North American Network Operators Group
Re: Monitoring dark address space?
- From: Hank Nussbacher
- Date: Sat Apr 17 14:35:12 2004
At 09:06 AM 16-04-04 -0500, David A. Ulevitch wrote:
> NANOG,
> I was wondering how many of you are running some sort of detection tool on
> "dark address" space on your network? In an effort to curb malicious
> outbound non-spoofed traffic from "owned" client machines I think one of
> the easiest methods we have is to look for scans in what should be dead
> space. The source-address spoofed traffic is easy to drop, the "legal"
> traffic is a bit more complex and I'm looking for non-inline methods of
> curbing this traffic.
> My questions are:
> 1) Are you doing this and if so, what tools are you using? Some sort of
> simple listening device with thresholds would probably do the trick if one
> machine monitored an entire /24 or some random /32's out of a /16.
We run one on a /16. You can find details here:
http://noc.ilan.net.il/research/riverhead/
We also know of the SWITCH dark address monitor at:
http://www.switch.ch/security/services/IBN/
I'd be interested in knowing of any others.
The stats haven't been updated in a while but that will change over the
next few months.
-Hank
> 2) What techniques seem to be better? Monitoring an entire /24 or picking
> a distributed selection of IPs from a /16? (using a /24 or /25 is much
> easier on the administrative end of things from where I sit...)
> 3) What sort of threshold metrics for considering something to be
> malicious have you found to be good? (ports/second, ip/second, etc)
> 4) Are there downsides to this (aside from false positives, which would
> hopefully be rare in truly dark address space)?
> Off-list replies are fine and I'll summarize after a few days.
> thanks,
> davidu
> ----------------------------------------------------
> David A. Ulevitch - Founder, EveryDNS.Net
> Washington University in St. Louis
> http://david.ulevitch.com -- http://everydns.net
> ----------------------------------------------------
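The "simple listening device with thresholds" David describes, written out as an added example (this is not code from the thread, nor from the ILAN or SWITCH monitors Hank links to). It takes flow records as (timestamp, src, dst, dport) tuples, scores only sources inside an assumed internal prefix (10.0.0.0/8) so inbound backscatter into dark space is not counted, and flags a source once it touches enough distinct dark hosts or ports inside a sliding window. The dark prefixes (a contiguous /24 plus three scattered /32s, the two layouts the post compares), the threshold values and the sample flows are all constructed for the illustration.

```python
"""Threshold detector for outbound traffic into dark (unrouted) address space.

Added example for the NANOG thread above, not code from the thread itself.
Input: flow tuples (timestamp_seconds, src_ip, dst_ip, dst_port).
"""
import ipaddress
from collections import defaultdict, deque

# Assumption: the site's own client space; only outbound scans from these
# sources are scored, so inbound backscatter into dark space is ignored.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Assumption: dark space is one contiguous /24 plus a few scattered /32s
# picked out of a larger allocation (both layouts from the post).
DARK_PREFIXES = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24",
    "198.51.100.7/32",
    "198.51.100.99/32",
    "198.51.100.200/32",
)]


def is_dark(dst: str) -> bool:
    """True if dst falls inside any configured dark prefix."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in DARK_PREFIXES)


class DarkSpaceDetector:
    """Per-source sliding window over flows that land in dark space.

    A source is flagged once when, within window_sec, it has touched at
    least max_ips distinct dark hosts (horizontal sweep) or at least
    max_ports distinct ports (vertical scan). These are the 'ip/second'
    and 'ports/second' style metrics asked about; the defaults here are
    illustrative starting points, not recommended values.
    """

    def __init__(self, window_sec=1.0, max_ips=10, max_ports=10):
        self.window_sec = window_sec
        self.max_ips = max_ips
        self.max_ports = max_ports
        self.events = defaultdict(deque)   # src -> deque of (ts, dst, dport)
        self.flagged = set()               # sources already alerted on
        self.alerts = []

    def observe(self, ts, src, dst, dport):
        """Feed one flow; return an alert dict the first time src crosses
        a threshold, otherwise None."""
        if ipaddress.ip_address(src) not in INTERNAL or not is_dark(dst):
            return None
        q = self.events[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > self.window_sec:   # expire old events
            q.popleft()
        dark_ips = {d for _, d, _ in q}
        dark_ports = {p for _, _, p in q}
        reasons = []
        if len(dark_ips) >= self.max_ips:
            reasons.append("dark_ips")
        if len(dark_ports) >= self.max_ports:
            reasons.append("dark_ports")
        if not reasons or src in self.flagged:
            return None
        self.flagged.add(src)
        alert = {"src": src, "ts": ts, "reason": reasons,
                 "dark_ips": len(dark_ips), "dark_ports": len(dark_ports)}
        self.alerts.append(alert)
        return alert


def run_detector(flows, **kw):
    """Replay flows in time order and return the list of alerts raised."""
    det = DarkSpaceDetector(**kw)
    for ts, src, dst, dport in sorted(flows):
        det.observe(ts, src, dst, dport)
    return det.alerts


# Constructed sample flows (not captured data).
SAMPLE_FLOWS = []
# 10.0.0.5: horizontal sweep of the dark /24 on tcp/445, 50 hosts/second
SAMPLE_FLOWS += [(i * 0.02, "10.0.0.5", f"192.0.2.{i}", 445) for i in range(1, 31)]
# 10.0.0.9: vertical scan of one scattered dark /32, 20 ports/second
SAMPLE_FLOWS += [(5.0 + i * 0.05, "10.0.0.9", "198.51.100.99", 20 + i) for i in range(20)]
# 10.0.0.20: a single stray packet into dark space (a mistyped address)
SAMPLE_FLOWS.append((9.0, "10.0.0.20", "192.0.2.77", 80))
# 203.0.113.4: external source hitting dark space; not an internal client, ignored
SAMPLE_FLOWS.append((9.2, "203.0.113.4", "192.0.2.5", 22))
# 10.0.0.21: ordinary traffic to a routed address, never enters the window
SAMPLE_FLOWS += [(9.5 + i, "10.0.0.21", "198.51.100.10", 443) for i in range(20)]

if __name__ == "__main__":
    for a in run_detector(SAMPLE_FLOWS):
        print(a)
```

Two practical notes. The distinct-IP threshold has to be scaled to how much dark space a scanner would actually touch: a sweep across a /16 hits every address in a contiguous dark /24 but only the handful of scattered /32s, so with the distributed layout the same sweep produces far fewer dark hits per second. And the source filter matters for the false-positive question in the post: without it, backscatter from spoofed-source attacks elsewhere arrives in the dark range from many external sources and would trip the same counters.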