North American Network Operators Group

Re: Monitoring dark address space?
>>>>> "Paul" == Paul Vixie <[email protected]> writes:

Paul> since this space has no dns records pointing into it, the only
Paul> traffic it will see is from errors/typo's, and network
Paul> scanners.

And blowback from other people forging your addresses as sources. (We've had quite a few goober-with-firewall reports of that type - especially from a certain manufacturer of networking equipment who shall remain nameless, even though they ought to know better.)

>> 3) What sort of threshold metrics for considering something to be
>> malicious have you found to be good? (ports/second, ip/second, etc)

Paul> the false positives are less than one in ten million.
Paul> "blackhole 'em all."

If you're actually going so far as to accept the connections, yes. If you're just counting packets, then a little more caution is possibly indicated.

Paul> it's a l-l-lotta d-d-data, m-m-man. otoh, between this and
Paul> postprocessing my maillogs looking for wormspoor, i have a
Paul> personal blackhole list with almost a million hosts on it now,
Paul> and about 20% of the ones who probe my smtpk (which always
Paul> accepts all mail you send it) later try to spam my main mail
Paul> server (which is in a different netblock).

Oooooh. _Very_ interesting.

-- 
Andrew, Supernews
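Added example, not from the thread or either poster: a small Python correlator that does the measurement Paul describes, matching hosts that connected to a dark-space SMTP sink against hosts that later connected to the production mail server, and reporting the fraction. The log format, addresses and timestamps are constructed for the example.

```python
"""Correlate dark-space SMTP sink probes with later connections to the
real mail server. Log format, IPs and timestamps are constructed."""
import re
from datetime import datetime

# Constructed logs, one "<ISO timestamp> connect <source ip>" per line.
SINK_LOG = """\
2003-01-10T01:00:00 connect 198.51.100.7
2003-01-10T01:05:00 connect 203.0.113.9
2003-01-10T02:00:00 connect 198.51.100.7
2003-01-10T02:30:00 connect 192.0.2.44
2003-01-10T03:00:00 connect 203.0.113.50
"""
MAIN_LOG = """\
2003-01-10T00:30:00 connect 192.0.2.44
2003-01-10T04:00:00 connect 198.51.100.7
2003-01-10T05:00:00 connect 203.0.113.9
2003-01-10T06:00:00 connect 192.0.2.99
"""
LINE = re.compile(r"^(\S+) connect (\d{1,3}(?:\.\d{1,3}){3})$")

def parse(log):
    """Return {ip: first-seen datetime}; malformed lines are skipped."""
    first = {}
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip not in first or ts < first[ip]:
            first[ip] = ts
    return first

def probe_then_spam(sink_log, main_log):
    """Hosts whose first sink probe precedes their first connection to
    the main server. A host seen at main *before* the sink (192.0.2.44
    here) is not counted: the order is what makes the sink predictive."""
    sink, main = parse(sink_log), parse(main_log)
    return sorted(ip for ip, t in sink.items() if ip in main and t < main[ip])

def probe_to_spam_ratio(sink_log, main_log):
    """Fraction of distinct sink probers that later hit the main server."""
    sink = parse(sink_log)
    if not sink:
        return 0.0
    return len(probe_then_spam(sink_log, main_log)) / len(sink)

if __name__ == "__main__":
    print(probe_then_spam(SINK_LOG, MAIN_LOG), probe_to_spam_ratio(SINK_LOG, MAIN_LOG))
```

With real data the two logs would be read from files with the same first-seen logic; the blackhole candidates are simply the keys of parse(SINK_LOG).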