>Why do you think this might be? Fear of (extralegal) retaliation by >botnet owners? or fear of getting sued by listed network owners? [TLB:] No more than any anti-spam RBL or >is >the idea (shunning packets from ISPs that host botnets) fundamentally >unsound? > [TLB:] That's an ongoing raging debate. Some say, since enumerating badness cant' protect you against all threats, that you shouldn't' do it at all. My take is, if you can filter the worst actors early and fast, based on IP address, that gives you deeper packet devices more capacity, and saves you network bandwidth. It's been my experience that IP level blocking is a best practice as the second step (the first being selective availability of any service to only those it NEEDS to be, which in the case of many network operators is everywhere and everyone, and therefore a useless filter for a network operator) in a layered defense.
>If someone sufficiently trustworthy produced a BGP feed of networks that >were unresponsive to abuse complaints, do you think other networks would >use >it to block traffic? I mean, ultimately I think that having several >providers of such feeds with differing levels of aggression would be the >best >case, but someone has got to go first. > > [TLB:] <shameless plug> That's what ThreatSTOP is for. We use DNS, not BGP, because there are far more traffic management devices (think Subscriber firewalls) that can use it, and because AT&T has a patent on using BGP for block lists. </shameless plug>