Botnet Mitigation and Remediation Special Interest Group


The mission of this SIG is to bring together FIRST members and non-member subject matter experts to share experiences about botnet mitigation and remediation and to identify different approaches and best practices that can be implemented to address this problem.


There are several initiatives around the world to detect and mitigate botnet and malware infections, including organizations that provide data feeds and CSIRTs that are helping to set up national cleaning centers. But there has been no study yet about how effective this initiatives are, the reasons why they were adopted or what made them succeed or fail. The group expects to work on the topics presented below for at least 2 years.

This SIG will work to

  • bring together FIRST members and non-members subject matter experts to share experiences about the current best practices on botnet remediation (including industry codes, national efforts and recommended best practices like the RFC 6561);
  • identify key success factors in botnet mitigation and remediation;
  • identify issues to take into consideration when implementing such best practices;
  • identify challenges for implementation, cases in which best practices haven't worked or could not be implemented, and the reasons for these problems;
  • identify what to measure, and why, as well as means for measuring the effectiveness of botnet mitigation initiatives.

Expected deliverables

  • produce documentation to share best practices and case studies (both success and failure cases).
  • reach out to networks and countries that are still not acting on the problem and get them involved into the implementation of the identified best practices.
  • identify how to create metrics and measurements about botnet remediation, with the end goal to have comparable measurements among different networks/countries.


It is NOT the focus of this SIG:

  • to work on botnet takedown or detection techniques;
  • to set up data feeds or standards for information exchange or notification;
  • to develop tools;
  • to focus on the mitigation of the attacks performed by botnets.

To be a member of the SIG one should meet one of these criterias

  • be working on or planning to work on botnet mitigation/remediation activities in his/her respective contituency
  • be a subject matter expert

SIG members are expected to actively contribute to the process of gathering the information necessary and creating the case studies and the best practices documentation that are the SIG expected deliverables.


Cristine Hoepers,


Yurie Ito, JPCERT/CC