for operators to notify botnet victims. The call for comments and the article discussing it are described here:

https://www.infosecisland.com/blogview/17021-Government-Proposes-ISPs-Notify-Victims-of-Botnets.html#.TotXA6C-16Q.twitter

"Comments on the proposed Code of Conduct and botnet reporting initiative are due on or before 5 p.m. EDT, November 4, 2011. Written comments on the proposal may be submitted by mail to the National Institute of Standards and Technology at the U.S. Department of Commerce, 1401 Constitution Avenue, NW., Room 4822, Washington, DC 20230. Submissions may be in any of the following formats: HTML, ASCII, Word, rtf, or pdf. Online comment submissions in electronic form may be sent to Consumer_Notice_RFI@nist.gov. Paper submissions should include a compact disc (CD). CDs should be labeled with the name and organizational affiliation of the filer and the name of the word processing program used to create the document. Comments will be posted at http://www.nist.gov/itl/. A list of questions is included in the Request for Information, and can be accessed at the source link below:

Source: http://www.federalregister.gov/articles/2011/09/21/2011-24180/models-to-advance-voluntary-corporate-notification-to-consumers-regarding-the-illicit-use-of#p-3 "

IMHO this would go a long way to addressing the underlying root cause (botted machines).

Regards,
Zachary

On 12/14/10 5:34 PM, "Joel Jaeggli" <joelja@bogus.com> wrote:
On 12/8/10 6:30 AM, Drew Weaver wrote:
Yes, but this obviously completes the 'DDoS attack' and sends the signal that the bully will win.
It's part of a valid mitigation strategy. Shifting the target out from underneath the blackholed address is also part of the activity. That's easier in some cases than others. The bots will move and you play whack-a-rat with your upstreams.
joel
-Drew
From: alvaro.sanchez@adinet.com.uy [mailto:alvaro.sanchez@adinet.com.uy]
Sent: Wednesday, December 08, 2010 8:46 AM
To: rdobbins@arbor.net; North American Operators' Group
Subject: Re: Over a decade of DDOS--any progress yet?
A very common action is to blackhole DDoS traffic upstream by sending a BGP route to the next AS with a pre-established community indicating the traffic must be sent to Null0. The route may be very specific, in order to impact as little as possible. This needs previous coordination between providers. Regards.
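As an added example (not posted by anyone in this thread), the customer/upstream blackhole arrangement Alvaro describes, written in Cisco IOS syntax with documentation addresses and ASNs. The blackhole community 64496:666, the discard address 192.0.2.1, the customer block 203.0.113.0/24 and the peering addresses are assumptions agreed between the two providers in advance.

```cisco
! ---- Customer side (AS 64500): ask the upstream to discard traffic to one host ----
! The victim /32 goes into a static route tagged 666; redistribution turns that tag
! into the pre-agreed blackhole community before the route leaves the AS.
ip bgp-community new-format
!
ip route 203.0.113.10 255.255.255.255 Null0 tag 666
!
route-map RTBH-OUT permit 10
 match tag 666
 set community 64496:666
 set origin igp
!
router bgp 64500
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 send-community
 redistribute static route-map RTBH-OUT
!
! ---- Upstream side (AS 64496): honour the community only for the customer's own space ----
! A prefix from 203.0.113.0/24 (down to /32) carrying 64496:666 gets its next hop
! rewritten to a discard address that is statically routed to Null0, so the traffic is
! dropped at the upstream edge instead of saturating the customer link. no-export keeps
! the /32 inside this AS; pushing it further upstream needs its own coordination.
! /32s that do NOT carry the community are rejected by the second clause.
ip bgp-community new-format
ip community-list standard RTBH-COMM permit 64496:666
ip prefix-list CUST-64500-BH seq 10 permit 203.0.113.0/24 le 32
ip prefix-list CUST-64500-NET seq 10 permit 203.0.113.0/24
!
ip route 192.0.2.1 255.255.255.255 Null0
!
route-map RTBH-IN permit 10
 match ip address prefix-list CUST-64500-BH
 match community RTBH-COMM
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export
!
route-map RTBH-IN permit 20
 match ip address prefix-list CUST-64500-NET
!
router bgp 64496
 neighbor 198.51.100.2 remote-as 64500
 neighbor 198.51.100.2 route-map RTBH-IN in
```

Verify on the upstream with `show ip bgp 203.0.113.10/32` (next hop should be 192.0.2.1), and withdraw the blackhole by removing the customer's tagged static route. As Drew notes above, the blackholed host is unreachable for everyone while the route is in place, which is why the prefix is kept as narrow as a single /32.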