[69624] in North American Network Operators' Group


Monitoring dark address space?

daemon@ATHENA.MIT.EDU (David A.Ulevitch)
Fri Apr 16 10:07:11 2004

To: nanog@merit.edu
From: David A.Ulevitch <davidu@everydns.net>
Date: Fri, 16 Apr 2004 09:06:28 -0500
Errors-To: owner-nanog-outgoing@merit.edu
NANOG,

I was wondering how many of you are running some sort of detection tool 
on "dark address" space on your network?  In an effort to curb 
malicious outbound non-spoofed traffic from "owned" client machines I 
think one of the easiest methods we have is to look for scans in what 
should be dead space.  The source-address spoofed traffic is easy to 
drop, the "legal" traffic is a bit more complex and I'm looking for 
non-inline methods of curbing this traffic.

My questions are:

1) Are you doing this and if so, what tools are you using?  Some sort 
of simple listening device with thresholds would probably do the trick 
if one machine monitored an entire /24 or some random /32's out of a 
/16.

2) What techniques seem to be better? Monitoring an entire /24 or 
picking a distributed selection of IPs from a /16? (using a /24 or /25 
is much easier on the administrative end of things from where I sit...)

3) What sort of threshold metrics for considering something to be 
malicious have you found to be good?  (ports/second, IPs/second, etc.)

4) Are there downsides to this (aside from false positives, which would 
hopefully be rare in truly dark address space)?

Off-list replies are fine and I'll summarize after a few days.

thanks,
davidu

----------------------------------------------------
   David A. Ulevitch - Founder, EveryDNS.Net
   Washington University in St. Louis
   http://david.ulevitch.com -- http://everydns.net
----------------------------------------------------
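The detection the post describes, as an added example that is not part of the original message or of any tool it mentions: a passive monitor that only counts traffic aimed at dark space and flags a source once it touches more distinct dark IPs, or more distinct ports on dark IPs, per second than a threshold. The dark ranges (one unused /24 plus two scattered /32s, all RFC 5737 documentation prefixes), the thresholds, and the flow records are constructed assumptions.

```python
"""Dark-space scan detector over flow records (added example, not from the post)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed dark space: an unused /24 plus a scatter of unused /32s from a
# /16, mirroring the two layouts the post asks about. Documentation prefixes only.
DARK_SPACE = [ip_network("198.51.100.0/24"),
              ip_network("203.0.113.7/32"),
              ip_network("203.0.113.200/32")]


def is_dark(dst):
    """True if the destination falls inside any monitored dark prefix."""
    addr = ip_address(dst)
    return any(addr in net for net in DARK_SPACE)


def detect_scanners(flows, window=1.0, max_ips=10, max_ports=20):
    """flows: iterable of (timestamp_seconds, src, dst, dport).

    Per source and per time window, count distinct dark destinations (a
    horizontal sweep) and distinct ports on dark destinations (a vertical
    scan). Traffic to live space is never counted, which is what keeps the
    false-positive rate low. Returns {src: reason} for sources over threshold.
    Thresholds are illustrative assumptions, not recommended values."""
    seen = defaultdict(lambda: (set(), set()))
    for ts, src, dst, dport in flows:
        if not is_dark(dst):
            continue
        ips, ports = seen[(src, int(ts // window))]
        ips.add(dst)
        ports.add(dport)
    alerts = {}
    for (src, bucket), (ips, ports) in seen.items():
        if len(ips) > max_ips:
            alerts[src] = f"{len(ips)} dark IPs in window {bucket}"
        elif len(ports) > max_ports:
            alerts[src] = f"{len(ports)} ports on dark IPs in window {bucket}"
    return alerts


# Constructed sample flows: sources are client hosts on the operator's network.
SAMPLE_FLOWS = (
    # horizontal sweep: 20 dark hosts on port 445 within one second
    [(100.0 + i * 0.02, "10.0.0.10", f"198.51.100.{i}", 445) for i in range(1, 21)]
    # vertical scan: 30 ports on a single dark /32 within one second
    + [(200.0 + i * 0.01, "10.0.0.11", "203.0.113.7", 1000 + i) for i in range(30)]
    # one stray packet into dark space: stays under every threshold
    + [(300.0, "10.0.0.12", "203.0.113.200", 80)]
    # busy but ordinary traffic to live space: ignored entirely
    + [(400.0 + i * 0.01, "10.0.0.13", f"192.0.2.{50 + i}", 443) for i in range(50)]
)
```

Running `detect_scanners(SAMPLE_FLOWS)` flags only 10.0.0.10 and 10.0.0.11; the stray hit and the live-space traffic produce nothing.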
