> Hello Joe,
>
> If we can't power down the machine due to evidence loss, and we can't nullroute the IP (as stated, some malware will delete itself or alter itself when net access is lost), can we filter a single port, in the case of spam, phishing, etc.?
You can do whatever you need to, of course. The right thing to do is not always immediately apparent. Some time looking at the traffic on a mirror port (etc.) can provide useful clues about how to proceed to an experienced professional.

Unfortunately, my experience suggests that handling incidents on the "datacenter" side is a somewhat different skill set than handling the sorts of incidents that are commonly found on consumer Internet connections. The relative value of an infected machine approaches zero, while the value of a controlling system is fairly high, which implies that more effort may have been put into active defenses, which in turn implies other things.

The "Geek Squad" or other "Nerds On Wheels" services are probably not going to be able to effectively clean off an impacted server, much less determine useful and clever ways to analyze what is going on, which is where it pays to have someone with contacts into the security community.

Alas, I believe that all of this basic stuff should be immediately obvious and familiar to those in the hosting community, which leads me to other questions that are more along the lines of what others have been asking in this thread, and probably not relevant to NANOG.

In the event that you are what you claim to be, rather than what many believe you to be based on past history and appearances, you would be well advised to make some contacts within the security community, and be prepared to acquire some expensive advice the next time you have an incident. You would need more help than you're going to be able to get on NANOG. And if you're what many people seem to think, well, tough.

... JG

-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
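The two points raised in this exchange, "can we filter a single port instead of nullrouting" and "time on a mirror port gives clues about how to proceed", can be tied together with a small triage step. The following is an added example, not code from either poster: it parses the text form of a `tcpdump -nn` capture taken on a mirror port, tallies the new outbound connections the suspect host opens per destination port, and picks the one port whose fan-out (many distinct peers) looks like bulk spam or phishing delivery. That port can be filtered as a holding action while the low-volume, single-peer sessions stay up and stay visible, so the box is not cut off from the network the way a nullroute would. The capture text, the suspect host `192.0.2.10`, and the peer addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: what a couple of seconds of "tcpdump -nn" on a mirror port
# watching the suspect host 192.0.2.10 might look like. Not a real capture.
SAMPLE_CAPTURE = """\
10:14:01.000100 IP 192.0.2.10.40001 > 198.51.100.5.25: Flags [S], seq 1, win 65535, length 0
10:14:01.000900 IP 192.0.2.10.40002 > 198.51.100.6.25: Flags [S], seq 1, win 65535, length 0
10:14:01.002300 IP 192.0.2.10.40003 > 203.0.113.77.25: Flags [S], seq 1, win 65535, length 0
10:14:01.003100 IP 192.0.2.10.40004 > 203.0.113.78.25: Flags [S], seq 1, win 65535, length 0
10:14:01.004000 IP 192.0.2.10.40005 > 198.51.100.9.25: Flags [S], seq 1, win 65535, length 0
10:14:01.010000 IP 192.0.2.10.40006 > 203.0.113.200.6667: Flags [S], seq 1, win 65535, length 0
10:14:01.020000 IP 203.0.113.200.6667 > 192.0.2.10.40006: Flags [S.], seq 7, ack 2, win 65535, length 0
10:14:01.030000 IP 192.0.2.10.40006 > 203.0.113.200.6667: Flags [P.], seq 2:40, ack 8, win 65535, length 38
10:14:02.000000 IP 198.51.100.5.25 > 192.0.2.10.40001: Flags [S.], seq 9, ack 2, win 65535, length 0
10:14:02.500000 IP 192.0.2.10.40007 > 198.51.100.40.80: Flags [S], seq 1, win 65535, length 0
"""

# One tcpdump -nn TCP line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def outbound_syns(capture, host):
    """Yield (dst_ip, dst_port) for every new TCP connection `host` initiates.

    Only bare SYNs (Flags [S]) count: SYN/ACKs and data segments belong to
    sessions already tallied, and inbound traffic is the other side's doing.
    """
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != host or m["flags"] != "S":
            continue
        yield m["dst"], int(m["dport"])


def summarize_by_port(capture, host):
    """Per destination port: how many connections were opened and to how many distinct peers."""
    conns = defaultdict(int)
    peers = defaultdict(set)
    for dst, dport in outbound_syns(capture, host):
        conns[dport] += 1
        peers[dport].add(dst)
    return {p: {"connections": conns[p], "distinct_peers": len(peers[p])} for p in conns}


def suggest_single_port_filter(summary, min_peers=3):
    """Choose the one outbound port to block.

    Bulk spam/phishing delivery fans out to many distinct peers on one port, so
    the port with the highest distinct-peer count (ties broken by connection
    count) is the candidate. Low-fan-out sessions are left alone on purpose:
    they are what the mirror port should keep showing you. Returns None when no
    port reaches the fan-out threshold.
    """
    candidates = [
        (v["distinct_peers"], v["connections"], port)
        for port, v in summary.items()
        if v["distinct_peers"] >= min_peers
    ]
    if not candidates:
        return None
    return max(candidates)[2]


def remaining_ports(summary, blocked):
    """Ports the host will still be talking on after the single-port filter is in place."""
    return sorted(p for p in summary if p != blocked)


if __name__ == "__main__":
    summary = summarize_by_port(SAMPLE_CAPTURE, "192.0.2.10")
    for port, stats in sorted(summary.items()):
        print(f"dport {port:>5}: {stats['connections']} new connections, "
              f"{stats['distinct_peers']} distinct peers")
    port = suggest_single_port_filter(summary)
    print(f"filter outbound tcp/{port}; still observable on {remaining_ports(summary, port)}")
```

In the constructed capture the host opens five connections to five different peers on tcp/25 and one connection each on tcp/80 and tcp/6667, so the script proposes blocking outbound tcp/25 and leaves the two single-peer sessions untouched. A real triage run would feed it a longer window of `tcpdump -nn` output, and the threshold `min_peers` should be set against what the host normally does, so a legitimate mail relay is not mistaken for a spam source.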