In 2008, the internet service provider (ISP) known as McColo was identified as a major hub for malicious cyber activity. Security researchers from multiple companies, including Jose Nazario of Arbor Networks, discovered that McColo was hosting the command-and-control servers for a significant number of large botnets. These botnets were collectively responsible for distributing a substantial portion of the world’s spam emails.
The coordinated response to this threat did not involve illegally hacking back into the malicious servers. Instead, it was a collaborative effort focused on disrupting the infrastructure that enabled the botnets to operate. This event serves as a factual case study in what has been termed ‘acting in self-defense’ through coordinated, legal means.
Evidence and Coordination
Security researchers gathered and compiled extensive evidence of McColo’s role in hosting malicious infrastructure. This data showed a direct link between the ISP’s servers and a massive volume of harmful internet traffic, including spam from the ‘McColo botnet’ and others. The assembled evidence was then presented to McColo’s upstream internet providers, the companies that supplied McColo’s connection to the wider internet: Global Crossing and Hurricane Electric.
The Takedown and its Aftermath
Based on the compelling evidence provided by the security community, McColo’s upstream providers decided to act. In November 2008, they de-peered McColo, effectively severing its connection to the global internet. The impact was immediate and measurable: following the disconnection, global spam volume dropped dramatically. Some security analysts reported a reduction in spam traffic of as much as two-thirds in the immediate aftermath of the takedown. This action demonstrated how cutting off a central point of control for botnets could have a significant and instantaneous effect on their operations.