Slashdot Mirror


Build A Darknet To Capture Naughty Traffic

DM_NeoFLeX writes "Have some routable Address Space lying around? You might want to build a DarkNet. The folks over at Team Cymru have outlined instructions for creating one with FreeBSD and as little as /32 routable space. From the article: 'A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence aberrant.' Darknets can provide useful information for tracking the flow of naughty network traffic."

16 of 266 comments

  1. So how's this work now? by Kenja · · Score: 2, Interesting

    How do you track so-called "naughty network traffic" when it goes to an IP with no services or servers? I guess you could do this with something along the lines of a "border" firewall (rather than a NAT system). But few of us have such a setup.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
  2. Very Interesting by DeltaSigma · · Score: 4, Interesting

    It's like a honeypot, except designed to catch worms, rather than live hacking attempts. Hell, this could be extended with fake entries in a corporate address book to monitor worms that spread via e-mail communication.

    I like the idea, and wish I had the corporate status to consider an implementation at my company.

    1. Re:Very Interesting by Zocalo · · Score: 5, Interesting
      I like the idea, and wish I had the corporate status to consider an implementation at my company.

      You don't need to be a big company to do this, just a little savvy and a DSL line. I've been doing this for a while with my DSL router's firewall, which has a feature to copy any traffic matched by a rule to the LAN with the target set to an arbitrary MAC address. I have it set up so that any traffic targeted at my unused IPs gets directed to a bogus MAC on the LAN, where it gets directed by my switch to be captured by an old laptop. With the flick of a few config files, I can get a honeypot running too, so I can get a little more than the initial "SYN" of TCP sessions.

      You get some fascinating stuff. My IP space is a few class B's away from some allocated to S. Korea, and a few months ago I saw someone testing a worm exploiting MS-DS in real time. The scriptkiddie had obviously made a typo, because instead of port 445 the traffic was hitting 455, but the traffic was clearly trying to use a known buffer overflow and was coming from a dozen or so IPs all within a single ISP.

      Unfortunately, the email I sent to the ISP's NOC listing the source IPs didn't get acted on in time. After about an hour the guy must have corrected the error and the traffic switched to port 445 and the number of source IPs started to grow... I never did find out precisely which one of the many, many, MS-DS exploits circulating at the time this one was though. :(

      --
      UNIX? They're not even circumcised! Savages!
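The "packet vacuum" side of what the article summary and Zocalo's post describe, as an added example (this is not code from the Team Cymru article or from any commenter). It parses constructed tcpdump-style lines, treats every packet addressed into the darknet prefixes as aberrant, and then looks for the pattern Zocalo saw: several distinct sources from one provider block hammering the same port. The prefixes, the sample lines and the /24 used for clustering are assumptions chosen for illustration.

```python
"""Darknet hit classifier run over constructed tcpdump-style lines.
Added example; not code from the Team Cymru article or from the commenters."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: these prefixes are routed to the sensor but host nothing,
# so every packet addressed into them is aberrant by definition.
DARKNET = [ipaddress.ip_network("192.0.2.0/29"),
           ipaddress.ip_network("198.51.100.200/32")]

# Constructed sample input in tcpdump's default TCP output format (not a real capture).
# 192.0.2.200 is outside the darknet, so the last line is a live host the sensor also sees.
SAMPLE_LOG = """\
12:00:01.000001 IP 203.0.113.10.40001 > 192.0.2.3.455: Flags [S], seq 1, win 65535, length 0
12:00:01.100001 IP 203.0.113.11.40002 > 192.0.2.4.455: Flags [S], seq 1, win 65535, length 0
12:00:01.200001 IP 203.0.113.12.40003 > 192.0.2.5.455: Flags [S], seq 1, win 65535, length 0
12:00:02.000001 IP 203.0.113.10.40004 > 192.0.2.3.445: Flags [S], seq 1, win 65535, length 0
12:00:02.500001 IP 198.51.100.77.51000 > 198.51.100.200.80: Flags [S], seq 1, win 8192, length 0
12:00:03.000001 IP 203.0.113.10.40005 > 192.0.2.200.22: Flags [S], seq 1, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")


def parse_line(line):
    """Return a dict of the fields in one tcpdump line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    pkt["sport"] = int(pkt["sport"])
    pkt["dport"] = int(pkt["dport"])
    return pkt


def is_dark(dst):
    """True when the destination lies inside one of the darknet prefixes."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in DARKNET)


def summarize(text):
    """Count aberrant packets per destination port and remember who sent them."""
    summary = {"aberrant": 0, "ignored": 0,
               "ports": Counter(), "sources_by_port": defaultdict(set)}
    for line in text.splitlines():
        if not line.strip():
            continue
        pkt = parse_line(line)
        if pkt is None or not is_dark(pkt["dst"]):
            summary["ignored"] += 1
            continue
        summary["aberrant"] += 1
        summary["ports"][pkt["dport"]] += 1
        summary["sources_by_port"][pkt["dport"]].add(pkt["src"])
    return summary


def coordinated_sources(summary, min_sources=3, prefixlen=24):
    """(port, network) pairs where at least min_sources distinct sources inside one
    /prefixlen hit the same darknet port: the 'dozen IPs within a single ISP' pattern."""
    found = []
    for dport, sources in summary["sources_by_port"].items():
        by_net = Counter(
            str(ipaddress.ip_network(f"{s}/{prefixlen}", strict=False)) for s in sources)
        for net, n in by_net.items():
            if n >= min_sources:
                found.append((dport, net))
    return sorted(found)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"aberrant={s['aberrant']} ignored={s['ignored']} ports={dict(s['ports'])}")
    for dport, net in coordinated_sources(s):
        print(f"port {dport}: coordinated scan from {net}")
```

On a real sensor the input would be `tcpdump -n -i tap0` output or a pcap, and the clustering prefix would come from the WHOIS/registry allocation rather than a fixed /24; the logic is the same.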
  3. Re:Luke by SIGALRM · · Score: 3, Interesting

    Darknets have multiple uses. These can be used to host flow collectors, backscatter detectors, packet sniffers, and IDS boxes.

    Doesn't the term "Darknet" also refer to a collection of networks and other technologies that enable people to share files with little or no fear of detection?

    --
    Sigs cause cancer.
  4. HoneyPots by xplosiv · · Score: 3, Interesting

    What's the difference between a darknet and a honeypot/net setup? Both seem to have the same goals, and both use some IP space to detect potential attacks.

  5. Re:Really . . . by LostCluster · · Score: 5, Interesting

    The USPS is well aware of that concept. That's why they have Mail Recovery Centers (commonly called a Dead Letter Office), to which anything that has an invalid delivery address and either a missing or invalid return address goes.

    These centers are the only part of the postal system allowed to open letters intentionally... as the privacy concern goes out the window in one last ditch attempt to try to figure out where it should be going. Any property that ends up there and has no address indications inside ends up going up for auction. Some charities take the letters addressed to Santa to find ones that indicate particularly needy families and grant wishes.

    Snail mail just can't drop packets on the floor as easily...

  6. Re:But then by drinkypoo · · Score: 2, Interesting

    How about logging it and initiating some security rules with it? It should be simple enough to write a little daemon which will watch for log messages and institute temporary (or not temporary) firewall rules to block traffic from those hosts. The nature of the block (temporary or non) can be contingent on the type of traffic. Illegitimate connections on ports known to be used for undesirable activity would be grounds for a longer block than, say, a connection to port 80 on an IP address adjacent to a legitimate webserver. (People do mistype addresses occasionally and there are legitimate reasons to access hosts by IP, like when name resolution is broken and you need to get a file onto the machine to fix it.)

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. Re:HoneyPot? by j3ll0 · · Score: 5, Interesting


    Yeah, agreed, but.....

    I think motivation is important here. Honeypots by their nature are designed to entice black hats into attacking them...so that the owner of the honeypot can analyse what the latest and greatest black hats are going to look for, exploit, etc.

    A darknet setup is passive in that it logs aberrant traffic. It tells you when something out there is actively scanning large gobs of your address space.

    Ever played with Snort/ACID and a ruleset from somewhere like Whitehats on a live user subnet? You get so many false positives that you start to pare down your ruleset. You keep doing this until you start to question the validity of the IDS in the first place.

    I think this idea has some real utility....even if it is just to create another dataset to throw at MRTG !! :)

  8. Re:Darknet used as filter. by digitalsushi · · Score: 4, Interesting

    WHOA there cowboy. Some of us out here enjoy an occasional ice cold beer or two or three, and I think I'm not alone in saying that we don't always hit the target. Don't discriminate against drunken surfers! If all the requests are for port 80, say, best be you lettin' us in anyways, boy.

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  9. IPv6 by sploxx · · Score: 4, Interesting

    Wouldn't this be impossible to create with IPv6? Because of the *huge* address space and the negligible probability of a packet entering a darknet?
    This is in no way an argument against IPv6, I'm eagerly awaiting it - I'm just curious...

    1. Re:IPv6 by Nasarius · · Score: 2, Interesting
      something wholly impractical with IPv6

      Brute force scanning, yes. But plug into the IANA/ARIN/etc databases and you can narrow it down quite a bit.

      --
      LOAD "SIG",8,1
  10. Re:Darknets = P2P by drinkypoo · · Score: 2, Interesting
    It's well known that I am a nitpicker, but if a darknet is supposed to apply to P2P, then FTP doesn't count because it's client-server :) The whole idea of such a term is absurd. We already have a name for peer to peer, it's P2P. A private P2P network is just that, private P2P. A private FTP is also simply a private FTP. Why make this harder than it has to be?

    My not having heard of it doesn't make it "not good enough", there are plenty of more logical reasons for that. My not having heard of it is enough argument (to me) that it's nothing like a standard term, it's just something that one or two people have pulled out of their ass and it hasn't caught on for one reason or another. This would not apply if it were some field or subject I was unfamiliar with, but as I am not unfamiliar with P2P, but have never heard/read the term "darknet" I can only assume that it is a term in extremely limited use. Like, by wanker pundits who desperately want to be the ones to coin a new phrase.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  11. Re:I don't get the complexity by DDumitru · · Score: 3, Interesting

    You are correct if you are going to route "big chunks" of address space. On the other hand, most of us (at least those with some colo machines at our disposal) don't have spare /24s lying around [and if you do you should give them back to ARIN]. Also, it is arguably better to watch 256 "random" addresses than 256 in a row, so watching a bunch of small blocks is actually better than grabbing a big contiguous block.

    A couple of other points here. ARP does not actually create any extra traffic on the interface that is being watched. In this example, the ARP goes from eth0 to the upstream router. You are packet sniffing tap0. Thus tap0 will show absolutely zero outbound traffic (it cannot, because there is no "client" application talking to it). Regardless, we are talking about IP here. If you have traffic reaching your interface that is not IP (and ARP is not IP), just why did the router forward it to you anyway?

    If you have a lot of nets that need to be routed this way, you can still do it. There is nothing wrong with static routes that go thru 5 systems on the way to the tap device. These can cross local LAN segments and provided there are no firewall rules that disallow it, the effect is the same.

    If your purpose is to dedicate resources to this project, then the dedicated network solution is best. Otherwise, the virtual network solutions that use 'arp' and 'tap' devices get you 100% of the same traffic to analyze.

    My "best" choice if you want to watch a "lot" of addresses would be to run something like LaBrea that responds to "un ARPed" packets. This could be mangled to automatically setup the interface to forward unused addresses within the current block to a tap device. I have not tried this, but it would be fun and not too hard to implement.
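The "forward unused addresses within the current block to a tap device" idea from DDumitru's comment, worked through as an added example (not code from the article, LaBrea or the commenter). Given an allocated block and the addresses that are actually in use, it computes the dark addresses, collapses them into the fewest CIDR routes, and emits the iproute2 commands for a Linux box: one route per collapsed range pointing at the tap, plus one proxy-ARP entry per dark address on the LAN side so the upstream router hands those packets to this machine. The block, the in-use list and the device names are assumptions.

```python
"""Find the addresses in an allocated block that nothing uses and turn them into
the fewest routes pointing at a tap device, plus the proxy-ARP entries the LAN
side needs.  Added example; not code from the article, LaBrea or DDumitru.  The
block, the in-use list and the device names are assumptions."""
import ipaddress


def dark_ranges(block, in_use):
    """Minimal set of networks covering every address in `block` not listed in `in_use`.

    Every address of the block is considered, so list the network, broadcast and
    gateway addresses in `in_use` if the router should not send them to the tap.
    """
    block = ipaddress.ip_network(block)
    used = {ipaddress.ip_address(a) for a in in_use}
    for a in used:
        if a not in block:
            raise ValueError(f"{a} is not inside {block}")
    # Walk the block once, collecting runs of consecutive unused addresses.
    runs, start, last = [], None, None
    for addr in block:
        if addr in used:
            if start is not None:
                runs.append((start, last))
                start = None
        else:
            if start is None:
                start = addr
            last = addr
    if start is not None:
        runs.append((start, last))
    # Each run becomes the largest aligned prefixes that fit it; then merge neighbours.
    nets = []
    for first, final in runs:
        nets.extend(ipaddress.summarize_address_range(first, final))
    return list(ipaddress.collapse_addresses(nets))


def dark_address_count(nets):
    """Number of individual addresses covered by a list of networks."""
    return sum(n.num_addresses for n in nets)


def route_commands(block, in_use, tap="tap0", lan="eth0"):
    """Linux iproute2 commands: one route per collapsed range towards the tap device,
    and one explicit proxy-ARP entry per dark address on the LAN interface.  Routes
    aggregate; ARP answers are per host, so the neigh list is always the long one."""
    nets = dark_ranges(block, in_use)
    cmds = [f"ip route add {n} dev {tap}" for n in nets]
    cmds += [f"ip neigh add proxy {a} dev {lan}" for n in nets for a in n]
    return cmds


if __name__ == "__main__":
    # Constructed example: a /28 with network, gateway, one server and broadcast in use.
    live = ["192.0.2.0", "192.0.2.1", "192.0.2.2", "192.0.2.15"]
    for cmd in route_commands("192.0.2.0/28", live):
        print(cmd)
```

The tap interface has to exist and be up with a sniffer attached before the routes are added, and the kernel must be forwarding; an IP that is later put into service just needs to be added to the in-use list and the commands regenerated.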

  12. Re:Nothing really new here... by scottv67 · · Score: 2, Interesting

    I was going to mention the Netscreen IDP but you beat me to the punch. I had an IDP that protected 141.106.0.0/16. I had the Honeypot feature enabled so that if you scanned certain addresses, the IDP would blacklist your source address for 30 minutes. It worked *very* well for shunning lazy portscanning kiddies.

    The IDP is a very impressive piece of technology. A very good complement to a Layer 3 firewall.

    -Scott
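The shunning daemon drinkypoo sketches above, with the 30-minute blacklist from scottv67's IDP as the default, written out as an added example (this is not code from the article, from either commenter, or from the Netscreen product). Block length depends on what was hit: a long block for darknet traffic on ports that only a scanner would try, no block at all for port 80 to an address next door to a real web server, a short block for everything else. Blocks expire on their own and are never shortened by a later, lesser hit. The port list, durations, the adjacency radius and the pf table name are assumptions.

```python
"""Turn darknet hits into temporary firewall blocks whose length depends on
what was hit.  Added example; not code from the article, drinkypoo's daemon or
the Netscreen IDP.  Ports, durations, the adjacency rule and the pf table name
are assumptions chosen for illustration."""
import ipaddress
from dataclasses import dataclass

# Assumption: a darknet hit on these ports is treated as a scan, not a typo.
SCAN_PORTS = {135, 139, 445, 1433, 3389}
LONG_BLOCK = 24 * 60 * 60      # seconds, for traffic on SCAN_PORTS
SHORT_BLOCK = 30 * 60          # seconds, for everything else (the IDP's 30 minutes)
# Assumption: a real web server sits here; port 80 to a neighbouring address is
# probably a mistyped URL rather than a scan.
LEGIT_WEB = "192.0.2.10"
PF_TABLE = "darknet_shun"      # assumption: a pf table referenced by a block rule


@dataclass(frozen=True)
class Hit:
    ts: float     # epoch seconds when the packet entered the darknet
    src: str
    dst: str
    dport: int


def adjacent(a, b, radius=1):
    """True when address a is within `radius` addresses of address b."""
    return abs(int(ipaddress.ip_address(a)) - int(ipaddress.ip_address(b))) <= radius


def decide(hit):
    """Block duration in seconds for one hit; 0 means do not block."""
    if hit.dport in SCAN_PORTS:
        return LONG_BLOCK
    if hit.dport == 80 and adjacent(hit.dst, LEGIT_WEB):
        return 0
    return SHORT_BLOCK


class Blocklist:
    """Tracks per-source expiry times and emits the pfctl commands to apply them."""

    def __init__(self):
        self._until = {}   # src -> expiry timestamp

    def observe(self, hit):
        """Apply the policy to one hit; returns the pfctl command to run, or None."""
        seconds = decide(hit)
        if seconds == 0:
            return None
        expiry = hit.ts + seconds
        if expiry <= self._until.get(hit.src, 0):
            return None             # an existing block already lasts longer
        self._until[hit.src] = expiry
        return f"pfctl -t {PF_TABLE} -T add {hit.src}"

    def expire(self, now):
        """Drop blocks that have lapsed; returns the pfctl commands to remove them."""
        gone = sorted(s for s, t in self._until.items() if t <= now)
        for s in gone:
            del self._until[s]
        return [f"pfctl -t {PF_TABLE} -T delete {s}" for s in gone]

    def active(self, now):
        """Sources still blocked at time `now`."""
        return sorted(s for s, t in self._until.items() if t > now)


# Constructed hits (not real traffic).
SAMPLE_HITS = [
    Hit(1000.0, "203.0.113.10", "192.0.2.3", 445),    # scan port -> long block
    Hit(1001.0, "203.0.113.11", "192.0.2.3", 8080),   # other port -> short block
    Hit(1002.0, "198.51.100.77", "192.0.2.11", 80),   # port 80 next to the web server -> no block
    Hit(1003.0, "198.51.100.78", "192.0.2.3", 80),    # port 80 far from it -> short block
]

if __name__ == "__main__":
    bl = Blocklist()
    for h in SAMPLE_HITS:
        print(f"{h.src} -> {h.dst}:{h.dport}  {bl.observe(h) or 'no action'}")
    print("still blocked an hour later:", bl.active(1003.0 + 3600))
    print("removed on expiry:", bl.expire(1003.0 + 3600))
```

In a daemon the hits would come from the sensor's log or flow records and `expire()` would run on a timer; keeping the expiry table in the daemon rather than relying on the firewall to time out entries is what makes the "never shorten an existing block" rule possible.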

  13. Re:Darknets = P2P by Geek+of+Tech · · Score: 3, Interesting
    Let's read this little snippet of the article....

    [snippet]

    A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are "dark" because there is, seemingly, nothing within these networks.

    A Darknet does in fact include at least one server, designed as a packet vacuum. This server gathers the packets and flows that enter the Darknet, useful for real-time analysis or post-event network forensics.

    Any packet that enters a Darknet is by its presence aberrant. No legitimate packets should be sent to a Darknet. Such packets may have arrived by mistake or misconfiguration, but the majority of such packets are sent by malware. This malware, actively scanning for vulnerable devices, will send packets into the Darknet, and this is exactly what we want.

    [/snippet]

    Think this kind of scenario...

    A computer gets some form of malware on it that scans random addresses in its attempt to find vulnerable hosts. I'm going to use the name Blaster for this fictional bug...

    Now let's assume that the IP for your darknet box is aaa.bbb.ccc.ddd. If the bug randomly chooses your box (which isn't entirely unlikely) to scan, you will instantly know something is up. We're not talking "Oh no the evil **AA is after us!" (where ** is any two letters). We're talking more "Hmmm... Someone is trying to send data to an address that as far as anyone knows doesn't have any device on it." It's safe to consider a box compromised if they try to send data to an address that isn't used.

    --
    Stop the Slashdot effect! Don't read the articles!
  14. Re:screw the Darknet by REBloomfield · · Score: 2, Interesting

    Luke did not 'defeat' Vader and the darkside. He threw down his lightsaber and it was Vader who rose up and brought an end to the Sith - but not the darkside of the force. Han's daughter briefly dabbled, and Mara Jade could be considered 'dark'.