If we can't power down the machine, due to evidence loss, we
can't nullroute the IP; as stated, some malware will delete
itself or alter itself when Net Access is lost.
Now, can we filter a single port, in the case of spam, phishing, etc.?
You can do whatever you need to, of course. The right thing to do is
not always immediately apparent. Some time looking at the traffic on
a mirror port (etc.) can provide an experienced professional with
useful clues about how to proceed.
Unfortunately, my experience suggests that handling incidents on the
"datacenter" side is a somewhat different skill set than handling the
sorts of incidents that are commonly found on consumer Internet
connections. The relative value of an infected machine approaches
zero, while the value of a controlling system is fairly high, which
implies that more effort may have been put into active defenses, which
in turn implies other things. The "Geek Squad" or other "Nerds On
Wheels" services are probably not going to be able to effectively
clean off an impacted server, much less determine useful and clever
ways to analyze what is going on, which is where it pays to have someone
with contacts into the security community.
Alas, I believe that all of this basic stuff should be immediately
obvious and familiar to those in the hosting community, which leads me
to other questions that are more along the lines of what others have
been asking in this thread, and probably not relevant to NANOG.
In the event that you are what you claim to be, rather than what many
believe you to be based on past history and appearances, you would be
well advised to make some contacts within the security community, and
be prepared to acquire some expensive advice the next time you have
an incident. You would need more help than you're going to be able to
get on NANOG.
And if you're what many people seem to think, well, tough.