Network abuse monitoring ({\em eg.,\/} for intrusions and denial of service
attacks) is an important component in security architecture.  Monitoring
{\em unused} IP addresses offers opportunities to significantly improve
perspective on abuse activity without many of the problems associated with
typical network intrusion detection and firewall systems.  In this paper,
we describe and evaluate a scalable architecture for an IP traffic monitoring
system called an Internet Sink (iSink).  The objective of this system is
to provide measurement data on abuse activity on unused or ``dark'' IP
addresses in an efficient and scalable fashion.  A distinguishing feature
of an iSink in contrast to traditional intrusion detection systems or
firewalls, is that it can be used as an {\em active} measurement system by
generating response  packets to incoming traffic.  This gives the iSink an
important advantage in  discriminating between different types of attacks
(through examination of  the response payloads).  iSink's design is
distinct from other dark address space monitors in that it is stateless and
thus highly scalable.  We report performance results of our iSink
implementation in both controlled laboratory experiments and from a case
study of a live deployment.  Our results demonstrate the efficiency and
scalability of our implementation as well as the important perspective on
abuse activity that is afforded by its use.