Slashdot Mirror
Build A Darknet To Capture Naughty Traffic
DM_NeoFLeX writes "Have some routable Address Space lying around? You might want to build a DarkNet. The folks over at Team Cymru have outlined instructions for creating one with FreeBSD and as little as /32 routable space. From the article: 'A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.' Darknets can provide useful information for tracking the flow of naughty network traffic."
darknet n. The collection of networks and other technologies that enable people to illegally share copyrighted digital files with little or no fear of detection.a sp
http://www.wordspy.com/words/darknet.
It would seem like a good idea to use the info collected by the Darknet to perhaps automatically blacklist those offending IP addresses or perhaps to automatically complain to the offending ISP.
The Juniper (NetScreen/OneSecure) IDP has done a similar thing for years now.
You can assign it any IP and port combination, and it will ACK for any SYN's sent to it, whether there's a real server running on that IP or not. Such 'unsolicited' connections are a bad-traffic giveaway.
-AutoNiN
The analysis of the Witty worm (discussed on /. here ) used a massive darknet subtending 1/256 of the entire IPv4 address space. This gave them an excellent sample size for analyzing the behavior of the worm.
Two wrongs don't make a right, but three lefts do.
Abberant doesn't have to mean malicious. It just means that they're someplace they don't belong. If you misaddress a letter, or misdial a phone number, the result is abberant because you end up somewhere you don't belong.
Good, inexpensive web hosting
A sniffer will sniff all traffic on the wire for malicious activity, where as this, since there is no reason for any traffic to be directed at these addresses or routed to that subnet, you know immediately something is up.
If it seems like you've heard it before, you probably have, its similar if not the same thing to a honeypot/net.
"I use a Mac because I'm just better than you are."
Using dark ip space, bogon space and so on for blackhole network monitoring has been in use for a while to help detect DDoS's and even network worms. Jose Nazario has written quite thoroughly and extensively about their usage in his book, Defense and Detection Strategies against Internet Worms. Check it out if this interests you.
like anyone here as a /32 ip block
/32 block, I do, and so does everyone else here. A /32 block is a single ip address. People with DSL connections, who get more than 1 ip allocated, are perfect candadites. I can even get additional ip's from my cable company, on request, for no additional charge (at least that was the case about a year ago, I heard they charge like 3 bucks a month now).
Maybe you should have learned networking before posting that. You have a
bash: rtfm: command not found
No active services or servers. Key word: active. Passive monitoring would seem to be the rule.
Why not? The 'DarkNet' concept uses *already allocated* IP space that just happens to not be actually used at present. ARIN has nothing to do with this - they've already given out the addresses to registered holders.
I'm Mr. Huge ISP, with gobs of class B's and class C's already allocated to me, the routes for these subnets already advertised on the backbone as coming to me, I might as well do something with the space until I can put some servers there later.
Fire up a Juniper IDP and configure it for those unused networks. Then when bad guys come a'callin', you'll be able to log or block as you like.
-AutoNiN
The idea here is to catch traffic to otherwise unused network addresses. This does not require any of the stuff that seems to be implied here.
For example, say you have a Linux system in a colo somewhere (or on the end of a T-1 or some other >1 IP address static network). You have some IP addresses assigned to you that are otherwise not assigned. Here is how you can get all of the darknet functionality with your standard server.
Some example numbers (none of which are real)
Unused address to watch: 10.11.12.13
Interface on which you receive traffic: eth0
A fake interface to route to: tap0
Configure your server to ARP the extra addresses:
arp -Ds 10.11.12.13 eth0 -i eth0 pub
Setup a "tap" device to route the traffic to
tunctl -u nobody -t tap0
ifconfig tap0 10.11.12.13 netmask 255.255.255.0 broadcast 10.11.12.255 up
Setup a "route" to the device
ip route add 10.11.12.13 dev tap0
At this point the traffic should all route to the fake device tap0. You can run tcpdump on this, setup IP filter chains, run MRTG on it directly, etc. All without any extra hardware.
For those that work with UML (User Mode Linux), you already recognize this is exactly how you setup virtual UML networks.
This is also somewhat related to "tar pits" that just answer connect requests to addresses that have un-completed ARP requests.
Have fun.
These things have been around for awhile, but known as Network Telescopes. The largest (AFAIK) is at UCSD, which is just a tad larger than a /32 (like, say, a /8). They collected some interesting data off the thing during all the Blaster rampages (Google cache of HTML'ed PDF here).
Also, see the NANOG guide to setting them up here, and the home for the CAIDA/UCSD telescope here.
So in short, nice job to the Welsh for implementing it, but there's bigger elsewhere for y'all to play with.
Cue The Sun...
ARIN doesnt care what you do with anything smaller than a /29. 16 IP blocks and larger you do, though. Hell there's colo servers you can rent that'll give you a /24! What a waste, that is. But they'll allow for the excuse that someone has a crap web server that can't do name based hosting. Like ugh ... what was that. Cold Fusion! as recently as 2002 needed one IP per website.
And of course, if you don't document who's using what, they don't do anything about it anyways. God help you if you want more IPs, though.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Waitaminute !
Be sure to whitelist certain "key" addresses. This is the same problem you'll run into with "active" IDS/IPS.
.1 and .3, thus killing all traffic from .2 to the net. etc, etc, etc.
To paraphrase a smart person (can't remember who), when you let the bad guys write your firewall rulesets for you, bad things could happen.
When you actively block things based on preceived bad traffic, you are in essence allowing the bad person to write some rules for you.
Imagine if your attacker knew your default route and sent some spoofed packets to
Best of luck.
honeypots emulate a "real" machine. they provide "real" services and have "real" filesystem, etc. these are designed to analyze human activity (cracking methods and tools).
darknet seems to be logging traffic to the undefined addresses instead of dropping packets on the floor or sending icmp error responses. darknets don't appear to actually respond to traffic (analyzing worms / automated tools, no intelligence behind them).
An good idea, similar to how spam-trap addresses can be used to build spammer blacklists. However, you would have to do something to keep packets with forged return addresses from spoiling your blacklist. This might mean completing TCP connection setup, etc., to verify the source. Your darknet wouldn't be passive and totally silent, which is what the article seems to imply in it's definition of a "darknet." Of course, other analysis of the packets could weed out false positives.
Beer wants to be free
Santa Claus
North Pole, Canada
H0H 0H0
If you write Santa at this address, he will write back. Not 100% sure USPS will send it over the border, but if they do, it'll work.
( Canada Post sends out replies to children each year; I think employees at the post office volunteer and take the time to hand-craft a personal reply to each and every letter, though they may be auto-generated nowadays, i am not certain ).
Naw... thats called the Internet.
The term "Darknet" is cited in this sense frequently. It was first used by Patrick Ross in Nov. 2002
Thanks, though.
Sigs cause cancer.
Down at SDSC they have a little less than 1% of ALL of the routable IP space dedicated to doing this stuff. They call it a network telescope, and use it to study DOS activity and stuff.
http://www.caida.org/analysis/security/telescop
"Inferring Internet Denial-of-Service Activity" [2001] is good reading.
I completely agree, after spending countless hours sifting through log files, tweaking triggers to help reduce the amount of false positives, the IDS is not the complete answer.
An IDS is only so efficient, you need to first really understand your network before deploying, and even after deployment, this is only the beginning.
We have been using Darknets, or honeypots for sometime, an excellent combination of tools, see Snort, ACID (Analysis Console for Intrusion Databases
As said before and in the article, this is a sophisticated set of tools and you need to understand your network, or you will find yourself chasing ghosts, Enter the Darknet (Honeypot).
Combined with the other tools, we have been using Honeyd , an excellent honeypot, simple to get up an going and very configurable.
Snort.org has an excellent howto documentation to get the IDS up an going, then you can add the honeypot.
It can be downright humorous how quickly you will begin to capture useful information. In addition, adding scripts to interact with the traffic will allow you to keep the user busy while you are collecting data, or Tarpitting the traffic making the port "sticky" dragging the connections, another good one would be LeBrea.
If you have any interest in network security, or simply want to monitor your home network, you need to take a look at darknet, or any of the other tools mentioned.
Doesn't the term "Darknet" also refer to a collection of networks and other technologies that enable people to share files with little or no fear of detection?
Yes, that's a usage I've seen too, for example in this article in Slate.
Or at least, it's only really client-server in passive mode. The rest of the time, it's two servers talking to each other in the dumbest, most broken way imaginable.
(And if you have no idea what I'm talking about, examine the mechanics of the PORT command. And understand why firewall designers the world over just wish everybody would switch to WebDAV over HTTPS, or sftp, or some other equivalent, so we could pretend FTP never existed.)
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
The equivalents in Linux would be ipchains and iptables, I do believe. (My firewall's FreeBSD, never touched any Linux firewall rules.)
These tools allow you to log raw packets. Handy.
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
A honeypot is a server that appears to be riddled with security holes. What you have isn't a server, so not a honeypot.
A darknet is an IP-addressable network that appears to be not in use. What you have isn't IP-addressable, so not a darknet. We need a new phrase :)
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
The Tecra is currently running Fedora Core 1 with IPTables enabled and a bunch of IDS and traffic capture tools installed. Finally, I have modified numerous scripts to seamlessly enable and disable IP on the box if I want to run the Honeypot or anything else that requires a real IP address - I have enough IPs that I don't need to bother with NAT. There is also some basic checking in place to make sure if I run two scripts that would bring up the IP interface then shut the first down, it doesn't bring down the IP interface with it.
UNIX? They're not even circumcised! Savages!