Slashdot Mirror


Build A Darknet To Capture Naughty Traffic

DM_NeoFLeX writes "Have some routable Address Space lying around? You might want to build a DarkNet. The folks over at Team Cymru have outlined instructions for creating one with FreeBSD and as little as /32 routable space. From the article: 'A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.' Darknets can provide useful information for tracking the flow of naughty network traffic."

266 comments

  1. Luke by ralf1 · · Score: 5, Funny

    Embrace the power of the darknet.

    --
    "Would you, could you, with a goat?" Dr Seuss
    1. Re:Luke by SIGALRM · · Score: 3, Interesting

      Darknets have multiple uses. These can be used to host flow collectors, backscatter detectors, packet sniffers, and IDS boxes.

      Doesn't the term "Darknet" also refer to a collection of networks and other technologies that enable people to share files with little or no fear of detection?

      --
      Sigs cause cancer.
    2. Re:Luke by wo1verin3 · · Score: 5, Funny

      a collection of networks and other technologies that enable people to share files with little or no fear of detection?

      Naw... that's called the Internet.

      (I didn't say they shouldn't be afraid, but don't seem to be)

    3. Re:Luke by SIGALRM · · Score: 5, Informative

      Naw... that's called the Internet.

      The term "Darknet" is cited in this sense frequently. It was first used by Patrick Ross in Nov. 2002

      Thanks, though.

      --
      Sigs cause cancer.
    4. Re:Luke by wo1verin3 · · Score: 1

      +1 over your head

    5. Re:Luke by MillionthMonkey · · Score: 2, Informative

      Doesn't the term "Darknet" also refer to a collection of networks and other technologies that enable people to share files with little or no fear of detection?

      Yes, that's a usage I've seen too, for example in this article in Slate.

    6. Re:Luke by anakin357 · · Score: 2, Funny

      Somehow all this Darknet business reminds me of

      --
      http://www.fsckin.com/
    7. Re:Luke by gweihir · · Score: 1

      The term "Darknet" was used by Peter Biddle, Paul England, Marcus Peinado and Bryan Willman in their paper The darknet and the future of content distribution presented in the DRM workshop at the Computer and Communication Security Conference 2002. I know because I was there. The term "Darknet" in this paper refers to an overlay network that outsiders cannot look into such as P2P filesharing networks.

      The main claim of the paper was IMO that P2P filesharing cannot be stopped.

      The paper can be gotten from numerous sources and in different formats. Just google("The darknet and the future of content distribution")

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Build a DorkNet by mcgroarty · · Score: 5, Funny
    CmdrTaco has built a DorkNet to capture naughty traffic.

    The comments that follow are time-stamped proof of what you were all doing during working hours...

    1. Re:Build a DorkNet by pboulang · · Score: 0, Flamebait

      Wait, was that dorknet comment referring to Slashdot? The very website we are reading right now? Hey, that's pretty ironic! What are the odds... He could have posted anywhere today and yet posted here. Crazy crazy world, huh?

      </sarcasm>

      Relax. Check out the high userID# and assume the poster is 15.

      --

      This comment is guaranteed*

      *not guaranteed

    2. Re:Build a DorkNet by Trigulus · · Score: 0, Offtopic

      Yet another example of UserID Profiling. Low userID doesnt automaticaly get my respect. The typical low userID attitude is "I got here first so its mine! all mine! hahahahahah mine! Get the hell out of my slashdot you high userID scum" or something to that effect. But I still see tons of low usersIDs spewing crap/FUD.

      and look at that im a "high" userID LOL

      --
      If something exists that does not need a creator (god) then why must the cosmos need one?
    3. Re:Build a DorkNet by nes11 · · Score: 1

      yeah, guess it doesn't really matter that the UserID of the original joke is even higher huh?

    4. Re:Build a DorkNet by Anonymous Coward · · Score: 0

      Or check out the low user ID of you and assume you are 15 (because we all know people like you are those "first post" freaks?)

    5. Re:Build a DorkNet by pboulang · · Score: 0, Flamebait
      and look at that im a "high" userID LOL

      Not helping your cause. . . I suggest that when using a sentence with the word "respect" in it in the future you spellcheck it. Let's look at the fact that you complain about profiling high UserIDs, then proceed to attack low UserIDs with a blanket statement. Some would call this profiling. I know you would cause you have a particular problem with that, and according to you, I do, too. Tie that in with your last sentence and I see an immature knee-jerk reaction. I'm not saying you aren't intelligent, simply not mature.

      In regards to my original post, yeah, ok, it was a little off-putting. However, isn't it a typical situation for a smart 15 year old to accidentally explain a joke in an attempt to fit in, yet in the end standing out like a sore thumb? Would you not agree that it is more likely for a 15 year old to have a higher UserID than a low one... or did he join slashdot as a tweenager?

      --

      This comment is guaranteed*

      *not guaranteed

    6. Re:Build a DorkNet by zoloto · · Score: 1, Flamebait

      /devils_advocate

      why not.
      the majority of icq users (at its peak and wane) were all 8 or 9 + numbers. that's frigging lame to say "hey that's profiling" when for the majority of it is correct (like 95%)

      so when the other 5% cry bloody murder b/c it sucks, then effectiveness goes down.

      now with respect to that, I don't pay attention to UID at all with the exception to when people make comments like yours:

      Yet another example of UserID Profiling. Low userID doesnt automaticaly get my respect. The typical low userID attitude is "I got here first so its mine! all mine! hahahahahah mine! Get the hell out of my slashdot you high userID scum" or something to that effect. But I still see tons of low usersIDs spewing crap/FUD.

      and look at that im a "high" userID LOL


      You sound offended and even threatened because of his comment, yet in that defensive remark you admit to either being insecure or flagrant need to lash out based on the fact that you are the majority of "new" users. Don't worry, I'm not excluding myself. Hell, I can't even remember what my UID is unless I look at it and say, well i know there's a 6 and a 7 in there somewhere.

      Damn bro. mature a little before you spew shit no one cares about. You might be modded down for it.

    7. Re:Build a DorkNet by irc.goatse.cx+troll · · Score: 1

      "why not.
      the majority of icq users (at its peak and wane) were all 8 or 9 + numbers. that's frigging lame to say "hey that's profiling" when for the majority of it is correct (like 95%)"

      The same could be said for any other profiling. If 95% of the people stealing from your store are black or mexican, what's wrong with having security follow them around?

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    8. Re:Build a DorkNet by Trigulus · · Score: 0, Flamebait

      What are you a fucking vulcan? Can you not sense sarcasm/humor?

      I pitty you.

      --
      If something exists that does not need a creator (god) then why must the cosmos need one?
    9. Re:Build a DorkNet by Trigulus · · Score: 0, Troll

      OMFG! I might get modded down! Fucking vulcan.

      --
      If something exists that does not need a creator (god) then why must the cosmos need one?
    10. Re:Build a DorkNet by zoloto · · Score: 1

      nothing

    11. Re:Build a DorkNet by martingunnarsson · · Score: 1

      That's evil! EVIL! Damn him!

      --
      Martin
    12. Re:Build a DorkNet by Anonymous Coward · · Score: 0


      It's spelled "pity", wankstain.

    13. Re:Build a DorkNet by Trigulus · · Score: 0

      No I spelled it pitty. I like it better that way.

      --
      If something exists that does not need a creator (god) then why must the cosmos need one?
  3. Already been done... by TWX · · Score: 5, Funny

    I thought that California had the market cornered on this during the energy crisis...

    --
    Do not look into laser with remaining eye.
    1. Re:Already been done... by Anonymous Coward · · Score: 0

      They should have patented their method.
      Then they could have sued Ontario for infringement.

    2. Re:Already been done... by wo1verin3 · · Score: 2, Funny

      hey leave us alone, the fault was traced back to Ohio. You may have to subpoena Ontario as a witness, but Ohio is the one you should be suing.

      I'm getting tired of being accused of having derivative code for every blackout we spawn however. We have not used any of SCOs code in development of our own blackouts.

    3. Re:Already been done... by Raven42rac · · Score: 1

      Ahh, but then the machine causing the naughty traffic would have to crash the hardest a machine has ever crashed in the history of computers.

      --
      I hate sigs.
    4. Re:Already been done... by tokachu(k) · · Score: 2, Funny

      Yes, Mr. Honeypot called, and he wants his product back.

  4. screw the Darknet by Anonymous Coward · · Score: 1, Funny

    Just as Luke Skywalker defeated Vader and the Darkside, the Lightnet led by the valiant hero Mr. Anonymous Coward PhD will vanquish the villainous foe known as Darknet.

    1. Re:screw the Darknet by REBloomfield · · Score: 2, Interesting

      Luke did not 'defeat' Vader and the darkside. He threw down his lightsaber and it was Vader who rose up and brought an end to the Sith - but not the darkside of the force. Han's daughter briefly dabbled, and Mara Jade could be considered 'dark'.

    2. Re:screw the Darknet by Impy+the+Impiuos+Imp · · Score: 1

      > Luke did not 'defeat' Vader and the darkside.
      > He threw down his lightsaber and it was Vader
      > who rose up and brought an end to the Sith

      By restoring his father to the lightside, he thus defeated the Dark Lord by indirect action. As Obi-wan might say, "So in a sense, what I told you was true."

      > but not the darkside of the force.

      Until the last 3 of 9 movies are made, all sequels this time, we will never know.

      > Han's daughter briefly dabbled, and Mara Jade
      > could be considered 'dark'.

      Books don't count. Games don't count. Han doesn't have a daughter. The only cannon things are the movies and the live action parts of the Star Wars Christmas Special.

      I read Splinter of the Mind's Eye before most of you were even br0n.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    3. Re:screw the Darknet by REBloomfield · · Score: 1
      Erm, since when are there going to be episodes 7,8 & 9?

      AFAIK, the books and graphic novels are cannon, but they are less cannon than the books. The forums at StarWars.com would have a heart attack arguing this one.

      But I do agree with your Obi-Wan comment :)

    4. Re:screw the Darknet by chris_mahan · · Score: 1

      >The only cannon things are the movies and the live action parts of the Star Wars Christmas Special.

      It's canon, like CANON the photography company.

      from dictionary.com:

      # A secular law, rule, or code of law.
      1. An established principle: the canons of polite society.
      2. A basis for judgment; a standard or criterion.

      A cannon, on the other hand, is a device with which you shoot heavy projectile (like explosive shells)

      And you call yourself a geek after THIS?

      --

      "Piter, too, is dead."

    5. Re:screw the Darknet by Impy+the+Impiuos+Imp · · Score: 1

      They aren't, and that's sad. That was the original plan way back when though.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  5. Darknets = P2P by Anonymous Coward · · Score: 5, Informative

    darknet n. The collection of networks and other technologies that enable people to illegally share copyrighted digital files with little or no fear of detection.
    http://www.wordspy.com/words/darknet.asp

    1. Re:Darknets = P2P by Anonymous Coward · · Score: 0

      Sounds good to me. Whatever can be done to bring one step closer to net anonymity is a good thing. It will make it harder for greedy corps and governments to cover up their lies. It may help to make impossible to censor speech. Even the Scientologists can't stop us now. Yay! Attn: George W. Bush, burn the tapes (shred the papers) now before someone makes backups and shows what a liar you are. Whistleblowers unite!

    2. Re:Darknets = P2P by drinkypoo · · Score: 2, Insightful
      I've never heard this term and I've been using p2p as long as anybody. A few industry pundits using it doesn't make it a real live term. Frankly I think that both of these uses of the "word" are lame, but calling p2p the darknet is a lot more lame than using the term to refer to a network intended to have no legitimate traffic.

      With all that said, honeynet would seem to be a more sensible term for a network like this. It's even sticky, which means people will be getting caught in it more readily, which is precisely what you're going for.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Darknets = P2P by Lehk228 · · Score: 3, Insightful

      actually a darknet would be a peer to peer group where the users know most if not all other members, such as a Dormitory floor setting up FTP servers and giving accounts to everyone on the floor (not that i have any involvement in that sort of activity)

      You sound like my roommate, anything he hasn't heard of isn't legitimate or good enough (which is funny since he won't even accept as valid terms that are listed in the Jargon File)

      --
      Snowden and Manning are heroes.
    4. Re:Darknets = P2P by drinkypoo · · Score: 2, Interesting
      It's well known that I am a nitpicker, but if a darknet is supposed to apply to P2P, then FTP doesn't count because it's client-server :) The whole idea of such a term is absurd. We already have a name for peer to peer, it's P2P. A private P2P network is just that, private P2P. A private FTP is also simply a private FTP. Why make this harder than it has to be?

      My not having heard of it doesn't make it "not good enough", there are plenty of more logical reasons for that. My not having heard of it is enough argument (to me) that it's nothing like a standard term, it's just something that one or two people have pulled out of their ass and it hasn't caught on for one reason or another. This would not apply if it were some field or subject I was unfamiliar with, but as I am not unfamiliar with P2P, but have never heard/read the term "darknet" I can only assume that it is a term in extremely limited use. Like, by wanker pundits who desperately want to be the ones to coin a new phrase.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Darknets = P2P by 0x0d0a · · Score: 3, Funny

      Like, by wanker pundits who desperately want to be the ones to coin a new phrase.

      Nicely put, though it applies to half of the tech journalist types out there.

    6. Re:Darknets = P2P by Geek+of+Tech · · Score: 3, Interesting
      Let's read this little snippet of the article....

      [snippet]

      A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are "dark" because there is, seemingly, nothing within these networks.

      A Darknet does in fact include at least one server, designed as a packet vacuum. This server gathers the packets and flows that enter the Darknet, useful for real-time analysis or post-event network forensics.

      Any packet that enters a Darknet is by its presence aberrant. No legitimate packets should be sent to a Darknet. Such packets may have arrived by mistake or misconfiguration, but the majority of such packets are sent by malware. This malware, actively scanning for vulnerable devices, will send packets into the Darknet, and this is exactly what we want.

      [/snippet]

      Think this kind of scenario...

      A computer gets some form of malware on it that scans random addresses in its attempt to find vulnerable hosts. I'm going to use the name Blaster for this fictional bug...

      Now let's assume that the IP for your darknet box is aaa.bbb.ccc.ddd. If the bug randomly chooses your box (which isn't entirely unlikely) to scan, you will instantly know something is up. We're not talking "Oh no the evil **AA is after us!" (where ** is any two letters). We're talking more "Hmmm... Someone is trying to send data to an address that as far as anyone knows doesn't have any device on it." It's safe to consider a box compromised if they try to send data to an address that isn't used.

      --
      Stop the Slashdot effect! Don't read the articles!
    7. Re:Darknets = P2P by analog_line · · Score: 2, Informative

      "Honeypots" are usually called such because they're set up to look like an easy mark for a hacker. Fake services, wide open holes, etc, and all the while logging every blessed thing that happens on the machine.

      "Darknets" at least as described here, are not set up to be juicy targets. Technically they shouldn't be targets in the least. They are to all appearances dead IP addresses, hence calling them "dark." This method doesn't catch the perpetrator in the act. Most of what it does is watch for IPs that are doing wide scans, like many of the recent self-replicating worms/virii. In other words, there's no honey for anyone to go after. It's more the equivalent of hiding a camera in the middle of a forest where no one ought to be and see who's walking around.

    8. Re:Darknets = P2P by Anonymous Coward · · Score: 0

      The name "darknet" for private file exchange networks makes sense when you look at them from the outside: You can't tell if something's there. These networks emit (almost) no information about their existence. Public P2P networks on the other hand are blindingly bright, as anyone with a logging system on a dynamic IP account will tell you.

    9. Re:Darknets = P2P by Atryn · · Score: 1
      It's safe to consider a box compromised if they try to send data to an address that isn't used.
      Technically I wouldn't agree with the above statement. Haven't you ever mistyped an IP address? That doesn't mean my box is "compromised", unless you mean by a faulty user. :)

      Another scenario could involve someone spoofing a source IP and, by random chance, picks yours. The system that gets that spoofed stuff may try to verify it or contact back, but that doesn't mean they are compromised.

      Still, an interesting tool. I think there are better uses for the amounts of IPv4 address out there though.
      --
      Come play Moral Decay!
    10. Re:Darknets = P2P by Anonymous Coward · · Score: 0

      Wow, you read the article, thank you Captain Obvious!

    11. Re:Darknets = P2P by Anonymous Coward · · Score: 0

      Not quite. Situation: you are a network admin in charge of a /16 netblock. You have this wonderful tool called "Angry IP" which scans the network and reports all hosts/ip addresses which are alive. It scans EVERY SINGLE IP ADDRESS in your /16, so it would certainly hit a "darknet" you might have.

    12. Re:Darknets = P2P by Anonymous Coward · · Score: 0

      It's like catching a wardialer with a seemingly busy line which actually alerts the phone company that you've just called 358-9400 - 358-9499

  6. So hows this work now? by Kenja · · Score: 2, Interesting

    How do you track so called "naughty network traffic" when it goes to an IP with no services or servers? I guess you could do this with something along the lines of a "border" firewall (rather than a NAT system). But few of us have such a setup.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:So hows this work now? by Richard_L_James · · Score: 5, Funny
      How do you track so called "naughty network traffic" when it goes to an IP with no services or servers?

      Easy by monitoring for traffic with the evil bit set which will either be originating from hell or going there :)

    2. Re:So hows this work now? by MikeJ9919 · · Score: 2, Informative

      No active services or servers. Key word: active. Passive monitoring would seem to be the rule.

    3. Re:So hows this work now? by Anonymous Coward · · Score: 1

      Well, first you RTFA!!!

      Then you use your SPARE IP space as your darknet. Your SPARE IP space shouldn't have ANY traffic so ALL traffic going to that space is 'naughty network traffic'

    4. Re:So hows this work now? by Flower · · Score: 4, Funny

      My question is what do you do to naughty network traffic? Do you scold it, give it a time out or do you tie it up and make it your slave?

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    5. Re:So hows this work now? by hearingaid · · Score: 3, Informative
      ipf or ipfw, on a BSD system.

      The equivalents in Linux would be ipchains and iptables, I do believe. (My firewall's FreeBSD, never touched any Linux firewall rules.)

      These tools allow you to log raw packets. Handy.

      --

      my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

    6. Re:So hows this work now? by Anonymous Coward · · Score: 0

      do you tie it up and make it your slave

      Only if it's black or Iraqi ...

    7. Re:So hows this work now? by mwood · · Score: 1

      Um, the network only *appears* to be vacant. No packets come out of it, at least none that anybody else can see. You could have the address space stuffed to capacity with machines ingesting the passing traffic; they just don't accept connections from anyone but you. Like 'iptables -A INPUT various switches -j DROP' -- the packet goes in but nothing ever comes back out.

      Or imagine a room. Someone is standing behind the curtain, listening to everything that's said, saying nothing and never moving.

  7. Use this for... by chrispyman · · Score: 2, Informative

    It would seem like a good idea to use the info collected by the Darknet to perhaps automatically blacklist those offending IP addresses or perhaps to automatically complain to the offending ISP.

    1. Re:Use this for... by Anonymous Coward · · Score: 1, Insightful

      Good idea to automatically blacklist?

      Yeah, a great idea - those forged packets won't surmount to DoS attacks at all!

    2. Re:Use this for... by Lehk228 · · Score: 1

      wouldn't need forged packets, set up a web page with
      <img src="darknet.ip.address.here/file.jpg"> and blacklist everyone who shows up to your site.

      --
      Snowden and Manning are heroes.
    3. Re:Use this for... by Anonymous Coward · · Score: 0

      You're right, they don't amount to a DoS if you have a clue about how to wire up a net. Keep a little state, add a little clue, it works beautifully. Make sure you add an expiry mechanism, and a whitelisting mechanism. Instant network sanity for any sysadmin with a few hundred thousand hosts.

    4. Re:Use this for... by dohcvtec · · Score: 1

      It would seem like a good idea to use the info collected by the Darknet to perhaps automatically blacklist those offending IP addresses or perhaps to automatically complain to the offending ISP.

      If I understand things correctly, this is part of how spamcop works. They have "dark" email addresses - addresses which have never been used or published anywhere. If they receive any mail to these addresses, it's clear that the hosts sending these messages are spammers. Same principle, but at a higher level.

      --
      -- Never hit a man with glasses. Hit him with a baseball bat.
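
The objections raised in this thread (a mistyped address or a reply to a spoofed source is not a compromise; automatic blacklisting needs state, an expiry mechanism and a whitelist) can be combined in one filter over darknet sensor records. This is an added example, not code from the article or from any commenter; the prefixes, thresholds, class and function names are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumptions, not from the thread: RFC 5737 documentation prefixes stand in
# for real address space, and the thresholds are illustrative.
DARK_NET = ipaddress.ip_network("192.0.2.0/24")        # routed but unused space
WHITELIST = {ipaddress.ip_address("198.51.100.53")}    # e.g. the admin's own scanner
MIN_DISTINCT_TARGETS = 3   # dark addresses a source must probe before listing
BLOCK_TTL = 1800           # seconds before a listing lapses

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits


def classify(flags):
    """Label a TCP packet captured in the darknet by its flag bits."""
    if (flags & SYN) and not (flags & ACK):
        return "probe"         # connection attempt to an address that serves nothing
    if (flags & RST) or ((flags & SYN) and (flags & ACK)):
        # A reply to a packet that forged a dark address as its source:
        # the sender is the target of someone else's traffic, not a scanner.
        return "backscatter"
    return "other"


class DarknetBlocklist:
    """Temporary blocklist fed by darknet observations."""

    def __init__(self):
        self.targets = defaultdict(set)   # source -> dark destinations probed
        self.expires = {}                 # source -> time the listing lapses

    def observe(self, ts, src, dst, flags):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst not in DARK_NET:
            return "ignored"
        kind = classify(flags)
        if kind != "probe":
            return kind                   # never list on backscatter
        if src in WHITELIST:
            return "whitelisted"
        self.targets[src].add(dst)
        # One stray packet (a mistyped address) is not enough. A passive
        # sensor cannot prove a SYN's source is genuine, so the threshold,
        # whitelist and expiry only bound the damage of a forged listing.
        if len(self.targets[src]) >= MIN_DISTINCT_TARGETS:
            self.expires[src] = ts + BLOCK_TTL
            return "listed"
        return "probe"

    def active(self, now):
        """Drop lapsed entries and return the sources still listed."""
        for src in [s for s, t in self.expires.items() if t <= now]:
            del self.expires[src]
            del self.targets[src]
        return sorted(str(s) for s in self.expires)


# Constructed sample records: (timestamp, source, destination, TCP flags)
SAMPLE = [
    (0, "203.0.113.7", "192.0.2.10", SYN),
    (1, "203.0.113.7", "192.0.2.11", SYN),
    (2, "203.0.113.7", "192.0.2.12", SYN),          # third dark address: listed
    (3, "203.0.113.99", "192.0.2.40", SYN | ACK),   # reply to a spoofed source
    (4, "203.0.113.50", "192.0.2.77", SYN),         # single stray packet
    (5, "198.51.100.53", "192.0.2.1", SYN),         # whitelisted scanner
    (6, "203.0.113.7", "198.51.100.80", SYN),       # destination is not dark
]


def run(events):
    """Feed events through a fresh blocklist; return it and the per-event labels."""
    bl = DarknetBlocklist()
    return bl, [bl.observe(*e) for e in events]


if __name__ == "__main__":
    bl, labels = run(SAMPLE)
    for event, label in zip(SAMPLE, labels):
        print(event[1], "->", event[2], label)
    print("listed at t=100:", bl.active(100))
```
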
  8. Re:Very cool! by Canadian_Daemon · · Score: 0

    What is the difference between darknet and a sniffer? I would RTFA, but /.ed already

    --
    This sig is definitive. Reality is frequently inaccurate.
  9. Wait a minute.... by Crazy_MYKL · · Score: 0

    Does this mean Darknets are for pr0n?

    --


    <jedi> There is something funny here. You laugh. </jedi>
    1. Re:Wait a minute.... by Newt-dog · · Score: 0
      Does this mean Darknets are for pr0n?

      No, Pinknets are for pr0n!! hehe ;-)

  10. Nothing really new here... by Autonin · · Score: 5, Informative

    The Juniper (NetScreen/OneSecure) IDP has done a similar thing for years now.

    You can assign it any IP and port combination, and it will ACK for any SYN's sent to it, whether there's a real server running on that IP or not. Such 'unsolicited' connections are a bad-traffic giveaway.

    --
    -AutoNiN
    1. Re:Nothing really new here... by scottv67 · · Score: 2, Interesting

      I was going to mention the Netscreen IDP but you beat me to the punch. I had an IDP that protected 141.106.0.0/16. I had the Honeypot feature enabled so that if you scanned certain addresses, the IDP would blacklist your source address for 30 minutes. It worked *very* well for shunning lazy portscanning kiddies.

      The IDP is a very impressive piece of technology. A very good complement to a Layer 3 firewall.

      -Scott

    2. Re:Nothing really new here... by TCM · · Score: 1

      What? Some kid sent "malicious" packets with the source address of your dns servers/some other vital host?

      Automatic blacklisting, Mr DoS. Mr DoS, meet automatic blacklisting.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
  11. Really . . . by OverlordQ · · Score: 4, Insightful

    These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.

    That's like the mailman trying to deliver letters to Santa Claus, or somebody addressing a letter wrong, thank God I know all those letters are Aberrant now.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Really . . . by techno-vampire · · Score: 2, Informative

      Aberrant doesn't have to mean malicious. It just means that they're someplace they don't belong. If you misaddress a letter, or misdial a phone number, the result is aberrant because you end up somewhere you don't belong.

      --
      Good, inexpensive web hosting
    2. Re:Really . . . by OverlordQ · · Score: 1

      That's what I'm saying, how is this news? Isn't this common sense?

      --
      Your hair look like poop, Bob! - Wanker.
    3. Re:Really . . . by LostCluster · · Score: 5, Interesting

      The USPS is well aware of that concept. That's why they have Mail Recovery Centers (commonly called a Dead Letter Office), to which anything that has an invalid delivery address and either a missing or invalid return address goes.

      These centers are the only part of the postal system allowed to open letters intentionally... as the privacy concern goes out the window in one last ditch attempt to try to figure out where it should be going. Any property that ends up there and has no address indications inside ends up going up for auction. Some charities take the letters addressed to Santa to find ones that indicate particularly needy families and grant wishes.

      Snail mail just can't drop packets on the floor as easily...

    4. Re:Really . . . by drinkypoo · · Score: 3, Insightful
      Snail mail can easily have dropped packets - you (or your mail carrier) can miss the mailbox.

      Not only that, but I'm betting a dramatically higher percentage of snailmail packets are misdelivered than IP packets. I am constantly getting mail for my neighbors in unit A in my mailbox, unit B. One wonders if it's my mail carrier or the mail sorters. It's not that they're getting the mailboxes confused, because I get my mail in there at the same time, it's an issue with sorting.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Really . . . by Effugas · · Score: 4, Insightful

      Snail mail just can't drop packets on the floor as easily...

      Quite the contrary; it's far easier to drop a letter on the floor. A letter has mass. ;-)

    6. Re:Really . . . by chgros · · Score: 1

      Snail mail can easily have dropped packets
      Yes, especially mail-in rebates

    7. Re:Really . . . by paraax · · Score: 1

      As does an IP packet, really... at any given time the packet must exist as electricity or photons both of which have mass. On the other hand, the information is independent of its mass.

    8. Re:Really . . . by Anonymous Coward · · Score: 0

      Actually, in most offices it's the carrier's job to sort the mail for his own route. Every carrier does his route just his way (with a lot of small changes inside the larger route plan). It would be impossible for someone else to sort the mail accurately -- Then again, maybe that's your whole point!

    9. Re:Really . . . by menscher · · Score: 1
      at any given time the packet must exist as electricity or photons both of which have mass

      Umm, no. Photons do NOT have mass. And electricity is the movement of electrons. Movement doesn't have mass.

    10. Re:Really . . . by mlk · · Score: 2, Insightful

      Snail mail just can't drop packets on the floor as easily...

      You don't live in the UK do you?
      --
      Wow, I should not post when knackered.
    11. Re:Really . . . by Anonymous Coward · · Score: 0

      Hmmm... In 8 years of doing rebates I've received all but I think 2 without hassle (Minus the one where somebody forgot to save the code from their e-filing so they couldn't get that back...the company refused to even talk about it or anything). A couple took a bit of work because Staples put the wrong stuff on their receipt for that rebate and it got sent to the wrong offer number. It got taken care of. Beyond that I have had only one other problem, again with staples cuz the sales lady told me the product qualified for rebate and it didn't. In the end I managed to get it however, staples tore the UPC off of a correct product and rang it up and then returned it but let me have the receipt. Hehehe. Oh well, I got my money. So in all this time I've done a good 50+ rebate offers with basically 100% success. So beyond errors on my part or others, 100% of my rebates have been honored. That means rebate offers are real and valid, and in my experience they work. I just guess the real problem is even slashdot users on the whole are too stupid to read the forms right and photocopy everything before they send it in.

    12. Re:Really . . . by funk_phenomenon · · Score: 1

      Movement of electrons doesn't have mass, it has inertia, since the electrons contain the mass. As for photons, no mass, no inertia.

      --

      Even the samurai
      have teddy bears,
      and even the teddy bears
      get drunk

    13. Re:Really . . . by WhiteDragon · · Score: 1

      or in netflix dvds...

      --
      Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
    14. Re:Really . . . by WhiteDragon · · Score: 1

      well, interestingly enough, photons do have mass (in the form of energy) but they have zero "rest mass" (except that a photon can't be at rest afaik). They do have inertia, that is how a light sail works.

      --
      Did you mount a military-grade, variable-focus MASER on an unlicensed artificial intelligence?
    15. Re:Really . . . by merlin_jim · · Score: 1

      Snail mail just can't drop packets on the floor as easily...

      Quite the contrary; it's far easier to drop a letter on the floor. A letter has mass. ;-)


      Not to be nitpicky...

      oh fuck it, yeah I'm being nitpicky.

      Mass does not allow you to drop something on the floor. Weight allows you to drop something on the floor.

      And packets do have weight. We would just need to be orbiting a black hole at the event horizon (impossible, I know) in order to drop a packet far enough to hit the floor. I guess you COULD put the packet on a fiber line and cut the fiber and aim that at the floor, but that would be more like throwing it at the floor than dropping it...

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    16. Re:Really . . . by Effugas · · Score: 1

      Aha, but I outnitpick you! You see, I specifically wrote that it was easier to drop a letter on the floor, due to its mass -- not that it was impossible to drop a photon.

      And objects have mass, not weight. Weight is an environmental factor, not an inherent one. Various environments will imbue a different weight upon an object, but its mass is an inherent part of its nature. It is this mass that is attracted to the prototypical floor with The Earth below it.

      Black holes, by contrast, don't have floors.

      --Dan

    17. Re:Really . . . by merlin_jim · · Score: 1

      Ahhh that easier qualifier is in fact a better nitpick.

      I would like to say that it is not the mass that lets one drop a letter, it is the weight. Were one in microgravity and one let go of a letter in the middle of the room, it would not be attracted to the floor. It is the weight, the force of gravity on the letter, that causes it to drop.

      --
      I am disrespectful to dirt! Can you see that I am serious?!
    18. Re:Really . . . by PateraSilk · · Score: 1
      Totally OT, but:

      Photons *do* have inertia. That's what makes lightsails work.

      From a quick Google search, here's some math that says photons do have inertia.

      --
      Danke tres mucho, tovarishch.
  12. My University already monitors content, by asl24 · · Score: 0

    and you can bet your bippy (who really knows what that means anyway) that we get kicked out of school if caught looking at things we oughtn't be.

    --
    I signed this
    1. Re:My University already monitors content, by DerProfi · · Score: 1

      that's sweet bippy, you insensitive clod!

      BIP

      --

      3000+ comments meta-modded. 0 mod points awarded.
      Lesson for other meta-suckers: Don't believe the hype!
  13. The power of the Darknet by techno-vampire · · Score: 1

    Come to the Darknet, little cracker; you know you want to.

    --
    Good, inexpensive web hosting
  14. Very Interesting by DeltaSigma · · Score: 4, Interesting

    It's like a honeypot, except designed to catch worms, rather than live hacking attempts. Hell this could be extended with fake entries in a corporate address book to monitor worms that spread via e-mail communication.

    I like the idea, and wish I had the corporate status to consider an implementation at my company.

    1. Re:Very Interesting by 0racle · · Score: 1, Redundant

      You can set a honeypot like honeyd to essentially passively capture all traffic to a subnet, which would log all worms as well. So a darknet is a lot like a honeynet, except you can't do as much with it.

      --
      "I use a Mac because I'm just better than you are."
    2. Re:Very Interesting by mikael · · Score: 2

      Hell this could be extended with fake entries in a corporate address book to monitor worms that spread via e-mail communication.

      Going by the junk mail I receive in my domain site, you don't even need a valid E-mail address. The spammers just create a @yourdomain.com address and take their chances with a catch all E-mail address.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    3. Re:Very Interesting by DeltaSigma · · Score: 1

      So I see. Well that's good to know. I never invested the time to look into real honeypots, as I don't really have a network of computers lying around.

      I thought the big draw on honeypots was that they were supposed to look like a single, easily-compromised, and thus desirable system when there were real hackers trying to break into the network. I had no idea it could tackle worms pinging random hosts as well.

      So it would seem that a darknet is essentially redundant to a very customized honeypot, correct?

    4. Re:Very Interesting by Zocalo · · Score: 5, Interesting
      I like the idea, and wish I had the corporate status to consider an implementation at my company.

      You don't need to be a big company to do this, just a little savvy and a DSL line. I've been doing something like this for a while with my DSL router's firewall which has a feature to copy any traffic matched by a rule to the LAN with the target set to an arbitrary MAC address. I have it set up so that any traffic targeted at my unused IPs gets directed to a bogus MAC on the LAN where it gets directed by my switch to be captured by an old laptop. With the flick of a few config files, I can get a honeypot running too, so I can get a little more than the initial "SYN" of TCP sessions.

      You get some fascinating stuff. My IP space is a few class B's away from some allocated to S. Korea, and a few months ago I saw someone testing a worm exploiting MS-DS in real time. The scriptkiddie had obviously made a typo, because instead of port 445 the traffic was hitting 455, but the traffic was clearly trying to use a known buffer overflow and was coming from a dozen or so IPs all within a single ISP.

      Unfortunately, the email I sent to the ISP's NOC listing the source IPs didn't get acted on in time. After about an hour the guy must have corrected the error and the traffic switched to port 445 and the number of source IPs started to grow... I never did find out precisely which one of the many, many, MS-DS exploits circulating at the time this one was though. :(

      --
      UNIX? They're not even circumcised! Savages!
    5. Re:Very Interesting by 0racle · · Score: 1

      A non-interactive, specifically configured honeypot seems like a good way to describe it ya.

      When you think about it, it makes sense that a honeypot could do this in its normal course of operation, since most unwanted traffic is not specifically aimed at you, but rather just someone looking for something to do, if it wasn't able to respond to random pings like this, it's useless for most of the unwanted traffic you want it to absorb.

      --
      "I use a Mac because I'm just better than you are."
    6. Re:Very Interesting by Anonymous Coward · · Score: 0

      It's an interesting idea, but worms can defeat it easily. They just need to watch the outgoing traffic, and only attempt to contact hosts that the client has already contacted itself.

    7. Re:Very Interesting by cavebear42 · · Score: 1

      I have also never thought of this and have never set up a honeypot. I deal considerably with virus patching and do have the corporate status to consider this. Does anyone know of a good, free, Windows based solution? (I am well aware that this is a linux heavy board but the management is always more comfortable when I bring Windows solutions to the table in a Windows shop.)

    8. Re:Very Interesting by cuban321 · · Score: 1

      What firewall software are you using?

    9. Re:Very Interesting by Zocalo · · Score: 3, Informative
      I have a Draytek Vigor 2600 series DSL router and use the onboard firewall (I think it's IPF) to actually redirect the traffic onto the LAN with the bogus MAC. The traffic is then directed to a dedicated port and VLAN on my Cisco switch via the IOS config, keeping aberrant traffic as far away from other traffic as I can. The only other device on the VLAN is my old Toshiba which is, by default, running IP-less.

      The Tecra is currently running Fedora Core 1 with IPTables enabled and a bunch of IDS and traffic capture tools installed. Finally, I have modified numerous scripts to seamlessly enable and disable IP on the box if I want to run the Honeypot or anything else that requires a real IP address - I have enough IPs that I don't need to bother with NAT. There is also some basic checking in place to make sure if I run two scripts that would bring up the IP interface then shut the first down, it doesn't bring down the IP interface with it.

      --
      UNIX? They're not even circumcised! Savages!
  15. I want one! by BoxOfCuriosity · · Score: 4, Funny

    I want an IP in the darknet!

    I can hear the cry of the children everywhere!

    Oh yeah! and what's an IP?

    The Box is Open

  16. But then by trialsboy · · Score: 5, Insightful

    Ok, it's a really good idea, but catching the naughty traffic isn't the hard part, what does it do with the naughty traffic it gets, just make a pretty graph?

    --

    "Pushing little children, with their fully automatics, they like to push the weak around"
    1. Re:But then by drinkypoo · · Score: 2, Interesting

      How about logging it and initiating some security rules with it? It should be simple enough to write a little daemon which will watch for log messages and institute temporary (or not temporary) firewall rules to block traffic from those hosts. The nature of the block (temporary or non) can be contingent on the type of traffic. Illegitimate connections on ports known to be used for undesirable activity would be grounds for a longer block than, say, a connection to port 80 on an IP address adjacent to a legitimate webserver. (People do mistype addresses occasionally and there are legitimate reasons to access hosts by IP, like when name resolution is broken and you need to get a file onto the machine to fix it.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:But then by merlin_jim · · Score: 1

      I'm thinking of making an implementation that heads off to our forest and deactivates the computer account when it gets a couple bad packets, while paging our admin. Might be a pretty simple way to stop worms before they get too far...

      Of course this is for internal computers, but we have a DMZ to take care of external baddies...

      The problem with what you propose is that you need a firewall between you and the bad computer for it to be effective. Our problem has been the internal worms once activated. And more often than not those get in through ways and means that can't be protected against. Like that time I let SQL Slammer in by hooking up to the net at home, hibernating, and taking my laptop in to work the next day. Sure I use a firewall at home now (I didn't care enough to do so before), and sure all our laptops have personal firewalls on them by default now, but still... the damage was done once it got into the network...

      --
      I am disrespectful to dirt! Can you see that I am serious?!
  17. Re:Slashdot "punishment" problem by mcgroarty · · Score: 2, Insightful
    but don't punish people for being funny!

    I have read thousands of Slash posts, and I promise you that being funny has never been a problem.

    Seriously. I've read Dilbert and User Friendly, and what passes for +1 Funny with you folks isn't. It's complaining with community tech jargon thrown in, or it's complaining, or it's misuse of community jargon by outsiders.

    I'm not the only one who's made this observation. You guys need a serious humor overhaul. Look to some humor sources from better-adjusted people to fully understand your problem.

    LOL, I hate Monday too, John Arbuckle. Let's see what ole Marmaduke's up to.

  18. Analyzing the Witty worm with a massive darknet by G4from128k · · Score: 4, Informative

    The analysis of the Witty worm (discussed on /. here ) used a massive darknet subtending 1/256 of the entire IPv4 address space. This gave them an excellent sample size for analyzing the behavior of the worm.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Analyzing the Witty worm with a massive darknet by Anonymous Coward · · Score: 0

      Try this link for the analysis of the Witty Worm.

    2. Re:Analyzing the Witty worm with a massive darknet by br0ck · · Score: 3, Informative

      I believe you meant this for your first link.

    3. Re:Analyzing the Witty worm with a massive darknet by Anonymous Coward · · Score: 1, Funny

      I think you meant this.

  19. ARIN by EdMcMan · · Score: 2, Funny

    Somehow I doubt ARIN and IANA will like this.

    1. Re:ARIN by Autonin · · Score: 5, Informative

      Why not? The 'DarkNet' concept uses *already allocated* IP space that just happens to not be actually used at present. ARIN has nothing to do with this - they've already given out the addresses to registered holders.

      I'm Mr. Huge ISP, with gobs of class B's and class C's already allocated to me, the routes for these subnets already advertised on the backbone as coming to me, I might as well do something with the space until I can put some servers there later.

      Fire up a Juniper IDP and configure it for those unused networks. Then when bad guys come a'callin', you'll be able to log or block as you like.

      --
      -AutoNiN
    2. Re:ARIN by EdMcMan · · Score: 1

      Well, you need to have a certain amount of host usage to be able to ask for more space.

      I'm sure they will not be happy if Mr. Huge ISP run a darknet and then goes back for more ips because they made the darknet too big.

    3. Re:ARIN by digitalsushi · · Score: 4, Informative

      ARIN doesn't care what you do with anything smaller than a /29. 16 IP blocks and larger you do, though. Hell there's colo servers you can rent that'll give you a /24! What a waste, that is. But they'll allow for the excuse that someone has a crap web server that can't do name based hosting. Like ugh ... what was that. Cold Fusion! as recently as 2002 needed one IP per website.

      And of course, if you don't document who's using what, they don't do anything about it anyways. God help you if you want more IPs, though.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    4. Re:ARIN by Feyr · · Score: 1

      one word: SSL sites

    5. Re:ARIN by pyrrhonist · · Score: 4, Funny
      one word: SSL sites
      $ echo "SSL sites" | wc -w
      2
      WTF?
      --
      Show me on the doll where his noodly appendage touched you.
    6. Re:ARIN by Penguinshit · · Score: 1


      The idea is that if you need more IPs, you re-allocate some of those you were using for the Darknet. Only when you are exhausted of IPs (meaning no more Darknet left to pilfer) do you go to IANA and request another block.

    7. Re:ARIN by scottv67 · · Score: 0, Offtopic

      Autonin:

      Are you a Netscreen customer or a VAR?

      Just curious,
      -Scott

    8. Re:ARIN by Autonin · · Score: 0, Offtopic

      A bit closer than that. :)

      --
      -AutoNiN
    9. Re:ARIN by scottv67 · · Score: 0, Offtopic

      I see... ;^)

      -Scott, ex-customer, current VAR. :^)

    10. Re:ARIN by colinleroy · · Score: 1

      one word: mod_ssl

      --
      blah
    11. Re:ARIN by Hobophile · · Score: 1
      According to the mod_ssl FAQ, you still need IP-based virtual hosts for SSL to function properly.

      Your comment seems to imply that this has changed, but I can't find any supporting documentation.

  20. HoneyPot? by molo · · Score: 4, Insightful

    Sounds like a standard HoneyPot, except the only machine on the network segment is a packet sniffer, so the address doesn't have any real destinations.. Not a big deal. I'm sure the honeynet people have done similar.

    -molo

    --
    Using your sig line to advertise for friends is lame.
    1. Re:HoneyPot? by j3ll0 · · Score: 5, Interesting


      Yeah, agreed, but.....

      I think motivation is important here. Honeypots by their nature are designed to entice black hats into attacking them...so that the owner of the honeypot can analyse what the latest and greatest black hats are going to look for, exploit etc

      A darknet setup is passive in that it logs aberrant traffic. It tells you when something out there is actively scanning large gobs of your address space.

      Ever played with Snort\ACID and a ruleset from somewhere like Whitehats on a live user subnet ? You get so many false positives that you start to pare down your ruleset. You keep doing this until you start to question the validity of the IDS in the first place.

      I think this idea has some real utility....even if it is just to create another dataset to throw at MRTG !! :)

    2. Re:HoneyPot? by Anonymous Coward · · Score: 0
      The purpose of a honeypot is also to catch aberrant traffic. Anything out of the ordinary really. A DarkNet sounds to me like it's just a specialized form of honeypot, if anything.

      I highly recommend Honeypots: Tracking Hackers by Lance Spitzner for a good read.

  21. Re:Very cool! by 0racle · · Score: 4, Informative

    A sniffer will sniff all traffic on the wire for malicious activity, whereas this, since there is no reason for any traffic to be directed at these addresses or routed to that subnet, you know immediately something is up.

    If it seems like you've heard it before, you probably have, it's similar if not the same thing to a honeypot/net.

    --
    "I use a Mac because I'm just better than you are."
  22. Re:like anyone here as a /32 ip block by Anonymous Coward · · Score: 0

    /32 is the network filter. That means all you need is a single ip address dumbass

  23. Re:like anyone here as a /32 ip block by sl0ppy · · Score: 3, Funny

    a /32 block is a single machine.

  24. aka blackhole networks by Anonymous Coward · · Score: 5, Informative

    Using dark ip space, bogon space and so on for blackhole network monitoring has been in use for a while to help detect DDoS's and even network worms. Jose Nazario has written quite thoroughly and extensively about their usage in his book, Defense and Detection Strategies against Internet Worms. Check it out if this interests you.

  25. Darknet used as filter. by jelwell · · Score: 5, Insightful

    An interesting use of a darknet would be to shield a real server from unwanted attacks. Have the darknet relate any internet IPs that contact the darknet to your real server to ignore.

    As an example. Set up a darknet on the following IPs:
    DARK_A : 204.210.34.1
    DARK_B : 204.210.34.3

    Set up the real server mathematically between the two darknet IP addresses:
    REAL : 204.210.34.2

    Now have DARK_A & DARK_B contact REAL whenever DARK_A or DARK_B receive any packets. REAL can be set up to, on the fly, filter out any packets received from the same source as the DARK servers reported.

    In a sense you're creating a realtime blacklist. You can set the list on a timed delay to expire. Or even filter out specific packet signatures instead of entire suspect IP addresses.

    just a thought...
    Joseph Elwell

    1. Re:Darknet used as filter. by cTbone · · Score: 1

      Excellent idea, I think I shall try that out later this week.

    2. Re:Darknet used as filter. by digitalsushi · · Score: 4, Interesting

      WHOA there cowboy. Some of us out here enjoy an occasional ice cold beer or two or three, and I think I'm not alone in saying that we don't always hit the target. Don't discriminate against drunken surfers! If all the requests are for port 80, say, best be you lettin' us in anyways, boy.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    3. Re:Darknet used as filter. by jrl · · Score: 5, Informative

      Be sure to whitelist certain "key" addresses. This is the same problem you'll run into with "active" IDS/IPS.

      To paraphrase a smart person (can't remember who), when you let the bad guys write your firewall rulesets for you, bad things could happen.

      When you actively block things based on perceived bad traffic, you are in essence allowing the bad person to write some rules for you.

      Imagine if your attacker knew your default route and sent some spoofed packets to .1 and .3, thus killing all traffic from .2 to the net. etc, etc, etc.

      Best of luck.

    4. Re:Darknet used as filter. by kiolbasa · · Score: 5, Informative

      A good idea, similar to how spam-trap addresses can be used to build spammer blacklists. However, you would have to do something to keep packets with forged return addresses from spoiling your blacklist. This might mean completing TCP connection setup, etc., to verify the source. Your darknet wouldn't be passive and totally silent, which is what the article seems to imply in its definition of a "darknet." Of course, other analysis of the packets could weed out false positives.

      --

      Beer wants to be free
    5. Re:Darknet used as filter. by syknes · · Score: 2, Insightful

      Very clever. So I send a bunch of packets to DARK_A and DARK_B with forged sender headers so that REAL starts blocking legitimate traffic from the senders I faked.
      Realtime blacklists are lovely tools for denial-of-service attacks. Probably why you don't see more of them out there.
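
Added example, not code from any poster or from Team Cymru: a darknet-fed blocklist in Python that combines the timed expiry and port-dependent block length proposed in this thread and in the earlier "But then" reply with the two safeguards raised in the replies above, an allowlist for key addresses and a refusal to act on sources that could be forged. The log format, TTL values, port list and documentation-range addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Policy values are assumptions for this example, not taken from the thread.
LONG_TTL = 24 * 3600    # seconds; verified hit on a port with no innocent explanation
SHORT_TTL = 10 * 60     # seconds; verified hit that may be a mistyped address (port 80)
SUSPECT_PORTS = {135, 139, 445, 1434}


@dataclass(frozen=True)
class Hit:
    ts: int         # epoch seconds
    src: str        # source address as logged by the darknet sensor
    dport: int
    proto: str      # "tcp" or "udp"
    verified: bool  # True only if a TCP handshake with src completed


def parse_line(line):
    """Parse the constructed format: <epoch> <src> <dport> <proto> <state>."""
    ts, src, dport, proto, state = line.split()
    ipaddress.ip_address(src)  # raises ValueError on a malformed address
    proto = proto.lower()
    # A bare SYN or any UDP datagram proves nothing about who sent it.
    return Hit(int(ts), src, int(dport), proto,
               proto == "tcp" and state == "ESTABLISHED")


class DarknetBlocklist:
    def __init__(self, allowlist):
        # Networks that must never be blocked (gateway, resolvers, monitoring).
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.expiry = {}  # ip_address -> epoch second at which the block lapses

    def observe(self, hit):
        """Decide what to do with one darknet hit; returns the decision taken."""
        ip = ipaddress.ip_address(hit.src)
        if any(ip in net for net in self.allow):
            return "allowlisted"
        if not hit.verified:
            # Forged sources would let an attacker write the rules; log only.
            return "unverified"
        ttl = LONG_TTL if hit.dport in SUSPECT_PORTS else SHORT_TTL
        # A repeat offender extends the block, never shortens it.
        self.expiry[ip] = max(self.expiry.get(ip, 0), hit.ts + ttl)
        return "blocked"

    def is_blocked(self, src, now):
        ip = ipaddress.ip_address(src)
        until = self.expiry.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.expiry[ip]  # timed expiry: the entry removes itself
            return False
        return True

    def active(self, now):
        """Addresses to hand to the firewall at time `now`, in numeric order."""
        ordered = sorted(self.expiry, key=lambda ip: (ip.version, int(ip)))
        return [str(ip) for ip in ordered if self.is_blocked(str(ip), now)]


# Constructed sample: the sensor's view of traffic arriving on dark addresses.
SAMPLE_LOG = [
    "1000 198.51.100.7 445 tcp ESTABLISHED",  # verified, suspect port
    "1001 203.0.113.9 80 tcp ESTABLISHED",    # verified, plausibly a typo
    "1002 192.0.2.1 445 tcp ESTABLISHED",     # the (assumed) default gateway
    "1003 203.0.113.50 445 tcp SYN",          # bare SYN, source may be forged
    "1004 203.0.113.77 1434 udp -",           # UDP, source cannot be verified
]
ALLOWLIST = ["192.0.2.1/32"]


def run(lines, allowlist):
    bl = DarknetBlocklist(allowlist)
    decisions = [bl.observe(parse_line(l)) for l in lines if l.strip()]
    return bl, decisions


if __name__ == "__main__":
    blocklist, decisions = run(SAMPLE_LOG, ALLOWLIST)
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{decision:12} {line}")
    print("active at t=2000:", blocklist.active(2000))
```

The "unverified" outcome only turns into a block if the sensor answers SYNs, so this design gives up the total silence of a pure darknet in exchange for a blocklist that spoofed packets cannot fill.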

    6. Re:Darknet used as filter. by Rosonowski · · Score: 2, Insightful

      Heh, but most netsurfing is by DNS. When's the last time you visited a website, drunk, by IP address instead of DNS alias?

      --
      01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
    7. Re:Darknet used as filter. by mhesseltine · · Score: 2, Funny
      Heh, but most netsurfing is by DNS. When's the last time you visited a website, drunk, by IP address instead of DNS alias?

      That actually sounds like a good geek drinking game.

      • Player A gives player B a website (www.yahoo.com, for example)
      • Player B must navigate to that website, by IP address, within X number of attempts.
      • If successful, player A takes a drink. If not, player B takes a drink
      • Player B then gives the address to the next player until one person is left standing.
      --
      Overrated / Underrated : Moderation :: Anonymous Coward : Posting
    8. Re:Darknet used as filter. by Evil+MarNuke · · Score: 1

      Tht would b ton of funn wihen Ipv^.

      --
      The journey is better then the end.
    9. Re:Darknet used as filter. by mhesseltine · · Score: 4, Funny
      Tht would b ton of funn wihen Ipv^.

      I see you've played this game before.

      --
      Overrated / Underrated : Moderation :: Anonymous Coward : Posting
    10. Re:Darknet used as filter. by CGP314 · · Score: 1

      When's the last time you visited a website, drunk, by IP address instead of DNS alias?

      When else would you think that was a good idea? : )

    11. Re:Darknet used as filter. by I)_MaLaClYpSe_(I · · Score: 1
      This method is already being used by an Intrusion Prevention System: ActiveScout from Forescout.

      I have deployed it to protect our company's servers from worms and kiddies because our company is a reseller for it and so it did not cost us anything. But I would not pay anything (or at least not much) for it, because it can't defeat a blackhat targeting your webserver. And I don't fear worms and kiddies, as my servers are properly patched and my firewall is configured correctly. Also I expect the firewall vendors to include similar features in their products soon.

      But on the other hand, if someone would want to implement the ActiveScout engine as open source software, I would not hesitate to suggest to every company to dedicate a linux box for this purpose. (I am a Security Consultant)

    12. Re:Darknet used as filter. by Rosonowski · · Score: 1

      Ok, I can concede as much.

      --
      01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
  26. Darknet not needed by lukewarmfusion · · Score: 4, Insightful

    I have a whole list of bookmarks for my naughty traffic.

    Seriously, though... I have a spare wireless router set up at work that's easily hacked, easily found, and logs every damn thing that touches it. Our real wireless network is obscured, encrypted, mac filtered, etc. I realize it's not technically the same thing as the post describes (I guess you'd call it a honeypot network or something) but it's the same idea.

    Of course, nobody will care if a hacker makes his way into our network (honeypot or not) unless he does some "damage."

    1. Re:Darknet not needed by Anonymous Coward · · Score: 0

      >I have a whole list of bookmarks for my naughty traffic.

      But is any of it Aberrant?

    2. Re:Darknet not needed by hearingaid · · Score: 2, Informative
      That's not a honeypot. It's not really either a darknet. It does have elements in common with both, though - a decoy network?

      A honeypot is a server that appears to be riddled with security holes. What you have isn't a server, so not a honeypot.

      A darknet is an IP-addressable network that appears to be not in use. What you have isn't IP-addressable, so not a darknet. We need a new phrase :)

      --

      my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

    3. Re:Darknet not needed by yo5oy · · Score: 1

      So what is an IP-addressable network? Could the wireless decoy router have an IP address that is accessible to the outside world? Yes. Could that same wireless decoy be the gateway to public IP addresses that are not used? Yes. Why isn't it a darknet then? I don't understand. The OP did not specify if the wireless router was publicly 'addressable' or not.

      --
      a slut did tulsa
    4. Re:Darknet not needed by hearingaid · · Score: 1
      Um.

      If it's a gateway, then it's a gateway to the Internet. You can't just be a gateway to part of the Internet... by definition. Do you know anything about how routers work?

      And it wouldn't be useful if the decoy router was publicly addressable. Random peeps would just hang around and steal his bandwidth; it'd be a wardriving target.

      --

      my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  27. Dark* by whovian · · Score: 1

    Hey! Who knew that the net was missing?

    --
    To-do List: Receive telemarketing call during a tornado warning. Check.
  28. Re:like anyone here as a /32 ip block by ErichTheWebGuy · · Score: 3, Informative

    like anyone here as a /32 ip block

    Maybe you should have learned networking before posting that. You have a /32 block, I do, and so does everyone else here. A /32 block is a single ip address. People with DSL connections, who get more than 1 ip allocated, are perfect candidates. I can even get additional ip's from my cable company, on request, for no additional charge (at least that was the case about a year ago, I heard they charge like 3 bucks a month now).

    --
    bash: rtfm: command not found
  29. HoneyPots by xplosiv · · Score: 3, Interesting

    What's the difference between a darknet and a honeypot/net setup? Both seem to have the same goals, and both use some IP space to detect potential attacks.

    1. Re:HoneyPots by chew8bitsperbyte · · Score: 1

      The difference between the honeypot and the darknet seems to lie in how each advertises itself. While the honeypot can be easily seen on a network as a node with ports open on a network (to attract malicious traffic), the darknet merely acts like fly paper. It traps traffic that lands within the designated IP block.

    2. Re:HoneyPots by Anonymous Coward · · Score: 3, Informative

      honeypots emulate a "real" machine. they provide "real" services and have "real" filesystem, etc. these are designed to analyze human activity (cracking methods and tools).

      darknet seems to be logging traffic to the undefined addresses instead of dropping packets on the floor or sending icmp error responses. darknets don't appear to actually respond to traffic (analyzing worms / automated tools, no intelligence behind them).

  30. Am I the only one by Anonymous Coward · · Score: 0, Offtopic

    who saw their web site and was transported back to 1996? I half expected a looping MIDI background song, and a request for some obscure, obsolete plugin, or maybe a Netscape 3 Now! button.

    Seriously, if anyone from there is reading this, ditch the ugly background image, and get some up to date design! Sheesh. Just like a Welshman to have an ugly webpage.

    1. Re:Am I the only one by Anonymous Coward · · Score: 0

      well now you see what you get from a "vi powered" site.

      C-x c

    2. Re:Am I the only one by 88NoSoup4U88 · · Score: 2, Informative
      Yes, because finding the stuff i want on the second site you referred to is much easier.

      Waitaminute !

    3. Re:Am I the only one by negaPLuCK · · Score: 2, Insightful

      "up to date design" is for marketeers. Simplicity is for conveying information. If you don't like it, don't read it.

    4. Re:Am I the only one by yo5oy · · Score: 1

      the page style may be outdated. it may be unappealing to some tastes, but it is light on my bandwidth and theirs, provides an easy to navigate interface to access information quickly, and looks fine in a console/xterm window. i still use links, lynx, to browse. i use mozilla firebird and dillo on boxes with guis.

      --
      a slut did tulsa
    5. Re:Am I the only one by Anonymous Coward · · Score: 0

      I actually agree with the other poster who said it looked like it needed a Netscape 3 Now! button. And the reason is not that it's too simple -- I like simple pages. The reason is that it uses an ugly background, and has a badge proudly proclaiming what it was developed in (as if anyone cares). :)

  31. I would have thought... by syousef · · Score: 3, Funny

    ...there are easier ways of finding Pr0n aren't there? Like opening up your spam folder :-)

    --
    These posts express my own personal views, not those of my employer
    1. Re:I would have thought... by Anonymous Coward · · Score: 0

      Or your "Download" folder.

  32. Re:like anyone here as a /32 ip block by zerocool^ · · Score: 0, Redundant


    a /32 block is a single machine.

    A /32 is a single routable IP address.

    --
    sig?
  33. OK. by Luke727 · · Score: 1, Funny

    But why do I keep getting packets from Microsoft?

    --
    If you find this post offensive, don't read it! THINK ABOUT YOUR BREATHING! I am what I am because of how apes behave.
  34. I don't get the complexity by DDumitru · · Score: 4, Informative

    The idea here is to catch traffic to otherwise unused network addresses. This does not require any of the stuff that seems to be implied here.

    For example, say you have a Linux system in a colo somewhere (or on the end of a T-1 or some other >1 IP address static network). You have some IP addresses assigned to you that are otherwise not assigned. Here is how you can get all of the darknet functionality with your standard server.

    Some example numbers (none of which are real)

    Unused address to watch: 10.11.12.13
    Interface on which you receive traffic: eth0
    A fake interface to route to: tap0

    Configure your server to ARP the extra addresses:

    arp -Ds 10.11.12.13 eth0 -i eth0 pub

    Set up a "tap" device to route the traffic to:

    tunctl -u nobody -t tap0
    ifconfig tap0 10.11.12.13 netmask 255.255.255.0 broadcast 10.11.12.255 up

    Set up a "route" to the device

    ip route add 10.11.12.13 dev tap0

    At this point the traffic should all route to the fake device tap0. You can run tcpdump on this, set up IP filter chains, run MRTG on it directly, etc. All without any extra hardware.

    For those that work with UML (User Mode Linux), you already recognize this is exactly how you set up virtual UML networks.

    This is also somewhat related to "tar pits" that just answer connect requests to addresses that have un-completed ARP requests.

    Have fun.

    1. Re:I don't get the complexity by Anonymous Coward · · Score: 2, Informative

      Your idea of binding addresses through arp works almost as well, but it is not the same. Once you bind an address through arp, the interface will respond to arp requests. This goes against the author's idea of having absolutely no outbound on the sniffing interface. You can probably get along without it, but it's nice to be able to put up firewall rules that block all outbound and inbound traffic of all types on the sniffer interface, so that you know that anything you collect is genuine Bad Data.

      Also, the approach of using an external router helps in that it allows you to direct packets from all over the place to your darknet machine. If you use arp, that will only direct traffic for IP addresses that are already routed to the network. So, if you route based on x.x.x.x/24 networks as it is and you want a darknet that captures data from outside one x.x.x.x/24 network, then you'll need to make changes on the router *anyway*. Sooner or later, it just becomes cleaner and simpler to dedicate a router to the purpose or at least make some changes on the router.

    2. Re:I don't get the complexity by DDumitru · · Score: 3, Interesting

      You are correct if you are going to route "big chunks" of address space. On the other hand, most of us (at least those with some colo machines at our disposal) don't have spare /24s laying around [and if you do you should give them back to ARIN]. Also, it is arguably better to watch 256 "random" addresses than 256 in a row, so watching a bunch of small blocks is actually better than grabbing a big contiguous block.

      A couple of other points here. ARP does not actually create any extra traffic on the interface that is being watched. In this example, the ARP goes from eth0 to the upstream router. You are packet sniffing tap0. Thus tap0 will show absolutely zero outbound traffic (it cannot because there is no "client" application talking to it). Regardless, we are talking about IP here. If you have traffic reaching your interface that is not IP (and ARP is not IP), just why did the router forward it to you anyway?

      If you have a lot of nets that need to be routed this way, you can still do it. There is nothing wrong with static routes that go thru 5 systems on the way to the tap device. These can cross local LAN segments and provided there are no firewall rules that disallow it, the effect is the same.

      If your purpose is to dedicate resources to this project, then the dedicated network solution is best. Otherwise, the virtual network solution that uses 'arp' and 'tap' devices gets you 100% of the same traffic to analyze.

      My "best" choice if you want to watch a "lot" of addresses would be to run something like LaBrea that responds to "un ARPed" packets. This could be mangled to automatically setup the interface to forward unused addresses within the current block to a tap device. I have not tried this, but it would be fun and not too hard to implement.

  35. No poontang? by Anonymous Coward · · Score: 0

    I thought that Darknet was that new, badly named interacial pr0n site.

    Damn those spamming bastards. Take my $49.99 will they?!

  36. AKA Network Telescopes by BSDevil · · Score: 5, Informative

    These things have been around for awhile, but known as Network Telescopes. The largest (AFAIK) is at UCSD, which is just a tad larger than a /32 (like, say, a /8). They collected some interesting data off the thing during all the Blaster rampages (Google cache of HTML'ed PDF here).

    Also, see the NANOG guide to setting them up here, and the home for the CAIDA/UCSD telescope here.

    So in short, nice job to the Welsh for implementing it, but there's bigger elsewhere for y'all to play with.

    --
    Cue The Sun...
  37. DarkHelmetNet by Anonymous Coward · · Score: 0

    Naughty will always triumph over good because good is dumb!

  38. Like the application process for other universities? by Anonymous Coward · · Score: 0

    Oh I'll show you Post-Grad at brown you school hopping fiend!

  39. Naughty traffic? by bairy · · Score: 1, Funny
    "Darknets can provide useful information for tracking the flow of naughty network traffic."

    Like, traffic that didn't pay its taxes or something?

    --


    Get paid to search..It's geniune and
  40. Hey loser...I've got a /8 block by Anonymous Coward · · Score: 3, Funny

    Well, yes it's 10.0.0.0
    but I control it...and that's what's important.
    Ok, well...yes, I only control it on my side of the router...
    sniff...nevermind

    1. Re:Hey loser...I've got a /8 block by Anonymous Coward · · Score: 0

      > 10.0.0.0 but I control it, on my side of the router

      hehehehe :)

      But that's only one network, you should see
      all the networks I control (192.168.0.0, 192.168.0.1, and a bunch more)

    2. Re:Hey loser...I've got a /8 block by Anonymous Coward · · Score: 0

      I've got a /4: 224.0.0.0. I can use all the addresses I want from it, and they're all globally routable (on networks that support IP correctly).

  41. Um.. by bingbong · · Score: 1

    How is this different than what Lance and the Honeynet ( http://project.honeynet.org ) team are doing?

    --
    "Omnis tuus capsa sunt inesse nos"
  42. Flash withdrawls? by b00m3rang · · Score: 1

    It's got the info it needs, and that's all. Must be a member of the Bandwidth Conservation Society. Fine with me.

  43. IPv6 by sploxx · · Score: 4, Interesting

    Wouldn't this be impossible to create with IPv6? Because of the *huge* address space and the negligible probability of a packet entering a darknet?
    This is in no way an argument against IPv6, I'm eagerly awaiting it - I'm just curious...

    1. Re:IPv6 by glwtta · · Score: 3, Insightful
      I am guessing that the kind of "naughty" traffic this is designed to monitor will also be made obsolete by IPv6's massive address space.

      Seems the purpose is to monitor IP scanning activity - something wholly impractical with IPv6.

      --
      sic transit gloria mundi
    2. Re:IPv6 by Nasarius · · Score: 2, Interesting
      something wholly impractical with IPv6

      Brute force scanning, yes. But plug into the IANA/ARIN/etc databases and you can narrow it down quite a bit.

      --
      LOAD "SIG",8,1
    3. Re:IPv6 by hearingaid · · Score: 1

      Well, at least until everybody's wristwatch is in possession of forty-two IPv6 addresses. :)

      --

      my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

    4. Re:IPv6 by CaptainTux · · Score: 0, Flamebait

      I am *so* tired about reading how we don't need something because IPv6 will come in and raise our children, save our souls, and feed every man, woman, and child on the face of the planet. IPv6 *is* a good thing and it will solve many of our current security concerns. But - and this is the important point so read carefully - it isn't widely adopted yet and probably won't be for a number of years to come. So it doesn't *matter* if IPv6 would solve the problem now. We don't have it deployed well now so we use a stopgap solution until then.

      --
      Anthony Papillion
      Advanced Data Concepts, Inc.
      "Quality Custom Software and IT Services"
    5. Re:IPv6 by glwtta · · Score: 1
      Nobody is saying we don't need anything because of IPv6. We were just wondering how the eventual adoption of IPv6 will affect the technology being discussed.

      So, you know, keep your panties on.

      --
      sic transit gloria mundi
    6. Re:IPv6 by puhuri · · Score: 1

      Well, if you think that it is practical to scan some 2^64 hosts in every network. There is no need to use MAC addresses as a base for a public IPv6 address. And there are lots of networks: the 6to4 alone gives 65536 networks for every IPv4 address in use. For every IPv4 address in use, there are 2^80 possible IPv6 addresses. To scan that 80-bit address space with a 400 Tbit/s link, you would need tens of thousands of years to probe just one port.

      Slashdot should allow <sup>.

  44. Re:Slashdot "punishment" problem by pseudochaotic · · Score: 0, Offtopic

    Question: Why should i believe anything a post at -1 has to say about good karma?

    --
    And the l33t shall inherit the 34r7h.
  45. very useful by vmircea · · Score: 1

    I would definitely recommend trying this sometime, if you don't have a great router (like I do at home *kicks his netgear*) then you can use something like this to watch things, you never know what kind of interesting things you might find (worms anyone?) I've actually found a few odd things using this, such as a windows worm on one of my Windows boxes that I wasn't aware of and that was scanning my whole network. So consider using one of these, you never know what you might find. And kudos on the directions, they are very well done.

  46. Darknet.... by Anonymous Coward · · Score: 0

    Sounds cool, but I wonder what the FEDS would think.

    Since the honeynet was borderline illegal depending on how you set it up(interception of communications is a federal crime) this could also fit that bill.

  47. Re:Slashdot "punishment" problem by Anonymous Coward · · Score: 0

    Well, you see things change, and now the grandparent post is sitting pretty at +5 interesting, while you're still kicking your heels at 1.

    That in itself is pretty funny.

  48. Santa has an address by brunes69 · · Score: 3, Informative

    Santa Claus
    North Pole, Canada
    H0H 0H0

    If you write Santa at this address, he will write back. Not 100% sure USPS will send it over the border, but if they do, it'll work.

    ( Canada Post sends out replies to children each year; I think employees at the post office volunteer and take the time to hand-craft a personal reply to each and every letter, though they may be auto-generated nowadays, i am not certain ).

    1. Re:Santa has an address by Anonymous Coward · · Score: 4, Funny
      Yeah, great. Now everyone will write!

      "OMG! They slashdotted Santa!"
      "Those bastards!"

    2. Re:Santa has an address by Anonymous Coward · · Score: 0

      Santa didn't write that letter? I think I need to cry now

    3. Re:Santa has an address by mlk · · Score: 1

      They do (or did) the same in the UK.
      But I think just "Santa" would do.

      --
      Wow, I should not post when knackered.
    4. Re:Santa has an address by Zachary+Kessin · · Score: 1

      And if you send mail to
      G-d
      The Kotel
      Jerusalem
      Israel

      (Kotel is the Hebrew name for the western or wailing wall)

      The Israeli post will deliver it to the Western wall where it will be put between the stones of the wall. Putting notes to G-d at the Kotel is a very old Jewish tradition. They bring the letters there several times a year.

      --
      Erlang Developer and podcaster
    5. Re:Santa has an address by Anonymous Coward · · Score: 0

      I AM Santa, you insensitive clods!

    6. Re:Santa has an address by brunes69 · · Score: 1

      Meh, I love the whole address. I think the very fact that our postal code format allows you to write H0H 0H0 as the postal code is cute :)

    7. Re:Santa has an address by Anonymous Coward · · Score: 0

      I seem to remember an article once (possibly from slashdot) where a man wrote a letter to Santa via tracked FedEx. Apparently it ended up somewhere in Colorado and he received a response.

      I wish I could find the link...

  49. Re:like anyone here as a /32 ip block by sl0ppy · · Score: 1

    routable or not, /32 is a single ip address.

    192.168.1.23/32 is still an ip address.

  50. Re:Very cool! by AndroidCat · · Score: 1

    Actually, when it only covers a /32 (one IP address) it sounds a lot like a Goober With Firewall. :)

    --
    One line blog. I hear that they're called Twitters now.
  51. Re:like anyone here as a /32 ip block by Anonymous Coward · · Score: 0

    I don't have a /32 you insensitive clod, I access the web over internal proxy. No direct external access.

  52. The problem with the DarkNet... by FatTux · · Score: 1

    ...is the uptime, no one can make it beyond 99 minutes!...

    Sorry guys, couldn't resist...

  53. Re:Naughty traffic ? by LoisMustDie · · Score: 0, Offtopic

    OK, moderators. A sense of humor? Anyone?

  54. Re:Slashdot "punishment" problem by Hatta · · Score: 0, Offtopic

    Well, I guess you can't see it, but on my user page it says "Karma: Excellent" They could mod this one down to -1 it wouldn't matter. You really have to be a consistent ass for a long time to damage the karma.

    --
    Give me Classic Slashdot or give me death!
  55. Re:like anyone here as a /32 ip block by Anonymous Coward · · Score: 0

    Duh, I'm NATed at a university and I DON'T have a public IP. :)

  56. Oh Great... by Anonymous Coward · · Score: 1, Funny

    Now when I type a wrong IP address, John Asscroft will be on my ass....

    1. Re:Oh Great... by Anonymous Coward · · Score: 0

      There's the new thing called DNS you know..

  57. Re:Slashdot "punishment" problem by ikkonoishi · · Score: 1, Insightful

    I have thought about this for a bit now.

    You are right that this is unfair.
    It is just ripe for abuse.

    If you see something that you don't like at +4 Informative. Instead of modding it -1 Overrated which could later be removed in M2 you could mod it +1 funny and prevent any further karma increases for that user.

    A few people with mod points could prop up posts they didn't like with +1 Funnys and mod them down until the account is basically muted as a Troll.

    (This is made difficult by the current protections of limited and basically random gaining of mod points, but if you really had a grudge and a few friends you could do it.)

    Now I know that the purpose of the +1 Funny != Karma restriction is to encourage serious useful discussion, but I think protections need to be put in place to prevent its abuse.

    One very simple way to do this is to make Funny moderations not count for the purpose of allowing further moderation.

    So you could end up with posts marked +N Funny to an arbitrary value of N, while only allowing karma destructive mods to be applied if there was additional karma building moderations.

    So if it is modded +3 Funny it can not be modded -4 Troll, but if it is at +3 Funny +1 Underrated it could be modded to +2 Underrated. (All this assumes it is posted at an initial value of 1 for a registered account.)

    Frankly this is not the place to discuss this.
    Slashdot has a feature request area that is the proper location for your complaint. You will have to register there to make the request, and I don't know what that entails, but if this is important to you then put forth the effort.

  58. True by Pan+T.+Hose · · Score: 1

    That's true. As a matter of fact I do happen to have an /32 ip block ("/32 routable space," if you will, or a "Class D network" with subnet mask no less than 255.255.255.255) and also another /8 one--namely 127.0.0.0/8--a real Class A network with subnet mask of 255.0.0.0, i.e. all IP addresses from 127.0.0.1 up to 127.255.255.255, exactly 16777215 (sic!) routable IP addresses, which I proudly administer, and which happily "capture naughty traffic" on a daily basis (like there was no tomorrow, in fact) thanks to images.google.com. That is why I find this article especially interesting and insightful.

    --
    Sincerely,
    Pan Tarhei Hosé, PhD.
    "Homo sum et cogito ergo odi profanum vulgus et libido."
  59. Re:Slashdot "punishment" problem by Anonymous Coward · · Score: 0

    The thing is, if you don't find them funny/humorous then it's your problem, not theirs :)

  60. This is not a new concept by fodderb0y · · Score: 0, Redundant

    It's also called a network telescope. CAIDA has been implementing this type of thing for several months.

  61. HoneyNet... by jonasmit · · Score: 1

    would be a better name since HoneyPots have been discussed for quite some time. And they are probably a bit safer than HoneyPots from a legal perspective (probably less you can do than compromising a HoneyPot machine).

  62. Actually, we have had these for about that long... by Lux · · Score: 4, Informative


    Down at SDSC they have a little less than 1% of ALL of the routable IP space dedicated to doing this stuff. They call it a network telescope, and use it to study DOS activity and stuff.

    http://www.caida.org/analysis/security/telescope/

    "Inferring Internet Denial-of-Service Activity" [2001] is good reading.

  63. Darknet, invite naughty traffic on your net today! by pgnas · · Score: 5, Informative

    I completely agree, after spending countless hours sifting through log files, tweaking triggers to help reduce the amount of false positives, the IDS is not the complete answer.

    An IDS is only so efficient, you need to first really understand your network before deploying, and even after deployment, this is only the beginning.

    We have been using Darknets, or honeypots for some time, an excellent combination of tools, see Snort, ACID (Analysis Console for Intrusion Databases).

    As said before and in the article, this is a sophisticated set of tools and you need to understand your network, or you will find yourself chasing ghosts, Enter the Darknet (Honeypot).

    Combined with the other tools, we have been using Honeyd, an excellent honeypot, simple to get up and going and very configurable.

    Snort.org has an excellent howto documentation to get the IDS up and going, then you can add the honeypot.

    It can be downright humorous how quickly you will begin to capture useful information. In addition, adding scripts to interact with the traffic will allow you to keep the user busy while you are collecting data, or Tarpitting the traffic making the port "sticky" dragging the connections, another good one would be LaBrea.

    If you have any interest in network security, or simply want to monitor your home network, you need to take a look at darknet, or any of the other tools mentioned.

  64. USSR by Anonymous Coward · · Score: 0

    In Soviet Russia, the Darknet scans you.

  65. Re:like anyone here as a /32 ip block by radiophonic · · Score: 2, Funny

    I've got a /666 block. It's a devil to manage.

    --
    Whenever you read this sig someone's refrigerator light turns on.
  66. Ownership by Anonymous Coward · · Score: 0

    All your data packets are belong to us!

  67. Re:Slashdot "punishment" problem by Anonymous Coward · · Score: 0
    I've read Dilbert and User Friendly

    Please tell me you're not comparing User Friendly to Dilbert. UF is the same old tedious shit, over and over and over again...

  68. Life imitating art again? by randomErr · · Score: 1

    This is just like this issue of.

    Weird.

    --
    You say things that offend me and I can deal with it. Can you?
  69. So do packets.. by rmosenf · · Score: 1

    How else would pigeons be able to carry them? RFC 2549

  70. Nitpickers Anonymous. by hearingaid · · Score: 1, Informative
    You know that FTP isn't really client-server, right?

    Or at least, it's only really client-server in passive mode. The rest of the time, it's two servers talking to each other in the dumbest, most broken way imaginable.

    (And if you have no idea what I'm talking about, examine the mechanics of the PORT command. And understand why firewall designers the world over just wish everybody would switch to WebDAV over HTTPS, or sftp, or some other equivalent, so we could pretend FTP never existed.)

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

    1. Re:Nitpickers Anonymous. by Anonymous Coward · · Score: 0

      And everybody else wishes firewall designers would get their heads out of their asses and implement what iptables already has had for ages: FTP connection tracking.

  71. Re:like anyone here as a /32 ip block by Anonymous Coward · · Score: 0

    I've got a /666 block. It's a devil to manage.

    Ya know, I have seen some pretty bad stuff on slashdot. But, I gotta say man, that takes the cake. That was lame on all fronts that I know of, and I just discovered like 8 more levels of lameness just from that post. Pardon me while I go reexamine all that is good in this universe, my faith is severely shaken.

  72. Re:Slashdot "punishment" problem by dasmegabyte · · Score: 1

    But...but...

    Bill Gates is a borg! It is funny because he wants to assimilate us all with his nefarious popular operating system!

    Don't you get it!

    --
    Hey freaks: now you're ju
  73. Re:like anyone here as a /32 ip block by Graff · · Score: 1
    I've got a /666 block. It's a devil to manage.

    I thought it was a daemon to manage?

    :-)
  74. Re:Very cool! by jest3r · · Score: 2, Funny

    just another excuse for sysadmins everywhere to amass large quantities of pr0n in a short period of time ...

  75. Re:Very cool! by Anonymous Coward · · Score: 0

    Yes, I run something like this on a couple of /16's ...

    Darknetting/Honeynetting works well as part of your security systems, if implemented intelligently.

  76. Re:Naughty traffic ? by Anonymous Coward · · Score: 2, Funny

    We moderators do not have a sense of humor that we are aware of.

  77. Re:Slashdot "punishment" problem by Anonymous Coward · · Score: 2, Insightful

    I think we should punish people no matter what they do. It's fun!

  78. From darknets to an Early Warning System by actu · · Score: 1

    A darknet is just one tool that is useful in a Service Provider environment, this presentation contains a lot more (BGP, honeypots, worm and DDoS detection, etc):
    PDF
    PPT

  79. Re:like anyone here as a /32 ip block by Anonymous Coward · · Score: 0

    Maybe you should have learned networking yourself. A /32 mask means that all 32 bits are part of the network and subnet addresses, leaving... 0 bits for hosts!

    A /32 mask is meaningless. The largest mask you can have, leaving two addresses, (one for each end of a point-to-point link) is /30.

  80. hey by Anonymous Coward · · Score: 0

    shut the fuck up

    Slow Down Cowboy! Slashdot requires you to wait 20 seconds between hitting 'reply' and submitting a comment. It's been 19 seconds since you hit 'reply'. Chances are, you're behind a firewall or proxy, or clicked the Back button to accidentally reuse a form. Please try again. If the problem persists, and all other options have been tried, contact the site administrator[fat fuck cowboi kneel].

  81. And then what? by cyclist1200 · · Score: 3, Funny

    Slap it on the nose with a newspaper and say, "Bad! Bad packet!"?

  82. This wouldn't be a dark net... by Anonymous Coward · · Score: 0

    it would be a trap net. If anything were to wander its way, it'd be logged, and investigated. Anything that regularly scrubs the internet will trip on one of these addresses, sooner or later. Hopefully... if the trap addresses are actually spread around, and not just in the same basic network address...

    Hmm... I wonder what'll happen when googlebot drops by for a visit... :)

  83. Why waste the address space? by Anonymous Coward · · Score: 0

    I have one IP address that runs a FreeBSD 4.10 WWW and FTP server. Basically any traffic for other ports is "naughty", and I get plenty of it. So much so that the I had to patch the ipfw2 PR where the default log limit cap wasn't working. The SMB ports usually hit the limit first, then the deny all rule at the bottom.

    Also any anonymous FTP attempt is considered "naughty" as I don't do anonymous, nor do I advertise FTP anywhere. No domain name like ftp.foo.com, or ftp URIs to the IP address. So there is no reason, other than port scans for that traffic. Occasionally I look at the logs and e-mail ISPs of the more persistent probers. But mostly I just shake my head, and worry about my parents AOL dial up XP box.

    And I'm sure I could do something with some of those ugly URLs my Apache server laughs at. Anyone got a good Apache2 module that emulates the IIS bugs to honeypot an attacker? That might be amusing.

  84. Another DarkNet Story by Anonymous Coward · · Score: 2, Insightful

    More than a decade ago we built a "darknet" out of several unused class A addresses to which we had access at the time. This was an experiment and we coordinated with the right network operators and funding agencies to make it all right. All networks were routed to our capture network containing only a packet sniffer. We kept the network in place for a month. The result: an amazing variety of "broken packets" which one Internet guru dubbed "bogons" arrived at a low but constant rate. The three class A networks allowed us to see effects across part of the network address "spectrum:" we noticed, for example, that some bogons from the same host showed up on all three networks, spreading broken packets across the address space! We traced many bogons to bad UNIX ports and could, in some cases, locate the specific porting error responsible. Big and little endian problems accounted for many. A lot of people ran these broken ports and, due to the random luck of their address assignment, the port generated orphaned bogons onto our three class A networks, and hence to our darknet. One day we captured bogons containing commands for a distributed database. We traced it to a development lab run by a large computer manufacturer who thought no one knew that they were working on a new distributed database product. We were able to discover the origin and cause of many bogons, however, in the majority of cases we could not establish the bogon's cause or its origin. Our "darknet" experience showed a constant low level chatter of bogons throughout the Internet. There are no "silent" slots in the address space, unused, where no one routes traffic. Unexpected things arrive and await discovery.

  85. oops by sukotto · · Score: 1

    D'oh! At first I wondered why /. was posting about capturing naughty pictures by using driftnet with webcollage.

    I tried this once but my screen's too visible to my boss whenever he snoops around the cubefarm. The first porn pic I saw I decided I'd better shut webcollage down.

    I'm glad someone's having fun. But they're either braver or dumber than me

    --
    Come play free flash games on Kongregate!
  86. Re:Slashdot "punishment" problem by Hobophile · · Score: 1
    I think the funniest posts on /. can be found in the poll comments.

    Granted, there's a lot of garbage (redundant Cowboy Neal / insensitive clod comments), but the discussions typically veer wildly off-topic and are frequently hilarious.

  87. Re:Slashdot "punishment" problem by Anonymous Coward · · Score: 0
    If you think you're a funny person who some people don't get, I'd bet you really are a troll who some people find funny.

    Why don't you stop trolling and your karma will be fine. It's very easy to get karma here. Anyone who whines about losing karma isn't the kind of person I want commenting.

    If you had any guts, you'd whine in your journal. Then people could see your comments and explain why you're being a troll.

  88. Protocol-dependent coding. by hearingaid · · Score: 1
    When you start coding the protocol right into the packet level, you increase the complexity of the firewall. In some circles, this is seen as a Bad Thing, the basic logic being that simpler programs are more bug-free.

    Also, you're increasing the overhead by requiring the packet filter to read the content of packets, instead of just their headers. That means slower throughput, especially when dealing with large networks.

    And finally: FTP's the only protocol designed in this ultra-stupid way in the history of IP. FTP is so obviously a relic from the days when .edu was the dominant TLD in other ways, too, like cleartext passwords (ugh).

    --

    my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
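
Added example, not from the thread and not iptables code: what "reading the content of packets" amounts to for active-mode FTP, the PORT mechanics the "Nitpickers Anonymous" and "Protocol-dependent coding" comments refer to. The filter parses each PORT line on the control connection (format from RFC 959), admits exactly one matching data connection from the server, and refuses announcements that name another host or a port below 1024; the class and method names, that rejection policy and the addresses are assumptions made for illustration.

```python
import ipaddress
import re

# "PORT h1,h2,h3,h4,p1,p2" (RFC 959): four address octets, then the port as two bytes.
PORT_RE = re.compile(
    rb"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*\r?\n$",
    re.IGNORECASE,
)


class FtpControlTracker:
    """Hypothetical helper: follows one FTP control connection for a stateful filter."""

    def __init__(self, client_ip, server_ip):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.server_ip = ipaddress.ip_address(server_ip)
        # (src, dst, dst_port) tuples for data connections announced via PORT.
        self.expected = set()

    def inspect(self, line):
        """Examine one control-channel line sent by the client; return a verdict."""
        match = PORT_RE.match(line)
        if match is None:
            return "ignored"  # not a PORT command, nothing to track
        fields = [int(group) for group in match.groups()]
        if max(fields) > 255:
            return "rejected: field out of range"
        announced_ip = ipaddress.ip_address(bytes(fields[:4]))
        announced_port = fields[4] * 256 + fields[5]
        # Assumed policy: the data connection may only go back to the host that
        # owns the control connection, and only to an unprivileged port.
        if announced_ip != self.client_ip:
            return "rejected: address differs from control-connection client"
        if announced_port < 1024:
            return "rejected: port below 1024"
        self.expected.add((self.server_ip, announced_ip, announced_port))
        return "expect %s:%d" % (announced_ip, announced_port)

    def permit_inbound(self, src, dst, dst_port):
        """Decide whether a new inbound TCP connection is an announced data channel."""
        key = (ipaddress.ip_address(src), ipaddress.ip_address(dst), dst_port)
        if key in self.expected:
            self.expected.remove(key)  # one announcement admits one connection
            return True
        return False


# Constructed control-channel lines (documentation address ranges).
CONSTRUCTED_LINES = [
    b"USER anonymous\r\n",
    b"PORT 192,0,2,10,19,137\r\n",   # client's own address, port 19*256+137 = 5001
    b"PORT 203,0,113,5,19,137\r\n",  # names a third host
    b"PORT 192,0,2,10,0,80\r\n",     # own address but port 80
]

if __name__ == "__main__":
    tracker = FtpControlTracker("192.0.2.10", "198.51.100.21")
    for line in CONSTRUCTED_LINES:
        print(line.strip().decode(), "->", tracker.inspect(line))
    print("server -> client:5001 allowed?",
          tracker.permit_inbound("198.51.100.21", "192.0.2.10", 5001))
```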

  89. Honey pot? by Recovering+Anonymous · · Score: 1

    How does this differ from a honey pot?

    --
    There's no shame in being a pariah. -Marge Simpson
  90. Re:Honey pot? whoops I'm mean honey net by Recovering+Anonymous · · Score: 1

    Scratch that I meant honey net

    --
    There's no shame in being a pariah. -Marge Simpson
  91. Re:Slashdot "punishment" problem by Anonymous Coward · · Score: 0

    You're forgetting who the audience is. Dilbert, etc. are more for the general public, while /. humor is intended for the crowd who cares to waste time reading comments on a certain niche blog/news site called, "Slashdot. News for Nerds. Stuff that matters." Read the name of the site again and realize where you are. See the difference? This is a community of mostly nerds who not only know what AYBABTU stands for, but what its origins are. People who think Marmaduke is funny are not expected to laugh at--or even understand--/. humor. Look elsewhere for the tired ole (sic) complaining about Mondays, my kids made a mess again ha ha, etc. If you understood the language and culture here, you'd see how wickedly funny some of the comments are.

  92. No Energy Crisis by Timtimes · · Score: 1

    Just a morality crisis with Enron whores raping grandma of her pension money. http://www.sundayherald.com/42433 Enjoy.

    --
    This ain't no upwardly mobile freeway This is the road to hell
  93. Useful antivirus tool by SoopahMan · · Score: 1

    This could be a useful tool if it were added to an Anti-virus program. The AV software could track known portions of the DarkNet, especially behind a Router, and wait for any process to fire off at part of the Dark - if it does, prompt to kill it, or just kill it, depending on a user pref.

    Many many viruses prefer random blasting to IPs, even some who mix that with IP collection. It would catch a lot of viruses in the act - partly because a virus would have to be that much more complex, that it would have to have a reliable way of collecting good IPs before attempting to spread.

    McAfee? Symantec? Are you listening? Add this instead of big heavy overreaching scans that crash apps. Are you there?

  94. Darknets, Honeynets, BlackNet by billstewart · · Score: 1
    The term "Darknet" used for pirated content distribution appears in a Microsoft Paper. The term appears to be appropriated from Tim May's Blacknet gedankenexperiment on uses of private communications and digital cash. A few magazine pundits have adopted it, but the term doesn't appear to be in wide use even among pundits.

    The Cymru Darknet is something entirely different, and it's not a honeynet either. Honeynets are nice sticky traps waiting to snare actively attacking crackers. This Darknet is primarily a passive monitoring system, and while it will see some active attacks such as port scans, another interesting thing it sees is backscatter from forged traffic, like CAIDA's System is tracking. Many DOS attacks use spoofed packets from random addresses, such as ICMP or SYN floods, and the victims or some routers will send TCP ACKs or ICMP responses back to the (forged) source, and some proportional fraction of that will end up in your darknet's detectors. It won't catch all such attacks - ISPs that want to be good citizens run the RFC2267 / RFC2827 best practices like uRPF spoof-proofing, which prevent their customers from forging packets except from the forger's own subnet address space, so you won't see those, but they're usually much less of a problem because they're easier to block, trace, and shut down. (Some of the cracker tools out there have built-in options to only forge within your /24 for just this reason.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
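
Added example (not part of the thread or of Team Cymru's instructions): a Python classifier for the triage the comment above describes, separating probes (bare SYNs, echo requests) from backscatter (SYN/ACK, RST, ICMP replies and errors) among raw IPv4 packets captured on a darknet. The darknet prefix 192.0.2.0/24, the category names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

# Assumed darknet prefix (documentation range); substitute your own unused space.
DARKNET = ipaddress.ip_network("192.0.2.0/24")

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
# ICMP replies and errors: only ever sent in response to some earlier packet.
ICMP_RESPONSE_TYPES = {0, 3, 4, 5, 11, 12}
ICMP_ECHO_REQUEST = 8


def classify(packet):
    """Return (category, source_ip) for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("malformed", "")
    header_len = (packet[0] & 0x0F) * 4
    if header_len < 20 or len(packet) < header_len:
        return ("malformed", "")
    src = str(ipaddress.ip_address(packet[12:16]))
    if ipaddress.ip_address(packet[16:20]) not in DARKNET:
        return ("not-darknet", src)
    # A non-first fragment carries no transport header, so it cannot be judged.
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return ("fragment", src)
    proto, payload = packet[9], packet[header_len:]
    if proto == 6:  # TCP
        if len(payload) < 14:
            return ("malformed", src)
        flags = payload[13]
        if (flags & TCP_SYN) and not (flags & TCP_ACK):
            return ("scan", src)         # someone is opening a connection to nothing
        if (flags & TCP_SYN) or (flags & TCP_RST):
            return ("backscatter", src)  # reply to a packet that forged our address
        return ("other", src)
    if proto == 1:  # ICMP
        if not payload:
            return ("malformed", src)
        if payload[0] == ICMP_ECHO_REQUEST:
            return ("scan", src)
        if payload[0] in ICMP_RESPONSE_TYPES:
            return ("backscatter", src)
    return ("other", src)


def summarize(packets):
    """Return (packets per category, backscatter packets per responding host)."""
    categories, responders = Counter(), Counter()
    for packet in packets:
        category, src = classify(packet)
        categories[category] += 1
        if category == "backscatter":
            responders[src] += 1  # the responder is the likely victim or its router
    return categories, responders


# --- Helpers that build constructed sample packets (checksums left at zero) ---
def ipv4(src, dst, proto, payload, frag=0):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                         proto, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload


def tcp(sport, dport, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def icmp(icmp_type, code):
    return struct.pack("!BBHI", icmp_type, code, 0, 0)


SAMPLE = [  # constructed capture, not real traffic
    ipv4("198.51.100.7", "192.0.2.10", 6, tcp(40000, 445, TCP_SYN)),
    ipv4("198.51.100.7", "192.0.2.11", 6, tcp(40001, 445, TCP_SYN)),
    ipv4("203.0.113.80", "192.0.2.55", 6, tcp(80, 31337, TCP_SYN | TCP_ACK)),
    ipv4("203.0.113.80", "192.0.2.200", 6, tcp(80, 1025, TCP_RST | TCP_ACK)),
    ipv4("203.0.113.1", "192.0.2.99", 1, icmp(3, 1)),
    ipv4("198.51.100.9", "192.0.2.1", 1, icmp(ICMP_ECHO_REQUEST, 0)),
    ipv4("198.51.100.9", "192.0.2.1", 6, b"\x00" * 24, frag=185),
    b"\x45\x00",  # truncated packet
]

if __name__ == "__main__":
    counts, responders = summarize(SAMPLE)
    print("categories:", dict(counts))
    print("backscatter sources:", dict(responders))
```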
  95. Blackhole Net by ripcrd · · Score: 1

    So if there are ostensibly no servers or workstations in this subnet and it vacuums up all traffic, then it's more of a Blackhole Net. A Honeynet is designed to have fake info and traffic to lure in the hungry cracker, a P2P net is designed to easily share info, the Internet is apparently very good at hooking disparate networks (or spreading penis enlargement pills, no that's my email), and sneaker net is running floppies between computers to share info.

    Blackhole Net, where the packets get in, but they don't get out!

    --
    --Somewhere there is a village missing an idiot.