RE: Blackholes and IXs and Completing the Attack.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"Ben Butler" <ben.butler@c2internet.net> wrote:

The effect of this would be that any botnet-controlled hosts in the other member network would now be able to drop any attack traffic in their network on destination at their customer aggregation routers.

I think you might have thought I was suggesting we blackhole sources in other people's networks - this is definitely not what I was saying.

So, given we all now understand each other - why is no one doing the above?

We (Trend Micro) do something similar to this -- a black-hole BGP feed of known botnet C&Cs, such that the C&C channel is effectively black-holed. At least that way, people can deal with cleaning up the end-systems in their own way, at their own pace, while the amount of malicious activity is effectively "crippled".

- ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFHpOWyq1pz9mNUZTMRAhtLAJwLNH9Ie+mE0106NlY6Qdy43uag1gCgv7wq
le4yfSlaa2kUHtchC2X+bbQ=
=4P1g
-----END PGP SIGNATURE-----

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
On Feb 3, 2008, at 4:50 AM, Paul Ferguson wrote:
We (Trend Micro) do something similar to this -- a black-hole BGP feed of known botnet C&Cs, such that the C&C channel is effectively black-holed.
What's the trigger (pardon the pun, heh) and process for removing IPs from the blackhole list post-cleanup, in Trend's case? Is there a notification mechanism so that folks who may not subscribe to Trend's service but who are unwittingly hosting a botnet C&C are made aware of same?

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

Culture eats strategy for breakfast.

-- Ford Motor Company
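Editor's added example, not Trend Micro's code and not anything posted by Paul or Roland: a minimal destination-based C&C black-hole feed of the kind Paul describes, with the de-listing mechanics Roland asks about built in. Everything operational here is an assumption rather than a fact from the thread: the feed is pushed to a BGP speaker that accepts ExaBGP-style text commands (`announce route ...` / `withdraw route ...`), routes carry the RFC 7999 BLACKHOLE community 65535:666 plus NO_EXPORT, next-hop 192.0.2.1 is presumed to be statically routed to Null0 on every receiving router, and an entry is withdrawn automatically when its source stops re-confirming it within a TTL or when an operator explicitly de-lists it after clean-up. Sample C&C addresses are constructed from documentation space (TEST-NET-3, 2001:db8::/32). Only host routes are accepted, and RFC 1918 / bogon space and an operator-supplied protected list are refused, because the classic failure mode of a black-hole feed is a bad upstream entry taking out a whole network.

```python
"""Destination-based BGP black-hole feed for botnet C&C hosts (illustrative)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community
DISCARD_NEXT_HOP = "192.0.2.1"     # assumed: routed to Null0 on every receiving router
DEFAULT_TTL = 7 * 24 * 3600        # assumed: entries not re-confirmed within a week are withdrawn

# Space that must never appear in the feed, whatever the upstream C&C list says.
_NEVER_BLACKHOLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def normalize(address: str, protected=()) -> str:
    """Return the canonical host route (/32 or /128) for `address`, or raise ValueError.

    Anything wider than a single host is refused: black-holing a /24 because one
    box in it was a C&C is collateral damage, not mitigation. Bogon space and any
    operator-supplied `protected` prefixes (own resolvers, own customers) are refused too.
    """
    net = ipaddress.ip_network(address, strict=True)
    if net.num_addresses != 1:
        raise ValueError(f"refusing non-host route {net}")
    host = net.network_address
    for bad in _NEVER_BLACKHOLE + [ipaddress.ip_network(p) for p in protected]:
        if host in bad:
            raise ValueError(f"{host} is inside protected prefix {bad}")
    return str(net)


@dataclass
class Entry:
    source: str      # who reported it (sandbox, sinkhole, abuse desk ...)
    first_seen: int  # epoch seconds
    last_seen: int


@dataclass
class BlackholeFeed:
    ttl: int = DEFAULT_TTL
    protected: tuple = ()
    entries: Dict[str, Entry] = field(default_factory=dict)
    rejected: List[str] = field(default_factory=list)  # audit trail of refused upstream entries

    @staticmethod
    def announce_cmd(prefix: str) -> str:
        # ExaBGP-style text API (assumed syntax). The BLACKHOLE community lets peers match
        # the route into their own discard policy instead of trusting the next-hop alone;
        # no-export keeps the black-hole route from leaking beyond the member network.
        return (f"announce route {prefix} next-hop {DISCARD_NEXT_HOP} "
                f"community [{BLACKHOLE_COMMUNITY} no-export]")

    @staticmethod
    def withdraw_cmd(prefix: str) -> str:
        return f"withdraw route {prefix} next-hop {DISCARD_NEXT_HOP}"

    def update(self, observed: Dict[str, str], now: int) -> List[str]:
        """Reconcile the feed with the latest C&C list and return the commands to send.

        New hosts are announced, known hosts have last_seen refreshed, and any host
        not re-confirmed within `ttl` seconds is withdrawn (automatic de-listing).
        Entries that fail `normalize` are logged to `rejected`, not injected.
        """
        commands: List[str] = []
        for address, source in sorted(observed.items()):
            try:
                prefix = normalize(address, self.protected)
            except ValueError as exc:
                self.rejected.append(f"{address}: {exc}")
                continue
            entry = self.entries.get(prefix)
            if entry is None:
                self.entries[prefix] = Entry(source, now, now)
                commands.append(self.announce_cmd(prefix))
            else:
                entry.last_seen = now
        for prefix in sorted(self.entries):
            if self.entries[prefix].last_seen + self.ttl <= now:
                del self.entries[prefix]
                commands.append(self.withdraw_cmd(prefix))
        return commands

    def delist(self, address: str) -> Optional[str]:
        """Explicit removal after clean-up; returns the withdraw command, or None if not listed."""
        prefix = str(ipaddress.ip_network(address, strict=True))
        if self.entries.pop(prefix, None) is None:
            return None
        return self.withdraw_cmd(prefix)


if __name__ == "__main__":
    # Constructed sample: one good v4 C&C, one good v6 C&C, and three entries that must be refused.
    feed = BlackholeFeed(ttl=3600, protected=("198.51.100.0/24",))
    for cmd in feed.update({"203.0.113.7": "sandbox", "2001:db8::c2": "sinkhole",
                            "203.0.113.0/24": "bad-list", "10.1.2.3": "bad-list",
                            "198.51.100.9": "sandbox"}, now=1000):
        print(cmd)
    print("rejected:", *feed.rejected, sep="\n  ")
    print(*feed.update({"203.0.113.7": "sandbox"}, now=4600), sep="\n")  # v6 host expires
    print(feed.delist("203.0.113.7"))                                   # operator de-list
```

The TTL is what makes the feed safe to consume without a formal removal process: a C&C that stops being reported is withdrawn on its own, while `delist` covers the "we cleaned it up, please remove us" case. Notification of non-subscribers hosting a C&C, the second half of Roland's question, is an out-of-band step (abuse-contact lookup on the listed address) that this code deliberately does not attempt.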