Monitoring dark address space?
Andrew - Supernews
andrew at supernews.net
Sat Apr 17 09:42:49 UTC 2004
>>>>> "Paul" == Paul Vixie <vixie at vix.com> writes:
Paul> since this space has no dns records pointing into it, the only
Paul> traffic it will see is from errors/typos, and network
Paul> scanners.
And blowback from other people forging your addresses as sources.
(We've had quite a few goober-with-firewall reports of that type -
especially from a certain manufacturer of networking equipment who
shall remain nameless, even though they ought to know better.)
>> 3) What sort of threshold metrics for considering something to be
>> malicious have you found to be good? (ports/second, ip/second, etc)
Paul> the false positives are less than one in ten million.
Paul> "blackhole 'em all."
If you're actually going so far as to accept the connections, yes. If
you're just counting packets, then a little more caution is possibly
indicated.
Paul> it's a l-l-lotta d-d-data, m-m-man. otoh, between this and
Paul> postprocessing my maillogs looking for wormspoor, i have a
Paul> personal blackhole list with almost a million hosts on it now,
Paul> and about 20% of the ones who probe my smtpk (which always
Paul> accepts all mail you send it) later try to spam my main mail
Paul> server (which is in a different netblock).
Oooooh. _Very_ interesting.
--
Andrew, Supernews
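One way to apply the distinction drawn above (blackhole sources that actually completed a connection into dark space, but only review sources that merely sent packets, since those may be forged) in a small collector script. This is an added example, not code from the thread; the netblock, the packet records and the review threshold are all constructed.

```python
"""Triage hits into a dark netblock: blackhole only sources that completed a TCP
handshake, because a bare SYN or UDP datagram can carry a forged source address
(the "blowback" case), while a completed handshake proves the sender owns it."""
import ipaddress
from collections import defaultdict

# Constructed stand-in for the unused block (RFC 5737 documentation range).
DARK_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed collector records: (src, dst, proto, tcp_flags). Flags use tcpdump
# letters: "S" SYN, "S." SYN-ACK, "." bare ACK. The dark-space listener answers
# every SYN with a SYN-ACK, so a real scanner can complete the handshake.
SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.5", "tcp", "S"),   # scanner: SYN to dark host
    ("192.0.2.5", "203.0.113.10", "tcp", "S."),  # listener replies
    ("203.0.113.10", "192.0.2.5", "tcp", "."),   # scanner completes handshake
    ("203.0.113.10", "192.0.2.6", "tcp", "S"),
    ("198.51.100.7", "192.0.2.9", "tcp", "S"),   # several SYNs, none completed:
    ("198.51.100.7", "192.0.2.10", "tcp", "S"),  # consistent with a forged source
    ("198.51.100.7", "192.0.2.11", "tcp", "S"),
    ("198.51.100.7", "192.0.2.12", "tcp", "S"),
    ("198.51.100.22", "192.0.2.40", "udp", ""),  # one stray datagram: typo-class noise
]

def triage(packets, dark_net, review_threshold=3):
    """Return (blackhole, review): sources that completed a handshake into dark_net,
    and sources with >= review_threshold unconfirmed hits whose address may be forged."""
    hits = defaultdict(int)
    confirmed = set()
    syn_seen = set()  # (src, dst) pairs with an outstanding SYN
    for src, dst, proto, flags in packets:
        if ipaddress.ip_address(dst) not in dark_net:
            continue  # the listener's own replies leave dark space; ignore them
        hits[src] += 1
        if proto != "tcp":
            continue
        if flags == "S":
            syn_seen.add((src, dst))
        elif flags == "." and (src, dst) in syn_seen:
            # ACK of our SYN-ACK: only a host that really receives traffic for src can send it
            confirmed.add(src)
    blackhole = sorted(confirmed)
    review = sorted(s for s, n in hits.items() if s not in confirmed and n >= review_threshold)
    return blackhole, review

if __name__ == "__main__":
    bh, rv = triage(SAMPLE_PACKETS, DARK_NET)
    print("blackhole:", bh)
    print("review (possible forged sources):", rv)
```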