Since the advent of distributed intruder tools in the late 1990s, defenders have striven to identify and take down as much of the attack network as possible, as fast as possible.This has never been an easy task, owing in large part to thewide distribution of attacking agents and command and control (C2) servers, often spread across thousands of individual networks, or Autonomous Systems in routing terms, around the globe.Differentials in the abilities and capabilities of these sites, aswell as knowledge of what role the site pla ys in distributed attack networks (potentiallymany active at one time),makemitigation harder, as do differences in legal regimes, etc. [1]. Still, there has grown a huge population of researchers, security vendors, and organizations focused on identifying andmitigating distributed attack networks. ys in distributed attack networks (potentiallymany active at one time),makemitigation harder, as do differences in legal regimes, etc. [1]. Still, there has grown a huge population of researchers, security vendors, and organizations focused on identifying andmitigating distributed attack networks.