Ok, so this mailing list is a list of network operators.  Swell.  Every
network operator who can do so, please raise your hand if you have
*recently* scanned your own network and if you can -honestly- attest
that you have taken all necessary steps to ensure that none of the
numerous specific types of CCTV thingies that Krebs and others identified
weeks or months ago as being fundamentally insecure can emit a single
packet out onto the public Internet.

Most of the time, scanning of your customers isn't strictly necessary, though it certainly won't hurt.

That's because attackers will scan your network *for* you, compromise the hosts, and use them to attack. When they inevitably attack one of my customers, I'll send you an abuse email. Some other networks do the same. So if you want to help, the real keys are to make sure that you disallow spoofing, that the RIR has up-to-date contact information for your organization, and that you handle abuse notifications effectively.

Large IoT botnets have been used extensively this year, launching frequent 100+ Gbps attacks (they were also used in prior years, but it wasn't to the degree that we've seen since January 2016). I've recorded about 2.4 million IP addresses involved in the last two months (a number that is higher than the number of actual devices, since most seem to have dynamic IP addresses). The ISPs behind those IP addresses have received notifications via email, so if you haven't heard anything, you're probably in good shape, assuming the RIR has the right abuse address on file for you.

The bulk of the compromised devices are non-NA. In a relatively small 40 Gbps IoT attack a couple of days ago, we saw about 20k devices, for instance, and most were from a mix of China, Brazil, Russia, Korea, and Venezuela.

-John
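The notification workflow John describes (unique attacking source IPs grouped by originating network, then sent to whatever abuse address the RIR has on file) can be sketched in a few dozen lines. The example below is added here and is not John's code or any tool from the thread; the RDAP records and attacker addresses are constructed sample data, shaped like the RFC 9083 RDAP output the RIRs serve, using documentation prefixes only. It shows the failure mode the post warns about: a network with no abuse role in its RIR record simply cannot be notified.

```python
"""Group attacking source IPs by originating network and look up each
network's abuse contact in an RDAP record.

Added example, not code from the mailing-list post.  SAMPLE_RDAP and
ATTACK_SOURCES are constructed sample data; real RDAP answers (RFC 9083)
carry contacts in "entities", each with "roles" and a jCard."""
import ipaddress
from collections import defaultdict

# Constructed RDAP responses keyed by the allocation's CIDR.
SAMPLE_RDAP = {
    "198.51.100.0/24": {
        "handle": "NET-EXAMPLE-A",
        "entities": [
            {"roles": ["abuse"],
             "vcardArray": ["vcard", [["fn", {}, "text", "Example A Abuse"],
                                      ["email", {}, "text", "abuse@example-a.test"]]]},
        ],
    },
    "203.0.113.0/24": {
        "handle": "NET-EXAMPLE-B",
        # Stale record: only a technical contact, no abuse role at all.
        "entities": [
            {"roles": ["technical"],
             "vcardArray": ["vcard", [["email", {}, "text", "noc@example-b.test"]]]},
        ],
    },
}

# Constructed attacker source addresses as a DDoS target's logs would show
# them (duplicates included, as real logs have).
ATTACK_SOURCES = ["198.51.100.7", "198.51.100.9", "198.51.100.7",
                  "203.0.113.41", "192.0.2.250"]


def abuse_email(rdap):
    """Return the abuse contact's e-mail from an RDAP object, or None when
    the record has no entity with the 'abuse' role."""
    for ent in rdap.get("entities", []):
        if "abuse" not in ent.get("roles", []):
            continue
        _, props = ent.get("vcardArray", ["vcard", []])
        for prop in props:
            if prop[0] == "email":
                return prop[3]
    return None


def group_by_network(sources, rdap_by_prefix):
    """Map each unique source IP to the allocation that contains it.
    Returns {prefix: sorted unique IPs}; IPs outside every known allocation
    are collected under 'unknown'."""
    networks = {ipaddress.ip_network(p): p for p in rdap_by_prefix}
    groups = defaultdict(set)
    for src in sources:
        ip = ipaddress.ip_address(src)
        prefix = next((p for net, p in networks.items() if ip in net), "unknown")
        groups[prefix].add(src)
    return {p: sorted(ips, key=ipaddress.ip_address) for p, ips in groups.items()}


def build_notifications(sources, rdap_by_prefix):
    """One notification per network: (prefix, abuse_email, ips).  Networks
    without an abuse contact come back with email=None so the operator can
    see which ones are unreachable."""
    out = []
    for prefix, ips in sorted(group_by_network(sources, rdap_by_prefix).items()):
        rdap = rdap_by_prefix.get(prefix, {})
        out.append((prefix, abuse_email(rdap), ips))
    return out


if __name__ == "__main__":
    for prefix, mail, ips in build_notifications(ATTACK_SOURCES, SAMPLE_RDAP):
        status = mail or "NO ABUSE CONTACT ON FILE"
        print(f"{prefix:18} {status:28} {len(ips)} unique source(s): {', '.join(ips)}")
```

In production the `SAMPLE_RDAP` dict would be replaced by a cached lookup against the RIR's RDAP service for each source address; the grouping and the "no abuse role" check stay the same, and the `None` entries are exactly the networks that, in John's words, would never hear anything.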
