[69640] in North American Network Operators' Group
Re: Monitoring dark address space?
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Sat Apr 17 14:32:33 2004
Date: Sat, 17 Apr 2004 21:30:58 +0200
To: "David A.Ulevitch" <davidu@everydns.net>, nanog@merit.edu
From: Hank Nussbacher <hank@mail.iucc.ac.il>
In-Reply-To: <4165C867-8FAF-11D8-8D42-000393DC735E@everydns.net>
Errors-To: owner-nanog-outgoing@merit.edu
At 09:06 AM 16-04-04 -0500, David A.Ulevitch wrote:
>NANOG,
>
>I was wondering how many of you are running some sort of detection tool on
>"dark address" space on your network? In an effort to curb malicious
>outbound non-spoofed traffic from "owned" client machines I think one of
>the easiest methods we have is to look for scans in what should be dead
>space. The source-address spoofed traffic is easy to drop, the "legal"
>traffic is a bit more complex and I'm looking for non-inline methods of
>curbing this traffic.
>
>My questions are:
>
>1) Are you doing this and if so, what tools are you using? Some sort of
>simple listening device with thresholds would probably do the trick if one
>machine monitored an entire /24 or some random /32's out of a /16.
We run one on a /16. You can find details here:
http://noc.ilan.net.il/research/riverhead/
We also know of the SWITCH dark address monitor at:
http://www.switch.ch/security/services/IBN/
I'd be interested in knowing of any others.
The stats haven't been updated in a while but that will change over the
next few months.
-Hank
>2) What techniques seem to be better? Monitoring an entire /24 or picking
>a distributed selection of IPs from a /16? (using a /24 or /25 is much
>easier on the administrative end of things from where I sit...)
>
>3) What sort of threshold metrics for considering something to be
>malicious have you found to be good? (ports/second, ip/second, etc)
>
>4) Are there downsides to this (aside from false positives, which would
>hopefully be rare in truly dark address space).
>
>Off-list replies are fine and I'll summarize after a few days.
>
>thanks,
>davidu
>
>----------------------------------------------------
> David A. Ulevitch - Founder, EveryDNS.Net
> Washington University in St. Louis
> http://david.ulevitch.com -- http://everydns.net
>----------------------------------------------------
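A minimal version of the "simple listening device with thresholds" that the question describes, added here as a worked example (it is not code from the thread or from either poster). It assumes a hypothetical flow-record format of "epoch src dst proto dst_port", a dark space made of one /24 plus a few scattered /32s out of a /16 (RFC 5737 TEST-NET addresses stand in for real ranges), and hypothetical thresholds of distinct dark hosts and distinct dark ports per source per 10-second window. Only flows whose destination is dark are counted, so ordinary traffic to live hosts never contributes.

```python
"""Dark-address-space scan detector (added example, not from the NANOG thread)."""
import ipaddress
from collections import defaultdict

# Constructed dark ranges: a whole /24 and two scattered /32s in another /16.
DARK_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.17/32"),
    ipaddress.ip_network("203.0.113.201/32"),
]

# Hypothetical thresholds per source per window (tune to the size of the monitored space).
WINDOW_SECONDS = 10
MAX_DARK_HOSTS = 5   # distinct dark destinations (horizontal sweep)
MAX_DARK_PORTS = 5   # distinct (proto, port) pairs into dark space (vertical scan)


def is_dark(ip):
    """True if the destination falls in any monitored dark range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DARK_RANGES)


def parse_flow(line):
    """Parse the assumed 'epoch src dst proto dst_port' record."""
    ts, src, dst, proto, port = line.split()
    return int(ts), src, dst, proto, int(port)


def detect_scanners(lines, window=WINDOW_SECONDS,
                    max_hosts=MAX_DARK_HOSTS, max_ports=MAX_DARK_PORTS):
    """Return {(src, window_start): {...}} for sources exceeding a threshold
    within a fixed time bucket. Flows to live hosts are ignored entirely."""
    touches = defaultdict(lambda: (set(), set()))
    for line in lines:
        ts, src, dst, proto, port = parse_flow(line)
        if not is_dark(dst):
            continue
        hosts, ports = touches[(src, ts // window)]
        hosts.add(dst)
        ports.add((proto, port))

    alerts = {}
    for (src, bucket), (hosts, ports) in touches.items():
        if len(hosts) > max_hosts or len(ports) > max_ports:
            alerts[(src, bucket * window)] = {
                "dark_hosts": len(hosts),
                "dark_ports": len(ports),
            }
    return alerts


# Constructed sample flows covering the cases a practitioner wants to see.
SAMPLE_FLOWS = (
    # 10.0.0.5: horizontal sweep of the dark /24 on 445/tcp
    [f"{100 + i} 10.0.0.5 198.51.100.{i + 1} tcp 445" for i in range(8)]
    # 10.0.0.9: vertical scan of one dark /32
    + [f"{200 + i} 10.0.0.9 203.0.113.17 tcp {p}"
       for i, p in enumerate([21, 22, 23, 25, 80, 135, 139])]
    # 10.0.0.20: ordinary traffic to live hosts, never touches dark space
    + ["300 10.0.0.20 198.51.101.3 tcp 80", "301 10.0.0.20 203.0.113.5 udp 53"]
    # 10.0.0.30: a single stray packet into dark space stays under threshold
    + ["400 10.0.0.30 198.51.100.200 tcp 80"]
)

if __name__ == "__main__":
    for (src, start), info in sorted(detect_scanners(SAMPLE_FLOWS).items()):
        print(f"{src} window@{start}: {info}")
```

Two caveats follow from the design. Fixed buckets mean a slow scan that straddles a window boundary is split across two counts and may stay under threshold, so slow-scan detection needs a sliding window or a longer bucket. And a handful of /32s scattered through a /16 sees only a small fraction of a randomized scan of that /16, whereas a monitored /24 sees every probe aimed at it, so thresholds have to be scaled to how much of the address space is actually being listened on.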