NANOG,

I was wondering how many of you are running some sort of detection tool on "dark address" space on your network? In an effort to curb malicious outbound non-spoofed traffic from "owned" client machines I think one of the easiest methods we have is to look for scans in what should be dead space. The source-address spoofed traffic is easy to drop; the "legal" traffic is a bit more complex and I'm looking for non-inline methods of curbing this traffic.

My questions are:

1) Are you doing this and if so, what tools are you using? Some sort of simple listening device with thresholds would probably do the trick if one machine monitored an entire /24 or some random /32's out of a /16.

2) What techniques seem to be better? Monitoring an entire /24 or picking a distributed selection of IPs from a /16? (using a /24 or /25 is much easier on the administrative end of things from where I sit...)

3) What sort of threshold metrics for considering something to be malicious have you found to be good? (ports/second, ip/second, etc)

4) Are there downsides to this (aside from false positives, which would hopefully be rare in truly dark address space).

Off-list replies are fine and I'll summarize after a few days.

thanks,
davidu

----------------------------------------------------
David A. Ulevitch - Founder, EveryDNS.Net
Washington University in St. Louis
http://david.ulevitch.com -- http://everydns.net
----------------------------------------------------
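The "simple listening device with thresholds" the post asks about, sketched as an added example that is not part of the original message or anything David described running. It assumes flow records (timestamp, source, destination, destination port) already exported from a sensor on the dark range, and all prefixes, hosts, thresholds and sample flows below are constructed for illustration using documentation address ranges. It covers both layouts from question 2 (a whole /24 and scattered /32s out of a /16) and scores the two metrics from question 3 (distinct dark IPs/second and distinct ports/second) per local source.

```python
import ipaddress
from collections import defaultdict

# Constructed darknet layout (documentation ranges, not real allocations):
# a routed-but-unused /24, plus a few scattered /32s carved out of a /16.
DARK_NETS = [ipaddress.ip_network("203.0.113.0/24")]
DARK_HOSTS = {ipaddress.ip_address(a)
              for a in ("198.51.100.7", "198.51.100.99", "198.51.100.200")}

# Only flows sourced from our own client space are scored: the aim is to find
# owned local machines, not external hosts whose backscatter lands in dark space.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed


def in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def is_dark(dst):
    """True if the destination is in the /24 or is one of the scattered /32s."""
    return ipaddress.ip_address(dst) in DARK_HOSTS or in_any(dst, DARK_NETS)


def darknet_hits(flows):
    """Flows from local sources to dark destinations; no legitimate client produces these."""
    return [f for f in flows if in_any(f["src"], LOCAL_NETS) and is_dark(f["dst"])]


def score_sources(flows, window=10.0, ip_rate=1.0, port_rate=2.0):
    """Bucket dark-space hits per source into fixed windows and flag sources whose
    distinct-destination or distinct-port rate meets the thresholds (constructed defaults)."""
    dsts, ports = defaultdict(set), defaultdict(set)
    for f in darknet_hits(flows):
        key = (f["src"], int(f["ts"] // window))
        dsts[key].add(f["dst"])
        ports[key].add(f["dport"])
    flagged = {}
    for key in dsts:
        src, _ = key
        ips_per_s = len(dsts[key]) / window
        ports_per_s = len(ports[key]) / window
        reasons = []
        if ips_per_s >= ip_rate:
            reasons.append(f"{ips_per_s:.1f} dark IPs/s")
        if ports_per_s >= port_rate:
            reasons.append(f"{ports_per_s:.1f} ports/s")
        if reasons:
            flagged.setdefault(src, []).extend(reasons)
    return flagged


def _flow(ts, src, dst, dport):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport}


# Constructed sample flows standing in for a sensor's export.
SAMPLE_FLOWS = (
    # horizontal sweep: one local host probing 15 consecutive dark addresses in 1.5 s
    [_flow(100.0 + i * 0.1, "10.0.0.5", f"203.0.113.{i + 1}", 445) for i in range(15)]
    # vertical scan: one local host walking 25 ports on a single dark /32
    + [_flow(100.0 + i * 0.2, "10.0.0.9", "198.51.100.7", 20 + i) for i in range(25)]
    # one stray packet into dark space (a typo, a stale config): far below threshold
    + [_flow(104.0, "10.0.0.42", "203.0.113.77", 80)]
    # ordinary traffic to a live server: not dark, never considered
    + [_flow(100.0 + i, "10.0.0.77", "192.0.2.10", 443) for i in range(50)]
    # external host whose backscatter lands in our dark /24: not local, not scored
    + [_flow(100.0 + i * 0.05, "192.0.2.200", f"203.0.113.{i + 1}", 80) for i in range(40)]
)

if __name__ == "__main__":
    for src, why in score_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {', '.join(why)}")
```

Switching between "whole /24" and "scattered /32s" changes only `is_dark`; the scoring is the same either way, which is the administrative simplicity the post is weighing. The thresholds are the trade-off behind question 4: set low enough to catch a sweep like the one above, yet high enough that a single stray packet from a misconfigured host does not page anyone, and restricted to local sources so that backscatter from elsewhere is counted as a sensor observation rather than an infected client.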