Food for Thought

Many regard black-hole monitoring as just another way to detect attacks against their systems (and perhaps an expensive way, given the scarcity of public IP space resources). But the real value of this technique is that it makes it possible to not only identify known attacks (something that can be done just as well in many other locations, without wasting IP space), but also detect and analyze subtle patterns that would otherwise be lost below the “noise level” in an extensively used network.

Naturally, performing this type of black-hole monitoring is not easy and remains expensive. It takes time to learn how to find that needle in the haystack of the usual worm and black hat activity that, in a sufficiently extensive network, ...
