Slashdot Mirror


Build A Darknet To Capture Naughty Traffic

DM_NeoFLeX writes "Have some routable Address Space lying around? You might want to build a DarkNet. The folks over at Team Cymru have outlined instructions for creating one with FreeBSD and as little as /32 routable space. From the article: 'A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.' Darknets can provide useful information for tracking the flow of naughty network traffic."

9 of 266 comments

  1. Darknets = P2P by Anonymous Coward · · Score: 5, Informative

    darknet n. The collection of networks and other technologies that enable people to illegally share copyrighted digital files with little or no fear of detection.
    http://www.wordspy.com/words/darknet.asp

  2. Nothing really new here... by Autonin · · Score: 5, Informative

    The Juniper (NetScreen/OneSecure) IDP has done a similar thing for years now.

    You can assign it any IP and port combination, and it will ACK any SYNs sent to it, whether there's a real server running on that IP or not. Such 'unsolicited' connections are a bad-traffic giveaway.

    --
    -AutoNiN
  3. aka blackhole networks by Anonymous Coward · · Score: 5, Informative

    Using dark IP space, bogon space and so on for blackhole network monitoring has been in use for a while to help detect DDoSes and even network worms. Jose Nazario has written quite thoroughly and extensively about their usage in his book, Defense and Detection Strategies against Internet Worms. Check it out if this interests you.

  4. Re:ARIN by Autonin · · Score: 5, Informative

    Why not? The 'DarkNet' concept uses *already allocated* IP space that just happens to not be actually used at present. ARIN has nothing to do with this - they've already given out the addresses to registered holders.

    If I'm Mr. Huge ISP, with gobs of class Bs and class Cs already allocated to me and the routes for these subnets already advertised on the backbone as coming to me, I might as well do something with the space until I can put some servers there later.

    Fire up a Juniper IDP and configure it for those unused networks. Then when bad guys come a'callin', you'll be able to log or block as you like.

    --
    -AutoNiN
  5. AKA Network Telescopes by BSDevil · · Score: 5, Informative

    These things have been around for a while, but known as Network Telescopes. The largest (AFAIK) is at UCSD, which is just a tad larger than a /32 (like, say, a /8). They collected some interesting data off the thing during all the Blaster rampages (Google cache of HTML'ed PDF here).

    Also, see the NANOG guide to setting them up here, and the home for the CAIDA/UCSD telescope here.

    So in short, nice job to the Welsh for implementing it, but there's bigger elsewhere for y'all to play with.

    --
    Cue The Sun...
  6. Re:Darknet used as filter. by jrl · · Score: 5, Informative

    Be sure to whitelist certain "key" addresses. This is the same problem you'll run into with "active" IDS/IPS.

    To paraphrase a smart person (can't remember who), when you let the bad guys write your firewall rulesets for you, bad things could happen.

    When you actively block things based on perceived bad traffic, you are in essence allowing the bad person to write some rules for you.

    Imagine if your attacker knew your default route and sent some spoofed packets to .1 and .3, thus killing all traffic from .2 to the net. etc, etc, etc.

    Best of luck.

  7. Re:Darknet used as filter. by kiolbasa · · Score: 5, Informative

    A good idea, similar to how spam-trap addresses can be used to build spammer blacklists. However, you would have to do something to keep packets with forged return addresses from spoiling your blacklist. This might mean completing TCP connection setup, etc., to verify the source. Your darknet wouldn't be passive and totally silent, which is what the article seems to imply in its definition of a "darknet." Of course, other analysis of the packets could weed out false positives.

    --

    Beer wants to be free
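The points raised in comments 2, 6 and 7 (a sensor that answers SYNs, the danger of letting forged packets drive your block rules, and whitelisting key addresses) can be shown in a few lines. This is an added example, not code from the Team Cymru article or from any commenter; the darknet range, gateway and resolver addresses, sensor secret and packet records are all constructed for the demonstration. The sensor derives its SYN-ACK sequence number SYN-cookie style from a secret, so a source is only counted once it returns an ACK carrying that number, which a host spoofing someone else's address never receives.

```python
"""Darknet hit processing: naive vs. verified block lists (added example).

All addresses, the secret and the sample packets are constructed; none come
from the article or the thread.
"""
import hashlib
import hmac
from collections import Counter, namedtuple
from ipaddress import ip_address, ip_network

# Constructed dark range: allocated, routed, but hosting no services.
DARKNET = ip_network("203.0.113.0/28")
# Constructed "key" addresses (default gateway and resolver) that must never
# end up in an automatically generated block list, as comment 6 warns.
KEY_ADDRESSES = {"198.51.100.1", "198.51.100.3"}
# Constructed per-sensor secret for deriving SYN-ACK sequence numbers.
SENSOR_SECRET = b"constructed-demo-secret"

# One packet as the darknet sensor sees it (TCP only, for brevity).
Pkt = namedtuple("Pkt", "src sport dst dport flags ack")


def isn_for(src, sport, dst, dport):
    """Sequence number the sensor uses in its SYN-ACK for this flow.

    Derived from the 4-tuple and a secret (SYN-cookie style) so the sensor
    keeps no per-flow state, and only a host that actually received the
    SYN-ACK can know the value.
    """
    key = f"{src}:{sport}>{dst}:{dport}".encode()
    mac = hmac.new(SENSOR_SECRET, key, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def expected_ack(flow):
    """ACK number a genuine peer must return after our SYN-ACK (mod 2^32)."""
    return (isn_for(*flow) + 1) & 0xFFFFFFFF


def hits_by_port(pkts):
    """Every packet into the darknet is aberrant by definition; tally the
    destination ports so a defender can see what is being probed."""
    return Counter(p.dport for p in pkts if ip_address(p.dst) in DARKNET)


def naive_blocklist(pkts):
    """Block any source seen sending into the darknet.

    This is the pitfall from comments 6 and 7: a forged source address puts
    whoever the attacker chooses (e.g. your gateway) on the block list.
    """
    return {p.src for p in pkts if ip_address(p.dst) in DARKNET}


def verified_blocklist(pkts):
    """Block only sources that completed the handshake with the sensor, and
    never block key infrastructure addresses.

    A source is verified when its SYN is followed by an ACK carrying the
    sequence number the sensor used in its SYN-ACK; a spoofer never sees
    that SYN-ACK and so cannot produce the right ACK.
    """
    syns = set()
    verified = set()
    for p in pkts:
        if ip_address(p.dst) not in DARKNET:
            continue
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            syns.add(flow)  # the sensor would reply with SYN-ACK seq=isn_for(*flow)
        elif p.flags == "A" and flow in syns and p.ack == expected_ack(flow):
            verified.add(p.src)
    return verified - KEY_ADDRESSES


# Constructed sample traffic seen by the sensor.
_scan = ("192.0.2.77", 40001, "203.0.113.5", 445)
SAMPLE = [
    Pkt(*_scan, "S", 0),
    Pkt(*_scan, "A", expected_ack(_scan)),                  # genuine host: it saw our SYN-ACK
    Pkt("198.51.100.1", 5555, "203.0.113.9", 22, "S", 0),   # forged source: our own gateway
    Pkt("198.51.100.1", 5555, "203.0.113.9", 22, "A", 1),   # forged ACK with a guessed number
    Pkt("192.0.2.200", 6000, "203.0.113.2", 80, "S", 0),    # SYN only, never completes
    Pkt("192.0.2.200", 6000, "198.51.100.50", 80, "S", 0),  # not darknet space, ignored
]

if __name__ == "__main__":
    print("probed ports:", dict(hits_by_port(SAMPLE)))
    print("naive block list:   ", sorted(naive_blocklist(SAMPLE)))
    print("verified block list:", sorted(verified_blocklist(SAMPLE)))
```

Running it shows the naive list containing the gateway address 198.51.100.1, while the verified list holds only 192.0.2.77. The cost is exactly what comment 7 notes: the sensor is no longer silent, because it must send SYN-ACKs to be able to tell a real peer from a forged one.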
  8. Re:Luke by SIGALRM · · Score: 5, Informative

    Naw... that's called the Internet.

    The term "Darknet" is cited in this sense frequently. It was first used by Patrick Ross in Nov. 2002.

    Thanks, though.

    --
    Sigs cause cancer.
  9. Darknet, invite naughty traffic on your net today! by pgnas · · Score: 5, Informative

    I completely agree: after spending countless hours sifting through log files, tweaking triggers to help reduce the amount of false positives, the IDS is not the complete answer.

    An IDS is only so efficient; you need to first really understand your network before deploying, and even after deployment, this is only the beginning.

    We have been using Darknets, or honeypots, for some time; an excellent combination of tools, see Snort, ACID (Analysis Console for Intrusion Databases).

    As said before and in the article, this is a sophisticated set of tools and you need to understand your network, or you will find yourself chasing ghosts. Enter the Darknet (Honeypot).

    Combined with the other tools, we have been using Honeyd, an excellent honeypot, simple to get up and going and very configurable.

    Snort.org has excellent howto documentation to get the IDS up and going, then you can add the honeypot.

    It can be downright humorous how quickly you will begin to capture useful information. In addition, adding scripts to interact with the traffic will allow you to keep the user busy while you are collecting data, or tarpitting the traffic, making the port "sticky" and dragging out the connections; another good one would be LaBrea.

    If you have any interest in network security, or simply want to monitor your home network, you need to take a look at darknet, or any of the other tools mentioned.