Monitoring dark address space?

David A. Ulevitch davidu at everydns.net
Fri Apr 16 14:06:28 UTC 2004


NANOG,

I was wondering how many of you are running some sort of detection tool 
on "dark address" space on your network?  In an effort to curb 
malicious outbound non-spoofed traffic from "owned" client machines I 
think one of the easiest methods we have is to look for scans in what 
should be dead space.  The source-address spoofed traffic is easy to 
drop, the "legal" traffic is a bit more complex and I'm looking for 
non-inline methods of curbing this traffic.

My questions are:

1) Are you doing this and if so, what tools are you using?  Some sort 
of simple listening device with thresholds would probably do the trick 
if one machine monitored an entire /24 or some random /32's out of a 
/16.

2) What techniques seem to be better? Monitoring an entire /24 or 
picking a distributed selection of IPs from a /16? (using a /24 or /25 
is much easier on the administrative end of things from where I sit...)

3) What sort of threshold metrics for considering something to be 
malicious have you found to be good?  (ports/second, ip/second, etc)

4) Are there downsides to this (aside from false positives, which would 
hopefully be rare in truly dark address space)?

Off-list replies are fine and I'll summarize after a few days.

thanks,
davidu

----------------------------------------------------
   David A. Ulevitch - Founder, EveryDNS.Net
   Washington University in St. Louis
   http://david.ulevitch.com -- http://everydns.net
----------------------------------------------------
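A minimal threshold-based darknet monitor of the kind the post asks about, written here as an added example (it is not from the post or any NANOG reply). It handles both monitoring styles mentioned, a whole dark /24 and scattered /32s out of a larger block; the prefixes, thresholds and flow records are constructed sample values, not real network data.

```python
"""Threshold-based detector for scans into dark address space.

Flow records are (timestamp_seconds, src, dst, dport). A source is flagged
when, inside a sliding window, it touches too many distinct dark hosts
(horizontal sweep) or too many distinct ports on dark space (vertical scan).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed dark space: one unused /24 plus two unused /32s picked out of
# a /16 (assumed values, here taken from the RFC 5737 documentation ranges).
DARK_SPACE = [ip_network(p) for p in ("192.0.2.0/24",
                                      "198.51.100.7/32", "198.51.100.200/32")]


def is_dark(dst):
    """True if the destination falls in any monitored dark prefix."""
    addr = ip_address(dst)
    return any(addr in net for net in DARK_SPACE)


def detect_scanners(flows, window=60, min_hosts=10, min_ports=20):
    """Return {src: (alert_ts, reason)} for sources crossing a threshold.

    Only traffic aimed at dark space is counted, so a single stray packet
    (a typo, backscatter) never reaches the thresholds on its own.
    """
    hits = defaultdict(list)  # src -> [(ts, dst, dport)] for dark-space traffic
    for ts, src, dst, dport in sorted(flows):
        if is_dark(dst):
            hits[src].append((ts, dst, dport))
    flagged = {}
    for src, events in hits.items():
        start = 0
        for end in range(len(events)):           # slide a window over events
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            hosts = {d for _, d, _ in win}
            ports = {p for _, _, p in win}
            if len(hosts) >= min_hosts:           # alert at first crossing
                flagged[src] = (events[end][0], f"{len(hosts)} distinct dark hosts in {window}s")
                break
            if len(ports) >= min_ports:
                flagged[src] = (events[end][0], f"{len(ports)} distinct dark ports in {window}s")
                break
    return flagged


# Constructed sample flows: a sweep across the dark /24, a port scan of one
# dark /32, one stray packet, and ordinary traffic to live addresses.
SAMPLE_FLOWS = (
    [(t, "203.0.113.5", f"192.0.2.{t + 1}", 445) for t in range(40)]
    + [(100 + p, "203.0.113.9", "198.51.100.7", p) for p in range(1, 26)]
    + [(10, "203.0.113.77", "192.0.2.250", 80)]
    + [(t, "203.0.113.77", f"203.0.113.{t + 10}", 80) for t in range(50)]
)

if __name__ == "__main__":
    for src, (ts, why) in detect_scanners(SAMPLE_FLOWS).items():
        print(f"t={ts:>4}  {src:<14} {why}")
```

Only 203.0.113.5 and 203.0.113.9 are reported; the host that sent one packet into dark space stays below both thresholds.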
