nanog mailing list archives

Re: Monitoring dark address space?


From: "Andrew - Supernews" <andrew () supernews net>
Date: Sat, 17 Apr 2004 10:42:49 +0100


"Paul" == Paul Vixie <vixie () vix com> writes:

 Paul> since this space has no dns records pointing into it, the only
 Paul> traffic it will see is from errors/typo's, and network
 Paul> scanners.

And blowback from other people forging your addresses as sources.

(We've had quite a few goober-with-firewall reports of that type -
especially from a certain manufacturer of networking equipment who
shall remain nameless, even though they ought to know better.)

3) What sort of threshold metrics for considering something to be 
malicious have you found to be good?  (ports/second, ip/second, etc)

 Paul> the false positives are less than one in ten million.
 Paul> "blackhole 'em all."

If you're actually going so far as to accept the connections, yes. If
you're just counting packets, then a little more caution is possibly
indicated.

 Paul> it's a l-l-lotta d-d-data, m-m-man.  otoh, between this and
 Paul> postprocessing my maillogs looking for wormspoor, i have a
 Paul> personal blackhole list with almost a million hosts on it now,
 Paul> and about 20% of the ones who probe my smtpk (which always
 Paul> accepts all mail you send it) later try to spam my main mail
 Paul> server (which is in a different netblock).

Oooooh. _Very_ interesting.

-- 
Andrew, Supernews
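The two cautions in this exchange (backscatter from forged sources landing in your dark space, and a completed connection being the only proof that a source is real) map onto simple classification logic. The block below is an added example, not code from the thread or from either poster; the record format, the TEST-NET sample addresses and the thresholds are all assumptions made for illustration.

```python
"""Classify traffic arriving at an unused (dark) address block.

Added example, not from the NANOG thread. Assumptions: each packet is one
line "ts proto src[:sport] -> dst[:dport] flags"; thresholds are illustrative.
"""
from collections import defaultdict

IP_THRESHOLD = 3        # distinct dark addresses probed in one window (assumed)
PORT_THRESHOLD = 3      # distinct ports probed in one window (assumed)
WINDOW_SECONDS = 60.0   # bucket width for per-source counting (assumed)

# Constructed sample: a sensor on 192.0.2.0/24 (TEST-NET-1) that answers SYNs.
SAMPLE_LOG = """\
1000.0 tcp 198.51.100.7:40001 -> 192.0.2.10:22 S
1000.1 tcp 198.51.100.7:40002 -> 192.0.2.11:22 S
1000.2 tcp 198.51.100.7:40003 -> 192.0.2.12:22 S
1000.3 tcp 198.51.100.7:40004 -> 192.0.2.13:22 S
1001.0 tcp 203.0.113.80:80 -> 192.0.2.50:51231 SA
1001.1 tcp 203.0.113.80:80 -> 192.0.2.50:51232 SA
1001.2 tcp 203.0.113.80:80 -> 192.0.2.51:51233 SA
1001.3 tcp 203.0.113.80:80 -> 192.0.2.52:51234 SA
1001.4 tcp 203.0.113.80:80 -> 192.0.2.53:51235 SA
1002.0 icmp 203.0.113.1 -> 192.0.2.77 unreach
1003.0 tcp 198.51.100.9:5555 -> 192.0.2.25:25 S
1003.1 tcp 198.51.100.9:5555 -> 192.0.2.25:25 A
1003.2 tcp 198.51.100.9:5555 -> 192.0.2.25:25 PA
"""


def parse_record(line):
    """Parse one IPv4 record into a dict (no port for ICMP endpoints)."""
    ts, proto, src, arrow, dst, flags = line.split()
    if arrow != "->":
        raise ValueError(f"malformed record: {line!r}")

    def split_endpoint(ep):
        host, _, port = ep.rpartition(":")
        return (host, int(port)) if host else (ep, None)

    sip, sport = split_endpoint(src)
    dip, dport = split_endpoint(dst)
    return {"ts": float(ts), "proto": proto, "src": sip, "sport": sport,
            "dst": dip, "dport": dport, "flags": flags}


def classify(rec):
    """Label a single packet seen by the dark-space sensor."""
    if rec["proto"] == "icmp":
        return "backscatter"      # unreachables for packets we never sent
    flags = rec["flags"]
    if flags == "S":
        return "probe"            # unsolicited SYN: a scan or a typo
    if "R" in flags or flags == "SA":
        return "backscatter"      # replies to SYNs someone forged with our addresses
    if "A" in flags:
        return "connected"        # third handshake step against a responding sensor
    return "other"


def score_sources(log_text):
    """Per-source verdicts; backscatter never counts toward a scan score."""
    # src -> time bucket -> (dark IPs probed, ports probed)
    probes = defaultdict(lambda: defaultdict(lambda: (set(), set())))
    labels_by_src = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        label = classify(rec)
        labels_by_src[rec["src"]].add(label)
        if label == "probe":
            bucket = int(rec["ts"] // WINDOW_SECONDS)
            ips, ports = probes[rec["src"]][bucket]
            ips.add(rec["dst"])
            ports.add(rec["dport"])

    verdicts = {}
    for src, labels in labels_by_src.items():
        if "connected" in labels:
            # A completed handshake cannot be forged from off-path: block it.
            verdicts[src] = "blackhole"
        elif any(len(ips) >= IP_THRESHOLD or len(ports) >= PORT_THRESHOLD
                 for ips, ports in probes[src].values()):
            verdicts[src] = "scanner"
        elif labels <= {"backscatter"}:
            # Someone forged our addresses toward this host; it is a victim, not a scanner.
            verdicts[src] = "backscatter-victim"
        else:
            verdicts[src] = "unknown"   # too little evidence to act on
    return verdicts


if __name__ == "__main__":
    for src, verdict in score_sources(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```

The point of the separate "backscatter-victim" bucket is the blowback case above: a host answering SYN-ACKs or unreachables into your dark space is reacting to forged packets, so counting those toward a blackhole decision punishes the victim. Only the completed handshake (the sensor accepted the connection, as the always-accepting SMTP sink in the thread does) gets the unconditional "blackhole 'em all" treatment; bare SYN counts go through thresholds instead.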

