[69637] in North American Network Operators' Group
Re: Monitoring dark address space?
daemon@ATHENA.MIT.EDU (Andrew - Supernews)
Sat Apr 17 05:43:40 2004
To: nanog@merit.edu
In-Reply-To: <g3oepri6yt.fsf@sa.vix.com> (Paul Vixie's message of "17 Apr 2004 04:06:18 +0000")
Date: Sat, 17 Apr 2004 10:42:49 +0100
From: "Andrew - Supernews" <andrew@supernews.net>
Errors-To: owner-nanog-outgoing@merit.edu
>>>>> "Paul" == Paul Vixie <vixie@vix.com> writes:
Paul> since this space has no dns records pointing into it, the only
Paul> traffic it will see is from errors/typos, and network
Paul> scanners.
And blowback from other people forging your addresses as sources.
(We've had quite a few goober-with-firewall reports of that type -
especially from a certain manufacturer of networking equipment who
shall remain nameless, even though they ought to know better.)
>> 3) What sort of threshold metrics for considering something to be
>> malicious have you found to be good? (ports/second, ip/second, etc)
Paul> the false positives are less than one in ten million.
Paul> "blackhole 'em all."
If you're actually going so far as to accept the connections, yes. If
you're just counting packets, then a little more caution is possibly
indicated.
Paul> it's a l-l-lotta d-d-data, m-m-man. otoh, between this and
Paul> postprocessing my maillogs looking for wormspoor, i have a
Paul> personal blackhole list with almost a million hosts on it now,
Paul> and about 20% of the ones who probe my smtpk (which always
Paul> accepts all mail you send it) later try to spam my main mail
Paul> server (which is in a different netblock).
Oooooh. _Very_ interesting.
--
Andrew, Supernews
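The point made in this exchange, that dark space sees scanners, typos and blowback from forged source addresses, and that a blackhole decision is safer when a connection is actually accepted than when packets are merely counted, can be turned into a small sensor classifier. The following is an added example, not code from this thread or from either poster; the packet records are constructed, the flag-to-category mapping and the thresholds (`min_probes`, `min_targets`) are assumptions, and a real sensor would tune them against its own traffic.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed packet records as a darknet sensor might log them; not real
# traffic. Fields: seconds since capture start, source, destination,
# protocol, destination port (0 for ICMP), TCP flags or ICMP type.
SAMPLE = [
    (0.0, "203.0.113.7",   "192.0.2.10", "tcp", 22, "S"),
    (0.2, "203.0.113.7",   "192.0.2.11", "tcp", 22, "S"),
    (0.4, "203.0.113.7",   "192.0.2.12", "tcp", 22, "S"),
    (0.6, "203.0.113.7",   "192.0.2.13", "tcp", 22, "S"),
    (0.8, "203.0.113.7",   "192.0.2.14", "tcp", 22, "S"),
    (1.0, "198.51.100.20", "192.0.2.50", "tcp", 80, "SA"),    # reply to a forged SYN
    (1.1, "198.51.100.20", "192.0.2.51", "tcp", 80, "RA"),    # reply to a forged SYN
    (1.2, "198.51.100.21", "192.0.2.52", "icmp", 0, "unreach"),  # blowback, ICMP
    (2.0, "203.0.113.99",  "192.0.2.80", "tcp", 80, "S"),     # a lone, typo-style hit
    (3.0, "203.0.113.42",  "192.0.2.90", "tcp", 443, "S"),
    (3.1, "203.0.113.42",  "192.0.2.91", "tcp", 443, "S"),
    (3.2, "203.0.113.42",  "192.0.2.92", "tcp", 443, "R"),
]

# Assumed mapping: a bare SYN is something trying to open a connection to an
# address nobody should be talking to; SYN-ACK, RST and ACK can only be replies
# to packets that forged one of our addresses as the source.
BACKSCATTER_TCP = {"SA", "R", "RA", "A"}
BACKSCATTER_ICMP = {"unreach", "ttl-exceeded"}


def classify_packet(proto, flags):
    """Return 'probe', 'backscatter' or 'other' for one packet seen on dark space."""
    if proto == "tcp":
        if flags == "S":
            return "probe"
        return "backscatter" if flags in BACKSCATTER_TCP else "other"
    if proto == "icmp":
        return "backscatter" if flags in BACKSCATTER_ICMP else "probe"
    return "probe"  # UDP and anything else: treated as a probe, lower confidence


@dataclass
class SourceStats:
    probe: int = 0
    backscatter: int = 0
    packets: int = 0
    ports: set = field(default_factory=set)
    targets: set = field(default_factory=set)
    first: float = 0.0
    last: float = 0.0


def summarize(packets):
    """Aggregate per-source counts, distinct ports/targets and time window."""
    stats = defaultdict(SourceStats)
    for t, src, dst, proto, port, flags in packets:
        s = stats[src]
        if s.packets == 0:
            s.first = t
        s.packets += 1
        s.last = t
        kind = classify_packet(proto, flags)
        if kind == "probe":
            s.probe += 1
            s.ports.add((proto, port))
            s.targets.add(dst)
        elif kind == "backscatter":
            s.backscatter += 1
    return stats


def probes_per_second(s):
    """Probe rate over the observed window; the window is floored at 1 s."""
    return s.probe / max(s.last - s.first, 1.0)


def verdict(s, min_probes=5, min_targets=3):
    """Decide what a source is. Only active probing from one source across
    several of our addresses is called a scanner; pure backscatter means the
    source is itself a victim of forged packets and must not be blackholed."""
    if s.backscatter > 0 and s.probe == 0:
        return "spoofed-victim"
    if s.probe >= min_probes and len(s.targets) >= min_targets:
        return "scanner"
    if s.probe > 0 and s.backscatter > 0:
        return "mixed"
    return "low-confidence"


def report(packets):
    """Map each source address to its verdict."""
    return {src: verdict(s) for src, s in summarize(packets).items()}


if __name__ == "__main__":
    for src, v in sorted(report(SAMPLE).items()):
        print(f"{src:16} {v}")
```

The scanner and victim buckets are the ones that matter operationally: a source that only ever sends SYN-ACKs or RSTs into dark space is the target of someone else's forgery, so a packet-count threshold applied without looking at flags would blackhole exactly the wrong address. A sensor that completes the handshake (as the "accept the connections" case above does) sidesteps this, because a forged source cannot finish a three-way handshake.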