Blackholes and IXs and Completing the Attack.

We (Trend Micro) do something similar to this -- a black-hole BGP
feed of known botnet C&Cs, such that the C&C channel is effectively

What's the trigger (pardon the pun, heh) and process for removing IPs
from the blackhole list post-cleanup, in Trend's case?

We have a team that does the vetting/validation and when the C&Cs
are taken down (or "decommissioned") they are removed from the

Is there a notification mechanism so that folks who may not subscribe
to Trend's service but who are unwittingly hosting a botnet C&C are
made aware of same?

Well, we try to notify the owners of the identified hosts, but it
is not always successful... and sometimes the sheer churn is

