Slashdot Mirror
Build A Darknet To Capture Naughty Traffic
DM_NeoFLeX writes "Have some routable Address Space lying around? You might want to build a DarkNet. The folks over at Team Cymru have outlined instructions for creating one with FreeBSD and as little as /32 routable space. From the article: 'A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.' Darknets can provide useful information for tracking the flow of naughty network traffic."
darknet n. The collection of networks and other technologies that enable people to illegally share copyrighted digital files with little or no fear of detection.a sp
http://www.wordspy.com/words/darknet.
The Juniper (NetScreen/OneSecure) IDP has done a similar thing for years now.
You can assign it any IP and port combination, and it will ACK for any SYN's sent to it, whether there's a real server running on that IP or not. Such 'unsolicited' connections are a bad-traffic giveaway.
-AutoNiN
The analysis of the Witty worm (discussed on /. here ) used a massive darknet subtending 1/256 of the entire IPv4 address space. This gave them an excellent sample size for analyzing the behavior of the worm.
Two wrongs don't make a right, but three lefts do.
A sniffer will sniff all traffic on the wire for malicious activity, where as this, since there is no reason for any traffic to be directed at these addresses or routed to that subnet, you know immediately something is up.
If it seems like you've heard it before, you probably have, its similar if not the same thing to a honeypot/net.
"I use a Mac because I'm just better than you are."
Using dark ip space, bogon space and so on for blackhole network monitoring has been in use for a while to help detect DDoS's and even network worms. Jose Nazario has written quite thoroughly and extensively about their usage in his book, Defense and Detection Strategies against Internet Worms. Check it out if this interests you.
Why not? The 'DarkNet' concept uses *already allocated* IP space that just happens to not be actually used at present. ARIN has nothing to do with this - they've already given out the addresses to registered holders.
I'm Mr. Huge ISP, with gobs of class B's and class C's already allocated to me, the routes for these subnets already advertised on the backbone as coming to me, I might as well do something with the space until I can put some servers there later.
Fire up a Juniper IDP and configure it for those unused networks. Then when bad guys come a'callin', you'll be able to log or block as you like.
-AutoNiN
The idea here is to catch traffic to otherwise unused network addresses. This does not require any of the stuff that seems to be implied here.
For example, say you have a Linux system in a colo somewhere (or on the end of a T-1 or some other >1 IP address static network). You have some IP addresses assigned to you that are otherwise not assigned. Here is how you can get all of the darknet functionality with your standard server.
Some example numbers (none of which are real)
Unused address to watch: 10.11.12.13
Interface on which you receive traffic: eth0
A fake interface to route to: tap0
Configure your server to ARP the extra addresses:
arp -Ds 10.11.12.13 eth0 -i eth0 pub
Setup a "tap" device to route the traffic to
tunctl -u nobody -t tap0
ifconfig tap0 10.11.12.13 netmask 255.255.255.0 broadcast 10.11.12.255 up
Setup a "route" to the device
ip route add 10.11.12.13 dev tap0
At this point the traffic should all route to the fake device tap0. You can run tcpdump on this, setup IP filter chains, run MRTG on it directly, etc. All without any extra hardware.
For those that work with UML (User Mode Linux), you already recognize this is exactly how you setup virtual UML networks.
This is also somewhat related to "tar pits" that just answer connect requests to addresses that have un-completed ARP requests.
Have fun.
These things have been around for awhile, but known as Network Telescopes. The largest (AFAIK) is at UCSD, which is just a tad larger than a /32 (like, say, a /8). They collected some interesting data off the thing during all the Blaster rampages (Google cache of HTML'ed PDF here).
Also, see the NANOG guide to setting them up here, and the home for the CAIDA/UCSD telescope here.
So in short, nice job to the Welsh for implementing it, but there's bigger elsewhere for y'all to play with.
Cue The Sun...
ARIN doesnt care what you do with anything smaller than a /29. 16 IP blocks and larger you do, though. Hell there's colo servers you can rent that'll give you a /24! What a waste, that is. But they'll allow for the excuse that someone has a crap web server that can't do name based hosting. Like ugh ... what was that. Cold Fusion! as recently as 2002 needed one IP per website.
And of course, if you don't document who's using what, they don't do anything about it anyways. God help you if you want more IPs, though.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Be sure to whitelist certain "key" addresses. This is the same problem you'll run into with "active" IDS/IPS.
.1 and .3, thus killing all traffic from .2 to the net. etc, etc, etc.
To paraphrase a smart person (can't remember who), when you let the bad guys write your firewall rulesets for you, bad things could happen.
When you actively block things based on preceived bad traffic, you are in essence allowing the bad person to write some rules for you.
Imagine if your attacker knew your default route and sent some spoofed packets to
Best of luck.
An good idea, similar to how spam-trap addresses can be used to build spammer blacklists. However, you would have to do something to keep packets with forged return addresses from spoiling your blacklist. This might mean completing TCP connection setup, etc., to verify the source. Your darknet wouldn't be passive and totally silent, which is what the article seems to imply in it's definition of a "darknet." Of course, other analysis of the packets could weed out false positives.
Beer wants to be free
Naw... thats called the Internet.
The term "Darknet" is cited in this sense frequently. It was first used by Patrick Ross in Nov. 2002
Thanks, though.
Sigs cause cancer.
Down at SDSC they have a little less than 1% of ALL of the routable IP space dedicated to doing this stuff. They call it a network telescope, and use it to study DOS activity and stuff.
http://www.caida.org/analysis/security/telescop
"Inferring Internet Denial-of-Service Activity" [2001] is good reading.
I completely agree, after spending countless hours sifting through log files, tweaking triggers to help reduce the amount of false positives, the IDS is not the complete answer.
An IDS is only so efficient, you need to first really understand your network before deploying, and even after deployment, this is only the beginning.
We have been using Darknets, or honeypots for sometime, an excellent combination of tools, see Snort, ACID (Analysis Console for Intrusion Databases
As said before and in the article, this is a sophisticated set of tools and you need to understand your network, or you will find yourself chasing ghosts, Enter the Darknet (Honeypot).
Combined with the other tools, we have been using Honeyd , an excellent honeypot, simple to get up an going and very configurable.
Snort.org has an excellent howto documentation to get the IDS up an going, then you can add the honeypot.
It can be downright humorous how quickly you will begin to capture useful information. In addition, adding scripts to interact with the traffic will allow you to keep the user busy while you are collecting data, or Tarpitting the traffic making the port "sticky" dragging the connections, another good one would be LeBrea.
If you have any interest in network security, or simply want to monitor your home network, you need to take a look at darknet, or any of the other tools mentioned.