nanog mailing list archives

Re: ISP Operators AISURU/Kimwolf botnet


From: Barry Greene via NANOG <nanog () lists nanog org>
Date: Sun, 18 Jan 2026 20:00:48 +1300

I’m glad this thread is getting back to exploring options and solutions ….

One recommendation every ISP needs to consider is subscribing to the Shadowserver Foundation’s daily reports. That 
reporting gives you data on your customer infection rate from the wide range of sources fed into Shadowserver. When you 
ask to subscribe, ask for multiple reprints - where you get the ASN report, then an IP report on your core network 
infrastructure, and a separate IP report on your customer IP blocks. That makes it easier to work with the risk profile 
from your infected customers. 

Finally, one of the ways you can feed data into Shadowserver is through their DDoS Reputation API. Organizations 
who are attacked can use the API to query the source IPs of the attack and find out details Shadowserver has on the 
IPs. That DDoS instance is then added to the telemetry. That is then delivered to the ISPs who subscribe to 
Shadowserver to let them know their infected customers are being used for attacks. 

So if you have an Anti-DDoS provider, ask them if they are using the Shadowserver DDoS Reputation API. That helps the 
“small ISPs” get details on which infected customers are being used by the miscreants. 






_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/YLS4AWAYYOUYJ2WWXLKPRYC55QRZ22CF/
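
Added example, not part of the original message and not Shadowserver's own tooling: the Python below sorts rows of a per-ASN infection report into core-infrastructure and customer buckets by prefix, which is the split the message recommends requesting as separate reports. The CSV column names, the prefixes (documentation ranges), the ASN and the sample rows are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumed prefixes (RFC 5737 documentation ranges), not from the original post.
CORE_PREFIXES = ["192.0.2.0/24"]
CUSTOMER_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed sample rows; the column names are assumptions for illustration.
SAMPLE_REPORT = """timestamp,ip,asn,tag
2026-01-17 00:10:00,198.51.100.23,64500,ddos-participant
2026-01-17 00:11:00,198.51.100.23,64500,ddos-participant
2026-01-17 00:15:00,203.0.113.9,64500,botnet-drone
2026-01-17 01:02:00,192.0.2.1,64500,open-resolver
2026-01-17 01:30:00,not-an-ip,64500,botnet-drone
2026-01-17 02:00:00,10.1.2.3,64500,botnet-drone
"""

def classify(ip_text, core, customer):
    """Return (label, matching network); label is core/customer/unknown/invalid."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "invalid", None
    for label, nets in (("core", core), ("customer", customer)):
        # Longest-prefix match, so nested allocations resolve to the most specific block.
        hits = [n for n in nets if ip in n]
        if hits:
            return label, max(hits, key=lambda n: n.prefixlen)
    return "unknown", None

def split_report(report_text, core_prefixes, customer_prefixes):
    core = [ipaddress.ip_network(p) for p in core_prefixes]
    customer = [ipaddress.ip_network(p) for p in customer_prefixes]
    buckets = {"core": [], "customer": [], "unknown": [], "invalid": []}
    per_prefix, seen = Counter(), set()
    for row in csv.DictReader(io.StringIO(report_text)):
        label, net = classify(row["ip"], core, customer)
        buckets[label].append(row)
        if label == "customer" and row["ip"] not in seen:
            seen.add(row["ip"])  # count each infected customer address once
            per_prefix[str(net)] += 1
    return buckets, per_prefix

if __name__ == "__main__":
    buckets, per_prefix = split_report(SAMPLE_REPORT, CORE_PREFIXES, CUSTOMER_PREFIXES)
    print({k: len(v) for k, v in buckets.items()})
    print(dict(per_prefix))
```

Rows that land in `unknown` or `invalid` are worth a look on their own, since they point to a stale prefix list or a malformed record rather than a customer infection.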
