Actually, since this attack wasn't volumetric and was instead attacking GitHub's (TCP-based) applications, they have the rare ability to identify the attacker's drones and possibly hand the list off to someone that can get them shut down. Hopefully GitHub does the right thing here.
Most popular sites have huge lists of compromised machines. You can't really do anything with them, though. If you block compromised machines, you'll blow up your support team with people complaining they can't reach your site.
It's not in my interest to "Citizen's Arrest" someone with a pwnt node.
I answered a general question with a general answer, and you understand the point I made as evidenced by your usage of the word "rare," so I struggle to understand your usage of the word "actually" to express disagreement.
Is this really that uncommon? I thought botnets took advantage of compromised machines to perform TCP connections. Otherwise attacking a website would be "trivially" prevented by larger connections.