Build A Darknet To Capture Naughty Traffic

← Back to Stories (view on slashdot.org)

Build A Darknet To Capture Naughty Traffic

Posted by timothy on Monday June 7, 2004 @11:23AM from the then-bend-it-to-your-evil-will dept.

DM_NeoFLeX writes "Have some routable Address Space lying around? You might want to build a DarkNet. The folks over at Team Cymru have outlined instructions for creating one with FreeBSD and as little as /32 routable space. From the article: 'A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.' Darknets can provide useful information for tracking the flow of naughty network traffic."

6 of 266 comments (clear)

Min score:

Reason:

Sort:

Very Interesting by DeltaSigma · 2004-06-07 11:31 · Score: 4, Interesting

It's like a honeypot, except designed to catch worms, rather than live hacking attempts. Hell this could be extended with fake entries in a corporate address book to monitor worms that spread via e-mail communication.

I like the idea, and wish I had the corporate status to consider an implementation at my company.
1. Re:Very Interesting by Zocalo · 2004-06-07 12:22 · Score: 5, Interesting
  
  I like the idea, and wish I had the corporate status to consider an implementation at my company.
  You don't need to be a big company to do this, just a little savvy and a DSL line. I've been doing like this for a while with my DSL router's firewall which has a feature to copy any traffic matched by a rule to the LAN with the target set to an arbitrary MAC address. I have it setup so that any traffic targetted at my unused IPs gets directed to a bogus MAC on the LAN where it gets directed by my switch to be captured by an old laptop. With the flick of a few config files, I can get a honeypot running too, so I can get a little more than the initial "SYN" of TCP sessions.
  You get some fascinating stuff. My IP space is a few class B's away from some allocated to S. Korea, and a few months ago I saw someone testing a worm exploiting MS-DS in real time. The scriptkiddie had obviously made a typo, because instead of port 445 the traffic was hitting 455, but the traffic was clearly trying to cause use a known buffer overflow and was coming from a dozen or so IPs all within a single ISP.
  Unfortunately, the email I sent to the ISP's NOC listing the source IPs didn't get acted on in time. After about an hour the guy must have corrected the error and the traffic switched to port 445 and the number of source IPs started to grow... I never did find out precisely which one of the many, many, MS-DS exploits circulating at the time this one was though. :(
  
  --
  UNIX? They're not even circumcised! Savages!
Re:Really . . . by LostCluster · 2004-06-07 11:46 · Score: 5, Interesting

The USPS is well aware of that concept. That's why they have a Mail Recovery Centers (commonly called a Dead Letter Office) to which anything that has an invalid delivery address, and either a missing or invalid return address goes to.

These centers are the only part of the postal system allowed to open letters intentionally... as the privacy concern goes out the window in one last ditch attempt to try to figure out where it should be going. Any property that ends up there and has no address indications inside ends up going up for auction. Some charities take the letters addressed to Santa to find ones that indicate particularly needy families and grant wishes.

Snail mail just can't drop packets on the floor as easily...
Re:HoneyPot? by j3ll0 · 2004-06-07 11:59 · Score: 5, Interesting

Yeah, agreed, but.....

I think motivation is important here. Honeypots by their nature are designed to entice black hats into attacking them...so that the owner of the honeypot can analyse what the latest and greatest black hats are going to look for, exploit etc

A darknet setup is passive in that it logs aberrant traffic. It tells you when something out there is actively scanning large gobs of your address space.

Ever played with Snort\ACID and a ruleset from somewhere like Whitehats on a live user subnet ? You get so many false positives that you start to pare down your ruleset. You keep doing this until you start to question the validity of the IDS in the first place.

I think this idea has some real utility....even if it is just to create another dataset to throw at MRTG !! :)
Re:Darknet used as filter. by digitalsushi · 2004-06-07 12:09 · Score: 4, Interesting

WHOA there cowboy. Some of us out here enjoy an occasional ice cold beer or two or three, and I think I'm not alone in saying that we don't always hit the target. Don't discriminate against drunken surfers! If all the requests are for port 80, say, best be you lettin' us in anyways, boy.

--
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
IPv6 by sploxx · 2004-06-07 12:14 · Score: 4, Interesting

Wouldn't this be impossible to create with IPv6? Because of the *huge* address space and the negligible probability of a packet entering a darknet?
This is in no way an argument against IPv6, I'm eagerly awaiting it - I'm just curious...