Slashdot Mirror


Build A Darknet To Capture Naughty Traffic

DM_NeoFLeX writes "Have some routable Address Space lying around? You might want to build a DarkNet. The folks over at Team Cymru have outlined instructions for creating one with FreeBSD and as little as /32 routable space. From the article: 'A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.' Darknets can provide useful information for tracking the flow of naughty network traffic."

19 of 266 comments

  1. Really . . . by OverlordQ · · Score: 4, Insightful

    These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.

    That's like the mailman trying to deliver letters to Santa Claus, or somebody addressing a letter wrong, thank goodness I know all those letters are Aberrant now.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Really . . . by drinkypoo · · Score: 3, Insightful
      Snail mail can easily have dropped packets - you (or your mail carrier) can miss the mailbox.

      Not only that, but I'm betting a dramatically higher percentage of snailmail packets are misdelivered than IP packets. I am constantly getting mail for my neighbors in unit A in my mailbox, unit B. One wonders if it's my mail carrier or the mail sorters. It's not that they're getting the mailboxes confused, because I get my mail in there at the same time, it's an issue with sorting.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Really . . . by Effugas · · Score: 4, Insightful

      Snail mail just can't drop packets on the floor as easily...

      Quite the contrary; it's far easier to drop a letter on the floor. A letter has mass. ;-)

    3. Re:Really . . . by mlk · · Score: 2, Insightful

      Snail mail just can't drop packets on the floor as easily...

      You don't live in the UK do you?
      --
      Wow, I should not post when knackered.
  2. But then by trialsboy · · Score: 5, Insightful

    Ok, it's a really good idea, but catching the naughty traffic isn't the hard part. What does it do with the naughty traffic it gets, just make a pretty graph?

    --

    "Pushing little children, with their fully automatics, they like to push the weak around"
  3. Re:Slashdot "punishment" problem by mcgroarty · · Score: 2, Insightful
    but don't punish people for being funny!

    I have read thousands of Slash posts, and I promise you that being funny has never been a problem.

    Seriously. I've read Dilbert and User Friendly, and what passes for +1 Funny with you folks isn't. It's complaining with community tech jargon thrown in, or it's complaining, or it's misuse of community jargon by outsiders.

    I'm not the only one who's made this observation. You guys need a serious humor overhaul. Look to some humor sources from better-adjusted people to fully understand your problem.

    LOL, I hate Monday too, John Arbuckle. Let's see what ole Marmaduke's up to.

  4. Re:Use this for... by Anonymous Coward · · Score: 1, Insightful

    Good idea to automatically blacklist?

    Yeah, a great idea - those forged packets won't surmount to DoS attacks at all!

  5. HoneyPot? by molo · · Score: 4, Insightful

    Sounds like a standard HoneyPot, except the only machine on the network segment is a packet sniffer, so the address doesn't have any real destinations. Not a big deal. I'm sure the honeynet people have done similar.

    -molo

    --
    Using your sig line to advertise for friends is lame.
  6. Darknet used as filter. by jelwell · · Score: 5, Insightful

    An interesting use of a darknet would be to shield a real server from unwanted attacks. Have the darknet relate any internet IPs that contact the darknet to your real server to ignore.

    As an example, set up a darknet on the following IPs:
    DARK_A : 204.210.34.1
    DARK_B : 204.210.34.3

    Set up the real server mathematically between the two darknet IP addresses:
    REAL : 204.210.34.2

    Now have DARK_A & DARK_B contact REAL whenever DARK_A or DARK_B receives any packets. REAL can be set up to, on the fly, filter out any packets received from the same source as the DARK servers reported.

    In a sense you're creating a realtime blacklist. You can set the list on a timed delay to expire. Or even filter out specific packet signatures instead of entire suspect IP addresses.

    just a thought...
    Joseph Elwell

    1. Re:Darknet used as filter. by syknes · · Score: 2, Insightful

      Very clever. So I send a bunch of packets to DARK_A and DARK_B with forged sender headers so that REAL starts blocking legitimate traffic from the senders I faked.
      Realtime blacklists are lovely tools for denial-of-service attacks. Probably why you don't see more of them out there.

    2. Re:Darknet used as filter. by Rosonowski · · Score: 2, Insightful

      Heh, but most netsurfing is by DNS. When's the last time you visited a website, drunk, by IP address instead of DNS alias?

      --
      01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
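The DARK_A/DARK_B/REAL filter from jelwell's post, together with the forged-source problem syknes raises, as an added example that is not from the thread (Python). The scanner, customer and attacker addresses are constructed, and the optional handshake check assumes the sensor actually answers SYNs, which a sniff-only darknet does not.

```python
DARK_SENSORS = {"204.210.34.1", "204.210.34.3"}  # DARK_A and DARK_B from the post
REAL = "204.210.34.2"                             # the protected server from the post


class DarknetBlacklist:
    """Sources reported by a darknet sensor are dropped at REAL until they expire."""

    def __init__(self, ttl_seconds, require_handshake):
        self.ttl = ttl_seconds
        self.require_handshake = require_handshake
        self._expires = {}  # source ip -> time at which the block lapses

    def sensor_report(self, sensor, src, handshake_done, now):
        """DARK_A/DARK_B call this for every packet they get; True if src was listed."""
        if sensor not in DARK_SENSORS:
            raise ValueError(f"{sensor} is not a darknet sensor")
        # A forged source never sees the sensor's SYN-ACK, so it cannot finish a
        # TCP handshake. Requiring one keeps spoofed sources off the list, but it
        # assumes the sensor answers SYNs; a sniff-only darknet cannot tell them apart.
        if self.require_handshake and not handshake_done:
            return False
        self._expires[src] = now + self.ttl
        return True

    def allows(self, src, now):
        """Filter decision at REAL for a packet claiming to come from src."""
        until = self._expires.get(src)
        if until is None:
            return True
        if now >= until:  # timed expiry, as the post suggests
            del self._expires[src]
            return True
        return False


def scenario(require_handshake):
    """Constructed traffic: a scanner, a legitimate customer and a spoofing attacker."""
    bl = DarknetBlacklist(ttl_seconds=600, require_handshake=require_handshake)
    scanner, customer = "198.51.100.7", "203.0.113.9"  # constructed addresses
    t0 = 1_700_000_000
    # The scanner genuinely connects to DARK_A, so its handshake completes.
    bl.sensor_report("204.210.34.1", scanner, handshake_done=True, now=t0)
    # The attacker sends DARK_B a SYN with the customer's address forged as its
    # source; that handshake can never complete (syknes' attack).
    bl.sensor_report("204.210.34.3", customer, handshake_done=False, now=t0)
    return {
        "scanner_blocked": not bl.allows(scanner, t0 + 1),
        "customer_blocked": not bl.allows(customer, t0 + 1),
        "scanner_blocked_after_ttl": not bl.allows(scanner, t0 + 601),
    }
```

With `require_handshake=False` the list behaves exactly as the post describes and the forged packet gets the customer blocked; with it set to `True` only the scanner is listed.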
  7. Darknet not needed by lukewarmfusion · · Score: 4, Insightful

    I have a whole list of bookmarks for my naughty traffic.

    Seriously, though... I have a spare wireless router set up at work that's easily hacked, easily found, and logs every damn thing that touches it. Our real wireless network is obscured, encrypted, mac filtered, etc. I realize it's not technically the same thing as the post describes (I guess you'd call it a honeypot network or something) but it's the same idea.

    Of course, nobody will care if a hacker makes his way into our network (honeypot or not) unless he does some "damage."

  8. Re:Darknets = P2P by drinkypoo · · Score: 2, Insightful
    I've never heard this term and I've been using p2p as long as anybody. A few industry pundits using it doesn't make it a real live term. Frankly I think that both of these uses of the "word" are lame, but calling p2p the darknet is a lot more lame than using the term to refer to a network intended to have no legitimate traffic.

    With all that said, honeynet would seem to be a more sensible term for a network like this. It's even sticky, which means people will be getting caught in it more readily, which is precisely what you're going for.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  9. Re:IPv6 by glwtta · · Score: 3, Insightful
    I am guessing that the kind of "naughty" traffic this is designed to monitor will also be made obsolete by IPv6's massive address space.

    Seems the purpose is to monitor IP scanning activity - something wholly impractical with IPv6.

    --
    sic transit gloria mundi
  10. Re:Darknets = P2P by Lehk228 · · Score: 3, Insightful

    actually a darknet would be a peer to peer group where the users know most if not all other members, such as a dormitory floor setting up FTP servers and giving accounts to everyone on the floor (not that I have any involvement in that sort of activity)

    You sound like my roommate, anything he hasn't heard of isn't legitimate or good enough, which is funny since he won't even accept as valid terms that are listed in the Jargon File.

    --
    Snowden and Manning are heroes.
  11. Re:Slashdot "punishment" problem by ikkonoishi · · Score: 1, Insightful

    I have thought about this for a bit now.

    You are right that this is unfair.
    It is just ripe for abuse.

    If you see something that you don't like at +4 Informative, instead of modding it -1 Overrated, which could later be removed in M2, you could mod it +1 Funny and prevent any further karma increases for that user.

    A few people with mod points could prop up posts they didn't like with +1 Funnys and mod them down until the account is basically muted as a Troll.

    (This is made difficult by the current protections of limited and basically random gaining of mod points, but if you really had a grudge and a few friends you could do it.)

    Now I know that the purpose of the +1 Funny != Karma restriction is to encourage serious useful discussion, but I think protections need to be put in place to prevent its abuse.

    One very simple way to do this is to make Funny moderations not count for the purpose of allowing further moderation.

    So you could end up with posts marked +N Funny to an arbitrary value of N, while only allowing karma destructive mods to be applied if there was additional karma building moderations.

    So if it is modded +3 Funny it cannot be modded -4 Troll, but if it is at +3 Funny +1 Underrated it could be modded to +2 Underrated. (All this assumes it is posted at an initial value of 1 for a registered account.)

    Frankly this is not the place to discuss this.
    Slashdot has a feature request area that is the proper location for your complaint. You will have to register there to make the request, and I don't know what that entails, but if this is important to you then put forth the effort.

  12. Re:Am I the only one by negaPLuCK · · Score: 2, Insightful

    "up-to-date design" is for marketeers. Simplicity is for conveying information. If you don't like it, don't read it.

  13. Re:Slashdot "punishment" problem by Anonymous Coward · · Score: 2, Insightful

    I think we should punish people no matter what they do. It's fun!

  14. Another DarkNet Story by Anonymous Coward · · Score: 2, Insightful

    More than a decade ago we built a "darknet" out of several unused class A addresses to which we had access at the time. This was an experiment and we coordinated with the right network operators and funding agencies to make it all right. All networks were routed to our capture network containing only a packet sniffer. We kept the network in place for a month. The result: an amazing variety of "broken packets" which one Internet guru dubbed "bogons" arrived at a low but constant rate. The three class A networks allowed us to see effects across part of the network address "spectrum": we noticed, for example, that some bogons from the same host showed up on all three networks, spreading broken packets across the address space! We traced many bogons to bad UNIX ports and could, in some cases, locate the specific porting error responsible. Big and little endian problems accounted for many. A lot of people ran these broken ports and, due to the random luck of their address assignment, the port generated orphaned bogons onto our three class A networks, and hence to our darknet. One day we captured bogons containing commands for a distributed database. We traced it to a development lab run by a large computer manufacturer who thought no one knew that they were working on a new distributed database product. We were able to discover the origin and cause of many bogons; however, in the majority of cases we could not establish the bogon's cause or its origin. Our "darknet" experience showed a constant low level chatter of bogons throughout the Internet. There are no "silent" slots in the address space, unused, where no one routes traffic. Unexpected things arrive and await discovery.