"Paul" == Paul Vixie <vixie@vix.com> writes:
Paul> since this space has no dns records pointing into it, the only
Paul> traffic it will see is from errors/typos, and network
Paul> scanners.

And blowback from other people forging your addresses as sources. (We've had quite a few goober-with-firewall reports of that type - especially from a certain manufacturer of networking equipment who shall remain nameless, even though they ought to know better.)
3) What sort of threshold metrics for considering something to be malicious have you found to be good? (ports/second, ip/second, etc)
Paul> the false positives are less than one in ten million.
Paul> "blackhole 'em all."

If you're actually going so far as to accept the connections, yes. If you're just counting packets, then a little more caution is possibly indicated.

Paul> it's a l-l-lotta d-d-data, m-m-man. otoh, between this and
Paul> postprocessing my maillogs looking for wormspoor, i have a
Paul> personal blackhole list with almost a million hosts on it now,
Paul> and about 20% of the ones who probe my smtpk (which always
Paul> accepts all mail you send it) later try to spam my main mail
Paul> server (which is in a different netblock).

Oooooh. _Very_ interesting.

-- 
Andrew, Supernews
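The threshold question above (ports/second, IPs/second) and the two caveats raised in the thread (a single stray packet is usually a typo or misconfiguration, and a darknet also receives blowback from forged source addresses) can be turned into a small triage routine. The following is an added example written for this thread; it is not code from Paul Vixie, Supernews, or anyone else on the list. The packet layout, the sample addresses (203.0.113.0/24 standing in for the unrouted space, 198.51.100.0/24 for the outside world), and the thresholds are constructed assumptions, chosen so that each behaviour in the discussion is represented once.

```python
"""
Threshold-based triage of darknet (unrouted, DNS-less address space) traffic.

Added example for this thread; not the code of any participant.
Packet layout, thresholds and sample addresses are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed sample packets: (timestamp_s, src_ip, dst_ip, dst_port, tcp_flags).
# "S" is a bare SYN (the source is initiating); "SA" is a SYN/ACK, which nobody
# should be sending into space that never opened a connection, i.e. blowback
# from someone else forging our addresses as the source of their scan.
SAMPLE_PACKETS = (
    # vertical scan: one source walks ten ports on one dark host in under 2 s
    *[(100.0 + i * 0.2, "198.51.100.7", "203.0.113.10", p, "S")
      for i, p in enumerate((21, 22, 23, 25, 80, 110, 143, 443, 445, 3389))],
    # horizontal scan: one source sweeps twelve dark hosts on port 445 in ~3 s
    *[(200.0 + i * 0.25, "198.51.100.9", f"203.0.113.{i + 1}", 445, "S")
      for i in range(12)],
    # a single stray packet: the errors/typos case, not a scan
    (300.0, "198.51.100.20", "203.0.113.5", 80, "S"),
    # backscatter: SYN/ACKs to random high ports, no SYN ever sent by us
    *[(400.0 + i * 0.25, "198.51.100.40", "203.0.113.3", 40000 + i, "SA")
      for i in range(8)],
    # slow repeated SMTP connect to one dark host over a minute
    *[(500.0 + i * 12, "198.51.100.30", "203.0.113.5", 25, "S")
      for i in range(6)],
)


@dataclass
class SourceStats:
    """Per-source counters accumulated over the observation period."""
    first: float
    last: float
    packets: int = 0
    syn_packets: int = 0                       # bare SYNs: the source is probing
    ports: set = field(default_factory=set)    # distinct destination ports
    hosts: set = field(default_factory=set)    # distinct dark hosts touched

    @property
    def window(self) -> float:
        # A lone packet spans zero seconds; floor the window at one second so
        # a single stray packet cannot turn into an absurd per-second rate.
        return max(self.last - self.first, 1.0)


def summarize(packets):
    """Fold packets into one SourceStats per source address."""
    stats = {}
    for ts, src, dst, dport, flags in packets:
        s = stats.setdefault(src, SourceStats(first=ts, last=ts))
        s.first = min(s.first, ts)
        s.last = max(s.last, ts)
        s.packets += 1
        if flags == "S":
            s.syn_packets += 1
        s.ports.add(dport)
        s.hosts.add(dst)
    return stats


def classify(stats, ports_per_sec=2.0, hosts_per_sec=2.0, min_packets=5):
    """Apply rate thresholds per source; thresholds are assumed values."""
    verdicts = {}
    for src, s in stats.items():
        if s.syn_packets == 0:
            # Replies without any request from us: forged-source blowback.
            verdicts[src] = "backscatter"
        elif s.packets < min_packets:
            # Counting packets only, so demand a minimum before judging.
            verdicts[src] = "too few packets"
        elif len(s.ports) / s.window >= ports_per_sec:
            verdicts[src] = "vertical scan"
        elif len(s.hosts) / s.window >= hosts_per_sec:
            verdicts[src] = "horizontal scan"
        else:
            verdicts[src] = "undetermined"
    return verdicts


def triage(packets=SAMPLE_PACKETS, **thresholds):
    """Convenience wrapper: source address -> verdict."""
    return classify(summarize(packets), **thresholds)


if __name__ == "__main__":
    for src, verdict in sorted(triage().items()):
        print(f"{src:16} {verdict}")
```

The `window` floor and the `min_packets` gate are the "little more caution" for the packet-counting case; the backscatter branch is what keeps forged-source blowback out of a blackhole list that is otherwise fed automatically.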