Build A Darknet To Capture Naughty Traffic
DM_NeoFLeX writes "Have some routable address space lying around? You might want to build a Darknet. The folks over at Team Cymru have outlined instructions for creating one with FreeBSD and as little as /32 routable space. From the article: 'A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence aberrant.' Darknets can provide useful information for tracking the flow of naughty network traffic."
It's like a honeypot, except designed to catch worms rather than live hacking attempts. Hell, this could be extended with fake entries in a corporate address book to monitor worms that spread via e-mail communication.
I like the idea, and wish I had the corporate status to consider an implementation at my company.
Darknets have multiple uses. These can be used to host flow collectors, backscatter detectors, packet sniffers, and IDS boxes.
Doesn't the term "Darknet" also refer to a collection of networks and other technologies that enable people to share files with little or no fear of detection?
Sigs cause cancer.
What's the difference between a darknet and a honeypot/net setup? Both seem to have the same goals, and both use some IP space to detect potential attacks.
The USPS is well aware of that concept. That's why they have Mail Recovery Centers (commonly called a Dead Letter Office), to which anything that has an invalid delivery address and either a missing or invalid return address goes.
These centers are the only part of the postal system allowed to open letters intentionally... as the privacy concern goes out the window in one last-ditch attempt to try to figure out where it should be going. Any property that ends up there and has no address indications inside ends up going up for auction. Some charities take the letters addressed to Santa to find ones that indicate particularly needy families and grant wishes.
Snail mail just can't drop packets on the floor as easily...
Yeah, agreed, but.....
I think motivation is important here. Honeypots by their nature are designed to entice black hats into attacking them... so that the owner of the honeypot can analyse what the latest and greatest black hats are going to look for, exploit, etc.
A darknet setup is passive in that it logs aberrant traffic. It tells you when something out there is actively scanning large gobs of your address space.
Ever played with Snort/ACID and a ruleset from somewhere like Whitehats on a live user subnet? You get so many false positives that you start to pare down your ruleset. You keep doing this until you start to question the validity of the IDS in the first place.
I think this idea has some real utility... even if it is just to create another dataset to throw at MRTG!!
WHOA there cowboy. Some of us out here enjoy an occasional ice cold beer or two or three, and I think I'm not alone in saying that we don't always hit the target. Don't discriminate against drunken surfers! If all the requests are for port 80, say, best be you lettin' us in anyways, boy.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Wouldn't this be impossible to create with IPv6? Because of the *huge* address space and the negligible probability of a packet entering a darknet?
This is in no way an argument against IPv6, I'm eagerly awaiting it - I'm just curious...
You are correct if you are going to route "big chunks" of address space. On the other hand, most of us (at least those with some colo machines at our disposal) don't have spare /24s lying around [and if you do you should give them back to ARIN]. Also, it is arguably better to watch 256 "random" addresses than 256 in a row, so watching a bunch of small blocks is actually better than grabbing a big contiguous block.
A couple of other points here. ARP does not actually create any extra traffic on the interface that is being watched. In this example, the ARP goes from eth0 to the upstream router. You are packet sniffing tap0. Thus tap0 will show absolutely zero outbound traffic (it cannot, because there is no "client" application talking to it). Regardless, we are talking about IP here. If you have traffic reaching your interface that is not IP (and ARP is not IP), just why did the router forward it to you anyway?
If you have a lot of nets that need to be routed this way, you can still do it. There is nothing wrong with static routes that go through 5 systems on the way to the tap device. These can cross local LAN segments and, provided there are no firewall rules that disallow it, the effect is the same.
If your purpose is to dedicate resources to this project, then the dedicated network solution is best. Otherwise, the virtual network solution that uses 'arp' and 'tap' devices gets you 100% of the same traffic to analyze.
My "best" choice if you want to watch a "lot" of addresses would be to run something like LaBrea that responds to "un-ARPed" packets. This could be mangled to automatically set up the interface to forward unused addresses within the current block to a tap device. I have not tried this, but it would be fun and not too hard to implement.
[snippet]
A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are "dark" because there is, seemingly, nothing within these networks.
A Darknet does in fact include at least one server, designed as a packet vacuum. This server gathers the packets and flows that enter the Darknet, useful for real-time analysis or post-event network forensics.
Any packet that enters a Darknet is by its presence aberrant. No legitimate packets should be sent to a Darknet. Such packets may have arrived by mistake or misconfiguration, but the majority of such packets are sent by malware. This malware, actively scanning for vulnerable devices, will send packets into the Darknet, and this is exactly what we want.
[/snippet]
Think of this kind of scenario...
A computer gets some form of malware on it that scans random addresses in its attempt to find vulnerable hosts. I'm going to use the name Blaster for this fictional bug...
Now let's assume that the IP for your darknet box is aaa.bbb.ccc.ddd. If the bug randomly chooses your box (which isn't entirely unlikely) to scan, you will instantly know something is up. We're not talking "Oh no, the evil **AA is after us!" (where ** is any two letters). We're talking more "Hmmm... Someone is trying to send data to an address that, as far as anyone knows, doesn't have any device on it." It's safe to consider a box compromised if it tries to send data to an address that isn't used.
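A defender-side sketch of the analysis the scenario above and the Team Cymru snippet describe, added here and not part of the article or of any comment: it reads constructed flow records for an assumed darknet block (192.0.2.0/24, a documentation prefix), drops anything not addressed into the dark space, and labels each source as a scanner, as backscatter from a spoofed-source flood, or as a single hit worth a closer look.

```python
import ipaddress
from collections import defaultdict

# Constructed darknet prefix (RFC 5737 documentation space); use your own dark block here.
DARKNET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample flow records: epoch src_ip src_port dst_ip dst_port proto tcp_flags
SAMPLE_FLOWS = """\
1700000001 198.51.100.7 40001 192.0.2.10 445 tcp S
1700000002 198.51.100.7 40002 192.0.2.11 445 tcp S
1700000003 198.51.100.7 40003 192.0.2.12 445 tcp S
1700000004 203.0.113.9 80 192.0.2.50 51234 tcp SA
1700000005 203.0.113.9 80 192.0.2.51 51235 tcp SA
1700000006 198.51.100.200 53 192.0.2.77 33333 udp -
1700000007 198.51.100.33 5555 10.0.0.5 22 tcp S
"""

def parse_flows(text):
    """Parse flow lines, keeping only those whose destination lies in the darknet."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue  # malformed record: skip it rather than crash the collector
        ts, src, _sport, dst, dport, proto, flags = parts
        if ipaddress.ip_address(dst) not in DARKNET:
            continue  # not darknet traffic; a correctly routed sensor never sees this
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "flags": flags})
    return flows

def classify_sources(flows, scan_threshold=3):
    """Label each source by what its darknet hits look like: scanner, backscatter or single-hit."""
    per_src = defaultdict(lambda: {"dsts": set(), "dports": set(), "flags": set(), "hits": 0})
    for f in flows:
        s = per_src[f["src"]]
        s["dsts"].add(f["dst"]); s["dports"].add(f["dport"]); s["flags"].add(f["flags"])
        s["hits"] += 1
    labels = {}
    for src, s in per_src.items():
        if s["flags"] <= {"SA", "R", "RA"}:
            label = "backscatter"  # replies to SYNs spoofed from our dark space: src is a victim
        elif len(s["dsts"]) >= scan_threshold:
            label = "scanner"      # one source probing many dark addresses: likely infected
        else:
            label = "single-hit"   # possible misconfiguration; worth a look, not an alarm
        labels[src] = {"label": label, "hits": s["hits"],
                       "targets": len(s["dsts"]), "ports": sorted(s["dports"])}
    return labels
```

The record with destination 10.0.0.5 is dropped on purpose: on a real sensor its presence would mean the routing or tap setup is wrong, not that an attacker is present.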
Stop the Slashdot effect! Don't read the articles!