-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> > We (Trend Micro) do something similar to this -- a black-hole BGP
> > feed of known botnet C&Cs, such that the C&C channel is effectively
> > black-holed.
>
> What's the trigger (pardon the pun, heh) and process for removing IPs
> from the blackhole list post-cleanup, in Trend's case?

We have a team that does the vetting/validation, and when the C&Cs
are taken down (or "decommissioned") they are removed from the
feed.

> Is there a notification mechanism so that folks who may not subscribe
> to Trend's service but who are unwittingly hosting a botnet C&C are
> made aware of same?

Well, we try to notify the owners of the identified hosts, but it
is not always successful... and sometimes the sheer churn is
prohibitive.

- ferg
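The removal step discussed above, as an added example that is not part of the original thread and not Trend Micro's feed or tooling: a consumer of a vetted C&C blackhole feed reconciles each pull against what it currently announces, so a decommissioned C&C that drops out of the feed is withdrawn automatically rather than lingering in the null-route table. It also refuses entries a vetting slip should never let through (non-host routes, RFC 1918 and other non-routable space, the consumer's own prefixes). The sample addresses are constructed from RFC 5737 documentation ranges; the protected-prefix policy, the ExaBGP command text and the discard next-hop `192.0.2.1` are assumptions for this example.

```python
"""Reconcile a vetted C&C blackhole feed against currently announced routes.

Added example with constructed data; not Trend Micro's feed or tooling.
"""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Assumed local policy: space a blackhole feed must never cause us to null-route,
# whatever the upstream vetting says (RFC 1918, loopback, link-local, multicast,
# "this" network, class E).
NEVER_BLACKHOLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 well-known BLACKHOLE community


def validate_entry(entry: str,
                   own_prefixes: Iterable[ipaddress.IPv4Network] = ()) -> Tuple[str, str]:
    """Return (normalized /32 prefix, "") or ("", reason) when the entry is rejected."""
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return "", "unparseable address"
    if net.version != 4:
        return "", "only IPv4 is handled in this example"
    if net.prefixlen != 32:
        # A C&C feed names hosts; a shorter prefix would black-hole bystanders.
        return "", f"not a host route (/{net.prefixlen})"
    for blocked in list(NEVER_BLACKHOLE) + list(own_prefixes):
        if blocked.version == 4 and net.subnet_of(blocked):
            return "", f"falls inside protected prefix {blocked}"
    return str(net), ""


def reconcile(announced: Set[str], feed: Iterable[str],
              own_prefixes: Iterable[ipaddress.IPv4Network] = ()
              ) -> Tuple[Set[str], Set[str], Dict[str, str]]:
    """Diff the fresh feed against what we currently announce.

    Returns (to_announce, to_withdraw, rejected). Every prefix we announce that
    the vetted feed no longer lists is withdrawn, so a C&C that was taken down
    leaves the blackhole on the next pull without a separate removal step.
    """
    wanted: Set[str] = set()
    rejected: Dict[str, str] = {}
    for entry in feed:
        prefix, reason = validate_entry(entry, own_prefixes)
        if prefix:
            wanted.add(prefix)
        else:
            rejected[entry] = reason
    return wanted - announced, announced - wanted, rejected


def render_exabgp(to_announce: Set[str], to_withdraw: Set[str],
                  next_hop: str = "192.0.2.1") -> List[str]:
    """Emit ExaBGP API commands; next_hop is a placeholder for a discard next-hop."""
    lines = []
    for p in sorted(to_withdraw, key=ipaddress.ip_network):
        lines.append(f"withdraw route {p} next-hop {next_hop}")
    for p in sorted(to_announce, key=ipaddress.ip_network):
        lines.append(f"announce route {p} next-hop {next_hop} "
                     f"community [{BLACKHOLE_COMMUNITY}]")
    return lines


if __name__ == "__main__":
    # Constructed snapshots: what we announced after the last pull, and today's feed.
    announced = {"192.0.2.10/32", "192.0.2.20/32", "198.51.100.5/32"}
    feed = ["192.0.2.10", "198.51.100.5", "203.0.113.77",
            "10.0.0.5",           # private space slipped into the feed
            "203.0.113.0/24",     # a whole /24 is not a C&C host
            "198.51.100.200"]     # inside our own (constructed) prefix
    own = [ipaddress.ip_network("198.51.100.128/25")]
    add, drop, bad = reconcile(announced, feed, own)
    for line in render_exabgp(add, drop):
        print(line)
    for entry, reason in bad.items():
        print(f"rejected {entry}: {reason}")
```

Running it withdraws `192.0.2.20/32` (gone from the feed, i.e. decommissioned), announces `203.0.113.77/32`, and rejects the three bad entries with a reason each; logging the rejections is what tells you the upstream vetting let something through.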