Methodology, cont.

Active response
  - Complete the TCP handshake for 1 in N inbound TCP SYNs
      - Sample rather than answer every SYN: an attacker sending SYNs with a
        spoofed source could otherwise use the telescope to reflect SYN/ACKs
        at the spoofed victim; with sampling the reflected rate is bounded by
        1/N of the incoming rate
      - Play nice (e.g. http://mason.gmu.edu/~sxing/research/is.html/)
  - Reassemble the TCP connection data; identify and log each hit
  - Send an alert on a new, previously unseen payload
  - Manually classify payloads to worms
Save all other packets to disk
  - Internet-wide scans (SSH, DNS, RPC services, FTP, etc.)
  - Decoy scans + DDoS backscatter (SYN/ACK, RST, ICMP)
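The pipeline on this slide, as an added example that is not the authors' code: a toy telescope that answers 1 in N SYNs (N=4 here, an assumption; the slide gives only "1/N"), reassembles the data on the connections it completed, logs each hit, alerts the first time a payload fingerprint appears, and writes everything it did not answer to a "disk" list tagged as scan or backscatter. Packets are hand-built dicts in documentation address ranges, not a capture; the sampling is counter based for reproducibility (a keyed hash or random draw gives the same 1/N bound). The worm-like HTTP request is constructed to stand in for a payload a human would later classify.

```python
import hashlib


class Telescope:
    """Unused-address-space monitor with sampled active response.

    Added example modelling the slide's pipeline, not the authors' code.
    Only every Nth SYN gets a SYN/ACK, so a spoofed-source flood bounced
    off this space comes back out at <= 1/N of its rate (no amplification).
    """

    def __init__(self, n=4):
        self.n = n
        self.syn_count = 0
        self.open_flows = {}        # (src, sport, dst, dport) -> reassembled data
        self.seen_payloads = set()  # fingerprints already handed to an analyst
        self.hits = []              # every completed connection that sent data
        self.alerts = []            # new, previously unseen payloads
        self.disk = []              # everything we did not respond to, tagged

    @staticmethod
    def fingerprint(payload):
        return hashlib.sha256(payload).hexdigest()[:16]

    def process(self, pkt):
        """Handle one inbound packet; return the packets we send back."""
        if pkt["proto"] != "tcp":
            self.disk.append(("backscatter", pkt))  # e.g. ICMP unreachables
            return []
        flags = pkt["flags"]
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if flags == {"SYN"}:
            self.syn_count += 1
            if self.syn_count % self.n != 0:
                self.disk.append(("scan", pkt))  # unanswered probe, saved
                return []
            self.open_flows[flow] = bytearray()  # complete the handshake
            return [dict(proto="tcp", src=pkt["dst"], sport=pkt["dport"],
                         dst=pkt["src"], dport=pkt["sport"], flags={"SYN", "ACK"})]
        if flow in self.open_flows:
            # Connection we completed: reassemble what the client sends.
            self.open_flows[flow] += pkt.get("payload", b"")
            if "FIN" in flags or "RST" in flags:
                self._close(flow)
            return []
        # SYN/ACK, RST or stray ACK for a connection we never opened: backscatter.
        self.disk.append(("backscatter", pkt))
        return []

    def _close(self, flow):
        data = bytes(self.open_flows.pop(flow))
        if not data:
            return
        fp = self.fingerprint(data)
        self.hits.append((flow, fp))
        if fp not in self.seen_payloads:  # alert only on a new payload
            self.seen_payloads.add(fp)
            self.alerts.append((fp, data[:32]))


def constructed_traffic():
    """Hand-built packets (not a capture) standing in for what the telescope sees."""
    pkts = []
    # Twelve SYNs: a port sweep from one host, then two hosts probing port 80.
    ports = [22, 53, 111, 21] + [80] * 8
    srcs = ["203.0.113.5"] * 4 + ["203.0.113.6"] * 4 + ["203.0.113.7"] * 4
    for i, (src, port) in enumerate(zip(srcs, ports)):
        pkts.append(dict(proto="tcp", src=src, sport=40000 + i,
                         dst="192.0.2.1", dport=port, flags={"SYN"}))
    # Backscatter from a SYN flood that spoofed our space as its source.
    pkts.append(dict(proto="tcp", src="198.51.100.9", sport=80, dst="192.0.2.7",
                     dport=5123, flags={"SYN", "ACK"}))
    pkts.append(dict(proto="tcp", src="198.51.100.9", sport=80, dst="192.0.2.7",
                     dport=5124, flags={"RST"}))
    pkts.append(dict(proto="icmp", src="198.51.100.1", dst="192.0.2.7", type=3))
    # Data on the connections whose handshakes we completed (SYNs 4, 8 and 12).
    worm = b"GET /default.ida?XXXX HTTP/1.0\r\n"  # constructed worm-style probe
    pkts.append(dict(proto="tcp", src="203.0.113.5", sport=40003, dst="192.0.2.1",
                     dport=21, flags={"ACK", "PSH"}, payload=b"USER anonymous\r\n"))
    pkts.append(dict(proto="tcp", src="203.0.113.5", sport=40003, dst="192.0.2.1",
                     dport=21, flags={"FIN", "ACK"}))
    for src, sport in (("203.0.113.6", 40007), ("203.0.113.7", 40011)):
        pkts.append(dict(proto="tcp", src=src, sport=sport, dst="192.0.2.1",
                         dport=80, flags={"ACK", "PSH"}, payload=worm))
        pkts.append(dict(proto="tcp", src=src, sport=sport, dst="192.0.2.1",
                         dport=80, flags={"FIN", "ACK"}))
    return pkts


def run_demo(n=4):
    """Run the constructed traffic through a telescope and summarise the result."""
    t = Telescope(n)
    sent = sum(len(t.process(p)) for p in constructed_traffic())
    return {
        "syns": t.syn_count,
        "synacks_sent": sent,
        "hits": len(t.hits),
        "alerts": [fp for fp, _ in t.alerts],
        "scans": sum(1 for kind, _ in t.disk if kind == "scan"),
        "backscatter": sum(1 for kind, _ in t.disk if kind == "backscatter"),
    }
```

With N=4 the twelve SYNs produce three SYN/ACKs, three logged hits and two alerts (the same worm request arrives twice but is only new once); running `run_demo(n=1)` shows the hazard the sampling exists to avoid, since every one of the twelve SYNs is then reflected.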