Slashdot Mirror

← Back to Stories (view on slashdot.org)

Build A Darknet To Capture Naughty Traffic

Posted by timothy on from the then-bend-it-to-your-evil-will dept.

DM_NeoFLeX writes "Have some routable Address Space lying around? You might want to build a DarkNet. The folks over at Team Cymru have outlined instructions for creating one with FreeBSD and as little as /32 routable space. From the article: 'A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.' Darknets can provide useful information for tracking the flow of naughty network traffic."

85 of 266 comments (clear)

  1. Luke by ralf1 · · Score: 5, Funny

    Embrace the power of the darknet.

    --
    "Would you, could you, with a goat?" Dr Seuss
    1. Re:Luke by SIGALRM · · Score: 3, Interesting

      Darknets have multiple uses. These can be used to host flow collectors, backscatter detectors, packet sniffers, and IDS boxes.

      Doesn't the term "Darknet" also refer to a collection of networks and other technologies that enable people to share files with little or no fear of detection?

      --
      Sigs cause cancer.
    2. Re:Luke by wo1verin3 · · Score: 5, Funny

      a collection of networks and other technologies that enable people to share files with little or no fear of detection?

      Naw... thats called the Internet.

      (I didn't say they shouldn't be afraid, but don't seme to be)

    3. Re:Luke by SIGALRM · · Score: 5, Informative

      Naw... thats called the Internet.

      The term "Darknet" is cited in this sense frequently. It was first used by Patrick Ross in Nov. 2002

      Thanks, though.

      --
      Sigs cause cancer.
    4. Re:Luke by MillionthMonkey · · Score: 2, Informative

      Doesn't the term "Darknet" also refer to a collection of networks and other technologies that enable people to share files with little or no fear of detection?

      Yes, that's a usage I've seen too, for example in this article in Slate.

    5. Re:Luke by anakin357 · · Score: 2, Funny

      Somehow all this Darknet business reminds me of

      --
      http://www.fsckin.com/
  2. Build a DorkNet by mcgroarty · · Score: 5, Funny
    CmdrTaco has built a DorkNet to capture naughty traffic.

    The comments that follow are time-stamped proof of what you were all doing during working hours...

  3. Already been done... by TWX · · Score: 5, Funny

    I thought that California had the market cornered on this during the energy crisis...

    --
    Do not look into laser with remaining eye.
    1. Re:Already been done... by wo1verin3 · · Score: 2, Funny

      hey leave us alone, the fault was traced back to Ohio. You may have to subpeona Ontario as a witness, but Ohio is the one you should be suing.

      I'm getting tired of being accused of having derivative code for every blackout we spawn however. We have not used any of SCOs code in development of our own blackouts.

    2. Re:Already been done... by tokachu(k) · · Score: 2, Funny

      Yes, Mr. Honeypot called, and he wants his product back.

  4. Darknets = P2P by Anonymous Coward · · Score: 5, Informative

    darknet n. The collection of networks and other technologies that enable people to illegally share copyrighted digital files with little or no fear of detection.
    http://www.wordspy.com/words/darknet.a sp

    1. Re:Darknets = P2P by drinkypoo · · Score: 2, Insightful
      I've never heard this term and I've been using p2p as long as anybody. A few industry pundits using it doesn't make it a real live term. Frankly I think that both of these uses of the "word" are lame, but calling p2p the darknet is a lot more lame than using the term to refer to a network intended to have no legitimate traffic.

      With all that said, honeynet would seem be a more sensible term for a network like this. It's even sticky, which means people will be getting caught in it more readily, which is precisely what you're going for.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Darknets = P2P by Lehk228 · · Score: 3, Insightful

      actually a darknet would be a peer to peer group where the users know most if not all other members, such as a Dormitory floor setting up FTP servers and giving accounts to everyone on the floor (not that i have any involvement in that sort of activity)

      You sound like my roommate, anything He hasn't heard of isn't legitimate or good enough, which is funny since he won't even accept as valid terms that are listed in the Jargon File)

      --
      Snowden and Manning are heroes.
    3. Re:Darknets = P2P by drinkypoo · · Score: 2, Interesting
      It's well known that I am a nitpicker, but if a darknet is supposed to apply to P2P, then FTP doesn't count because it's client-server :) The whole idea of such a term is absurd. We already have a name for peer to peer, it's P2P. A private P2P network is just that, private P2P. A private FTP is also simply a private FTP. Why make this harder than it has to be?

      My not having heard of it doesn't make it "not good enough", there are plenty of more logical reasons for that. My not having heard of it is enough argument (to me) that it's nothing like a standard term, it's just something that one or two people have pulled out of their ass and it hasn't caught on for one reason or another. This would not apply if it were some field or subject I was unfamiliar with, but as I am not unfamiliar with P2P, but have never heard/read the term "darknet" I can only assume that it is a term in extremely limited use. Like, by wanker pundits who desperately want to be the ones to coin a new phrase.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Darknets = P2P by 0x0d0a · · Score: 3, Funny

      Like, by wanker pundits who desperately want to be the ones to coin a new phrase.

      Nicely put, though it applies to half of the tech journalist types out there.

      --
      May we never see th
    5. Re:Darknets = P2P by Geek+of+Tech · · Score: 3, Interesting
      Let's read this little snippet of the article....

      [snippet]

      A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are "dark" because there is, seemingly, nothing within these networks.

      A Darknet does in fact include at least one server, designed as a packet vacuum. This server gathers the packets and flows that enter the Darknet, useful for real-time analysis or post-event network forensics.

      Any packet that enters a Darknet is by its presence aberrant. No legitimate packets should be sent to a Darknet. Such packets may have arrived by mistake or misconfiguration, but the majority of such packets are sent by malware. This malware, actively scanning for vulnerable devices, will send packets into the Darknet, and this is exactly what we want.

      [/snippet]

      Think this kind of scenario...

      A computer gets some form of malware on it that scans random addresses in its attempt to find vulnerable hosts. I'm going to use the name Blaster for this fictional bug...

      Now lets assume that the IP for your darknet box is aaa.bbb.ccc.ddd. If the bug randomly chooses your box (which isn't entirely unlikely) to scan, you will instantly know something is up. We're not talking "Oh no the evil **AA is after us!" (where ** is any two letters). We're talking more "Hmmm... Someone is trying to send data to an address that as far as anyone knows doesn't have any device on it." It's safe to consider a box compromised if they try to send data to an address that isn't used.

      --
      Stop the Slashdot effect! Don't read the articles!
    6. Re:Darknets = P2P by analog_line · · Score: 2, Informative

      "Honeypots" are usually called such because they're set up to look like an easy mark for a hacker. Fake services, wide open holes, etc, and all the while logging every blessed thing that happens on the machine.

      "Darknets" at least as described here, are not set up to be juicy targets. Technically they shouldn't be targets in the least. They are to all appearances dead IP addresses, hence calling them "dark." This method doesn't catch the perpetrator in the act. Most of what it does is watch for IPs that are doing wide scans, like many of the recent self-replicating worms/virii. In other words, there's no honey for anyone to go after. It's more the equivalent of hiding a camera in the middle of a forest where no one ought to be and see who's walking around.

  5. So hows this work now? by Kenja · · Score: 2, Interesting

    How do you track so called "naughty network traffic" when it goes to an IP with no services or servers? I guess you could do this with somthing along the lines of a "border" firewall (rather then a NAT system). But few of us have such a setup.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:So hows this work now? by Richard_L_James · · Score: 5, Funny
      How do you track so called "naughty network traffic" when it goes to an IP with no services or servers?

      Easy by monitoring for traffic with the evil bit set which will either be originating from hell or going there :)

    2. Re:So hows this work now? by MikeJ9919 · · Score: 2, Informative

      No active services or servers. Key word: active. Passive monitoring would seem to be the rule.

    3. Re:So hows this work now? by Flower · · Score: 4, Funny

      My question is what do you do to naughty network traffic? Do you scold it, give it a time out or do you tie it up and make it your slave?

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    4. Re:So hows this work now? by hearingaid · · Score: 3, Informative
      ipf or ipfw, on a BSD system.

      The equivalents in Linux would be ipchains and iptables, I do believe. (My firewall's FreeBSD, never touched any Linux firewall rules.)

      These tools allow you to log raw packets. Handy.

      --

      my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  6. Use this for... by chrispyman · · Score: 2, Informative

    It would seem like a good idea to use the info collected by the Darknet to perhaps automatically blacklist those offending IP addresses or perhaps to automatically complain to the offending ISP.

  7. Nothing really new here... by Autonin · · Score: 5, Informative

    The Juniper (NetScreen/OneSecure) IDP has done a similar thing for years now.

    You can assign it any IP and port combination, and it will ACK for any SYN's sent to it, whether there's a real server running on that IP or not. Such 'unsolicited' connections are a bad-traffic giveaway.

    --
    -AutoNiN
    1. Re:Nothing really new here... by scottv67 · · Score: 2, Interesting

      I was going to mention the Netscreen IDP but you beat me to the punch. I had an IDP that protected 141.106.0.0/16. I had the Honeypot feature enabled so that if you scanned certain addresses, the IDP would blacklist your source address for 30 minutes. It worked *very* well for shunning lazy portscanning kiddies.

      The IDP is a very impressive piece of technology. A very good complement to a Layer 3 firewall.

      -Scott

  8. Really . . . by OverlordQ · · Score: 4, Insightful

    These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.

    That's like the mailman trying to deliver letters to Santa Claus, or somebody addressing a letter wrong, thank good I know all those letters are Abberant now.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Really . . . by techno-vampire · · Score: 2, Informative

      Abberant doesn't have to mean malicious. It just means that they're someplace they don't belong. If you misaddress a letter, or misdial a phone number, the result is abberant because you end up somewhere you don't belong.

      --
      Good, inexpensive web hosting
    2. Re:Really . . . by LostCluster · · Score: 5, Interesting

      The USPS is well aware of that concept. That's why they have a Mail Recovery Centers (commonly called a Dead Letter Office) to which anything that has an invalid delivery address, and either a missing or invalid return address goes to.

      These centers are the only part of the postal system allowed to open letters intentionally... as the privacy concern goes out the window in one last ditch attempt to try to figure out where it should be going. Any property that ends up there and has no address indications inside ends up going up for auction. Some charities take the letters addressed to Santa to find ones that indicate particularly needy families and grant wishes.

      Snail mail just can't drop packets on the floor as easily...

    3. Re:Really . . . by drinkypoo · · Score: 3, Insightful
      Snail mail can easily have dropped packets - you (or your mail carrier) can miss the mailbox.

      Not only that, but I'm betting a dramatically higher percentage of snailmail packets are misdelivered than IP packets. I am constantly getting mail for my neighbors in unit A in my mailbox, unit B. One wonders if it's my mail carrier or the mail sorters. It's not that they're getting the mailboxes confused, because I get my mail in there at the same time, it's an issue with sorting.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:Really . . . by Effugas · · Score: 4, Insightful

      Snail mail just can't drop packets on the floor as easily...

      Quite the contrary; it's far easier to drop a letter on the floor. A letter has mass. ;-)

    5. Re:Really . . . by mlk · · Score: 2, Insightful

      Snail mail just can't drop packets on the floor as easily...

      You don't live in the UK do you?
      --
      Wow, I should not post when knackered.
  9. Very Interesting by DeltaSigma · · Score: 4, Interesting

    It's like a honeypot, except designed to catch worms, rather than live hacking attempts. Hell this could be extended with fake entries in a corporate address book to monitor worms that spread via e-mail communication.

    I like the idea, and wish I had the corporate status to consider an implementation at my company.

    1. Re:Very Interesting by mikael · · Score: 2

      Hell this could be extended with fake entries in a corporate address book to monitor worms that spread via e-mail communication.

      Going by the junk mail I receive in my domain site, you don't even need a valid E-mail address. The spammers just create a @yourdomain.com address and take their chances with a catch all E-mail address.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    2. Re:Very Interesting by Zocalo · · Score: 5, Interesting
      I like the idea, and wish I had the corporate status to consider an implementation at my company.

      You don't need to be a big company to do this, just a little savvy and a DSL line. I've been doing like this for a while with my DSL router's firewall which has a feature to copy any traffic matched by a rule to the LAN with the target set to an arbitrary MAC address. I have it setup so that any traffic targetted at my unused IPs gets directed to a bogus MAC on the LAN where it gets directed by my switch to be captured by an old laptop. With the flick of a few config files, I can get a honeypot running too, so I can get a little more than the initial "SYN" of TCP sessions.

      You get some fascinating stuff. My IP space is a few class B's away from some allocated to S. Korea, and a few months ago I saw someone testing a worm exploiting MS-DS in real time. The scriptkiddie had obviously made a typo, because instead of port 445 the traffic was hitting 455, but the traffic was clearly trying to cause use a known buffer overflow and was coming from a dozen or so IPs all within a single ISP.

      Unfortunately, the email I sent to the ISP's NOC listing the source IPs didn't get acted on in time. After about an hour the guy must have corrected the error and the traffic switched to port 445 and the number of source IPs started to grow... I never did find out precisely which one of the many, many, MS-DS exploits circulating at the time this one was though. :(

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Very Interesting by Zocalo · · Score: 3, Informative
      I have a Draytek Vigor 2600 series DSL router and use the the onboard firewall (I think it's IPF) to actually redirect the traffic onto the LAN with the bogus MAC. The traffic is then directed to a dedicated port and VLAN on my Cisco switch via the IOS config, keeping aberrant traffic as far away from other traffic as I can. The only other device on the VLAN is my old Toshiba which is, by default running IP less.

      The Tecra is currently running Fedora Core 1 with IPTables enabled and a bunch of IDS and traffic capture tools installed. Finally, I have modified numerous scripts to seamlessly enable and disable IP on the box if I want to run the Honeypot or anything else that requires a real IP address - I have enough IPs that I don't need to bother with NAT. There is also some basic checking in place to make sure if I run two scripts that would bring up the IP interface then shut the first down, it doesn't bring down the IP interface with it.

      --
      UNIX? They're not even circumcised! Savages!
  10. I want one! by BoxOfCuriosity · · Score: 4, Funny

    I want an IP in the darknet!

    I can hear the cry of the children everywhere!

    Oh yeah! and whats an IP?

    The Box is Open

  11. But then by trialsboy · · Score: 5, Insightful

    Ok, it's a really good idea, but catching the naughty traffic isnt the hard part, what does it do witht he naughty traffic it gets, just make a pretty graph?

    --

    "Pushing little children, with their fully automatics, they like to push the weak around"
    1. Re:But then by drinkypoo · · Score: 2, Interesting

      How about logging it and initiating some security rules with it? It should be simple enough to write a little daemon which will watch for log messages and institute temporary (or not temporary) firewall rules to block traffic from those hosts. The nature of the block (temporary or non) can be contingent on the type of traffic. Illegitimate connections on ports known to be used for undesirable activity would be grounds for a longer block than, say, a connection to port 80 on an IP address adjacent to a legitimate webserver. (People do mistype addresses occasionally and there are legitimate reasons to access hosts by IP, like when name resolution is broken and you need to get a file onto the machine to fix it.)

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  12. Re:Slashdot "punishment" problem by mcgroarty · · Score: 2, Insightful
    but don't punish people for being funny!

    I have read thousands of Slash posts, and I promise you that being funny has never been a problem.

    Seriously. I've read Dilbert and User Friendly, and what passes for +1 Funny with you folks isn't. It's complaining with community tech jargon thrown in, or it's complaining, or it's misuse of community jargon by outsiders.

    I'm not the only one who's made this observation. You guys need a serious humor overhaul. Look to some humor sources from better-adjusted people to fully understand your problem.

    LOL, I hate Monday too, John Arbuckle. Let's see what ole Marmaduke's up to.

  13. Analyzing the Witty worm with a massive darknet by G4from128k · · Score: 4, Informative

    The analysis of the Witty worm (discussed on /. here ) used a massive darknet subtending 1/256 of the entire IPv4 address space. This gave them an excellent sample size for analyzing the behavior of the worm.

    --
    Two wrongs don't make a right, but three lefts do.
    1. Re:Analyzing the Witty worm with a massive darknet by br0ck · · Score: 3, Informative

      I believe you meant this for your first link.

  14. ARIN by EdMcMan · · Score: 2, Funny

    Somehow I doubt ARIN and IANA will like this.

    1. Re:ARIN by Autonin · · Score: 5, Informative

      Why not? The 'DarkNet' concept uses *already allocated* IP space that just happens to not be actually used at present. ARIN has nothing to do with this - they've already given out the addresses to registered holders.

      I'm Mr. Huge ISP, with gobs of class B's and class C's already allocated to me, the routes for these subnets already advertised on the backbone as coming to me, I might as well do something with the space until I can put some servers there later.

      Fire up a Juniper IDP and configure it for those unused networks. Then when bad guys come a'callin', you'll be able to log or block as you like.

      --
      -AutoNiN
    2. Re:ARIN by digitalsushi · · Score: 4, Informative

      ARIN doesnt care what you do with anything smaller than a /29. 16 IP blocks and larger you do, though. Hell there's colo servers you can rent that'll give you a /24! What a waste, that is. But they'll allow for the excuse that someone has a crap web server that can't do name based hosting. Like ugh ... what was that. Cold Fusion! as recently as 2002 needed one IP per website.

      And of course, if you don't document who's using what, they don't do anything about it anyways. God help you if you want more IPs, though.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    3. Re:ARIN by pyrrhonist · · Score: 4, Funny
      one word: SSL sites
      $ echo "SSL sites" | wc -w
      2
      WTF?
      --
      Show me on the doll where his noodly appendage touched you.
  15. HoneyPot? by molo · · Score: 4, Insightful

    Sounds like a standard HoneyPot, except the only machine on the nextwork segement is a packet sniffer, so the address doesn't have any real destinations.. Not a big deal. I'm sure the honeynet people have done similar.

    -molo

    --
    Using your sig line to advertise for friends is lame.
    1. Re:HoneyPot? by j3ll0 · · Score: 5, Interesting


      Yeah, agreed, but.....

      I think motivation is important here. Honeypots by their nature are designed to entice black hats into attacking them...so that the owner of the honeypot can analyse what the latest and greatest black hats are going to look for, exploit etc

      A darknet setup is passive in that it logs aberrant traffic. It tells you when something out there is actively scanning large gobs of your address space.

      Ever played with Snort\ACID and a ruleset from somewhere like Whitehats on a live user subnet ? You get so many false positives that you start to pare down your ruleset. You keep doing this until you start to question the validity of the IDS in the first place.

      I think this idea has some real utility....even if it is just to create another dataset to throw at MRTG !! :)

  16. Re:Very cool! by 0racle · · Score: 4, Informative

    A sniffer will sniff all traffic on the wire for malicious activity, where as this, since there is no reason for any traffic to be directed at these addresses or routed to that subnet, you know immediately something is up.

    If it seems like you've heard it before, you probably have, its similar if not the same thing to a honeypot/net.

    --
    "I use a Mac because I'm just better than you are."
  17. Re:like anyone here as a /32 ip block by sl0ppy · · Score: 3, Funny

    a /32 block is a single machine.

  18. aka blackhole networks by Anonymous Coward · · Score: 5, Informative

    Using dark ip space, bogon space and so on for blackhole network monitoring has been in use for a while to help detect DDoS's and even network worms. Jose Nazario has written quite thoroughly and extensively about their usage in his book, Defense and Detection Strategies against Internet Worms. Check it out if this interests you.

  19. Darknet used as filter. by jelwell · · Score: 5, Insightful

    An interesting use of a darknet would be to shield a real server from unwanted attacks. Have the darknet relate any internet IPs that contact the darknet to your real server to ignore.

    As an example. Setup a darknet on the following IPs:
    DARK_A : 204.210.34.1
    DARK_B : 204.210.34.3

    Setup the real server mathematically between the two darknet IP addresses:
    REAL : 204.210.34.2

    Now have DARK_A & DARK_B contact REAL whenever DARK_A or DARK_B receive any packets. REAL can be setup to, on the fly, filter out any packets received from the same source as the DARK servers reported.

    In a sense you're creating a realtime blacklist. You can set the list on a timed delay to expire. Or even filter out specific packet signatures instead of entire suspect IP addresses.

    just a thought...
    Joseph Elwell

    1. Re:Darknet used as filter. by digitalsushi · · Score: 4, Interesting

      WHOA there cowboy. Some of us out here enjoy an occasional ice cold beer or two or three, and I think I'm not alone in saying that we don't always hit the target. Don't discriminate against drunken surfers! If all the requests are for port 80, say, best be you lettin' us in anyways, boy.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    2. Re:Darknet used as filter. by jrl · · Score: 5, Informative

      Be sure to whitelist certain "key" addresses. This is the same problem you'll run into with "active" IDS/IPS.

      To paraphrase a smart person (can't remember who), when you let the bad guys write your firewall rulesets for you, bad things could happen.

      When you actively block things based on preceived bad traffic, you are in essence allowing the bad person to write some rules for you.

      Imagine if your attacker knew your default route and sent some spoofed packets to .1 and .3, thus killing all traffic from .2 to the net. etc, etc, etc.

      Best of luck.

    3. Re:Darknet used as filter. by kiolbasa · · Score: 5, Informative

      An good idea, similar to how spam-trap addresses can be used to build spammer blacklists. However, you would have to do something to keep packets with forged return addresses from spoiling your blacklist. This might mean completing TCP connection setup, etc., to verify the source. Your darknet wouldn't be passive and totally silent, which is what the article seems to imply in it's definition of a "darknet." Of course, other analysis of the packets could weed out false positives.

      --

      Beer wants to be free
    4. Re:Darknet used as filter. by syknes · · Score: 2, Insightful

      Very clever. So I send a bunch of packets to DARK_A and DARK_B with forged sender headers so that REAL starts blocking legitimate traffic from the senders I faked.
      Realtime blacklists are lovely tools for denial-of-service attacks. Probably why you don't see more of them out there.

    5. Re:Darknet used as filter. by Rosonowski · · Score: 2, Insightful

      Heh, but most netsurfing is by DNS. When's the last time you visited a website, drunk, by IP address instead of DNS alias?

      --
      01101001 01100001 01101101 01101110 01101111 01110100 01100001 01101100 01100001 01110111 01111001 01100101 01110010
    6. Re:Darknet used as filter. by mhesseltine · · Score: 2, Funny
      Heh, but most netsurfing is by DNS. When's the last time you visited a website, drunk, by IP address instead of DNS alias?

      That actually sounds like a good geek drinking game.

      • Player A gives player B a website (www.yahoo.com, for example)
      • Player B must navigate to that website, by IP address, within X number of attempts.
      • If successful, player A takes a drink. If not, player B takes a drink
      • Player B then gives the address to the next player until one person is left standing.
      --
      Overrated / Underrated : Moderation :: Anonymous Coward : Posting
    7. Re:Darknet used as filter. by mhesseltine · · Score: 4, Funny
      Tht would b ton of funn wihen Ipv^.

      I see you've played this game before.

      --
      Overrated / Underrated : Moderation :: Anonymous Coward : Posting
  20. Darknet not needed by lukewarmfusion · · Score: 4, Insightful

    I have a whole list of bookmarks for my naughty traffic.

    Seriously, though... I have a spare wireless router set up at work that's easily hacked, easily found, and logs every damn thing that touches it. Our real wireless network is obscured, encrypted, mac filtered, etc. I realize it's not technically the same thing as the post describes (I guess you'd call it a honeypot network or something) but it's the same idea.

    Of course, nobody will care if a hacker makes his way into our network (honeypot or not) unless he does some "damage."

    1. Re:Darknet not needed by hearingaid · · Score: 2, Informative
      That's not a honeypot. It's not really either a darknet. It does have elements in common with both, though - a decoy network?

      A honeypot is a server that appears to be riddled with security holes. What you have isn't a server, so not a honeypot.

      A darknet is an IP-addressable network that appears to be not in use. What you have isn't IP-addressable, so not a darknet. We need a new phrase :)

      --

      my old sig used to be funny, but then slashcode ate it and now it's not funny anymore

  21. Re:like anyone here as a /32 ip block by ErichTheWebGuy · · Score: 3, Informative

    like anyone here as a /32 ip block

    Maybe you should have learned networking before posting that. You have a /32 block, I do, and so does everyone else here. A /32 block is a single ip address. People with DSL connections, who get more than 1 ip allocated, are perfect candadites. I can even get additional ip's from my cable company, on request, for no additional charge (at least that was the case about a year ago, I heard they charge like 3 bucks a month now).

    --
    bash: rtfm: command not found
  22. HoneyPots by xplosiv · · Score: 3, Interesting

    What's the difference between a darknet and a honeypot/net setup? Both seem to have the same goals, and both use some IP space to detect potential attacks.

    1. Re:HoneyPots by Anonymous Coward · · Score: 3, Informative

      honeypots emulate a "real" machine. they provide "real" services and have "real" filesystem, etc. these are designed to analyze human activity (cracking methods and tools).

      darknet seems to be logging traffic to the undefined addresses instead of dropping packets on the floor or sending icmp error responses. darknets don't appear to actually respond to traffic (analyzing worms / automated tools, no intelligence behind them).

  23. I would have thought... by syousef · · Score: 3, Funny

    ...there are easier ways of finding Pr0n aren't there? Like opening up your spam folder :-)

    --
    These posts express my own personal views, not those of my employer
  24. I don't get the complexity by DDumitru · · Score: 4, Informative

    The idea here is to catch traffic to otherwise unused network addresses. This does not require any of the stuff that seems to be implied here.

    For example, say you have a Linux system in a colo somewhere (or on the end of a T-1 or some other >1 IP address static network). You have some IP addresses assigned to you that are otherwise not assigned. Here is how you can get all of the darknet functionality with your standard server.

    Some example numbers (none of which are real)

    Unused address to watch: 10.11.12.13
    Interface on which you receive traffic: eth0
    A fake interface to route to: tap0

    Configure your server to ARP the extra addresses:

    arp -Ds 10.11.12.13 eth0 -i eth0 pub

    Setup a "tap" device to route the traffic to

    tunctl -u nobody -t tap0
    ifconfig tap0 10.11.12.13 netmask 255.255.255.0 broadcast 10.11.12.255 up

    Setup a "route" to the device

    ip route add 10.11.12.13 dev tap0

    At this point the traffic should all route to the fake device tap0. You can run tcpdump on this, setup IP filter chains, run MRTG on it directly, etc. All without any extra hardware.

    For those that work with UML (User Mode Linux), you already recognize this is exactly how you setup virtual UML networks.

    This is also somewhat related to "tar pits" that just answer connect requests to addresses that have un-completed ARP requests.

    Have fun.

    1. Re:I don't get the complexity by Anonymous Coward · · Score: 2, Informative

      Your idea of binding addresses through arp works almost as well, but it is not the same. Once you bind an address through arp, the interface will respond to arp requests. This goes against the author's idea of having absolutely no outbound on the sniffing interface. You can probably get along without it, but it's nice to be able to put up firewall rules that block all outbound and inbound traffic of all types on the sniffer interface, so that you know that anything you collect is genuine Bad Data.

      Also, the approach of using an external router helps in that it allows you to direct packets from all over the place to your darknet machine. If you use arp, that will only direct traffic for IP addresses that are already routed to the network. So, if you route based on x.x.x.x/24 networks as it is and you want a darknet that captures data from outside one x.x.x.x/24 network, then you'll need to make changes on the router *anyway*. Sooner or later, it just becomes cleaner and simpler to dedicate a router to the purpose or at least make some changes on the router.

    2. Re:I don't get the complexity by DDumitru · · Score: 3, Interesting

      You are correct if you are going to route "big chunks" of address space. On the other hand, most of us (at least those with some colo machines at our disposal) don't have spare /24s laying around [and if you do you should give them back to ARIN]. Also, it is arguably better to watch 256 "random" addresses than 256 in a row, so watching a bunch of small blocks is actually better than grabbing a big contiguous block.

      A couple of other points here. ARP does not actually create any extra traffic on the interface that is being watched. In this example, the ARP goes from eth0 to the upstream router. You are packet sniffing tap0. Thus tap0 will show absolutely zero outbound traffic (it cannot because there is no "client" application talking to it). Regardless, we are talking about IP here. If you have traffic reaching your interface that it not IP (and ARP is not IP), just why did the router forward it to you anyway.

      If you have a lot of nets that need to be routed this way, you can still do it. There is nothing wrong with static routes that go thru 5 systems on the way to the tap device. These can cross local LAN segments and provided there are no firewall rules that disallow it, the effect is the same.

      If your purpose is to dedicate resources to this project, then the dedicated network solutions is best. Otherwise, the virtual network solutions that use 'arp' and 'tap' devices gets you 100% of the same traffic to analyze.

      My "best" choice if you want to watch a "lot" of addresses would be to run something like LaBrea that responds to "un ARPed" packets. This could be mangled to automatically setup the interface to forward unused addresses within the current block to a tap device. I have not tried this, but it would be fun and not too hard to implement.

  25. AKA Network Telescopes by BSDevil · · Score: 5, Informative

    These things have been around for awhile, but known as Network Telescopes. The largest (AFAIK) is at UCSD, which is just a tad larger than a /32 (like, say, a /8). They collected some interesting data off the thing during all the Blaster rampages (Google cache of HTML'ed PDF here).

    Also, see the NANOG guide to setting them up here, and the home for the CAIDA/UCSD telescope here.

    So in short, nice job to the Welsh for implementing it, but there's bigger elsewhere for y'all to play with.

    --
    Cue The Sun...
  26. Hey loser...I've got a /8 block by Anonymous Coward · · Score: 3, Funny

    Well, yes it's 10.0.0.0
    but I control it...and that's what's important.
    Ok, well...yes, I only control it on my side of the router...
    sniff...nevermind

  27. Re:Am I the only one by 88NoSoup4U88 · · Score: 2, Informative
    Yes, because finding the stuff i want on the second site you referred to is much easier.

    Waitaminute !

  28. IPv6 by sploxx · · Score: 4, Interesting

    Wouldn't this be impossible to create with IPv6? Because of the *huge* address space and the negligible probability of a packet entering a darknet?
    This is in no way an argument against IPv6, I'm eagerly awaiting it - I'm just curious...

    1. Re:IPv6 by glwtta · · Score: 3, Insightful
      I am guessing that the kind of "naughty" traffic this is designed to mintor will also be made obsolete by IPv6's massive address space.

      Seems the purpose is to monitor IP scanning activity - something wholly impractical with IPv6.

      --
      sic transit gloria mundi
    2. Re:IPv6 by Nasarius · · Score: 2, Interesting
      something wholly impractical with IPv6

      Brute force scanning, yes. But plug into the IANA/ARIN/etc databases and you can narrow it down quite a bit.

      --
      LOAD "SIG",8,1
  29. Santa has an address by brunes69 · · Score: 3, Informative

    Santa Claus
    North Pole, Canada
    H0H 0H0

    If you write Santa at this address, he will write back. Not 100% sure USPS will send it over the border, but if they do, it'll work.

    ( Canada Post sends out replies to children each year; I think employees at the post office volunteer and take the time to hand-craft a personal reply to each and every letter, though they may be auto-generated nowadays, i am not certain ).

    1. Re:Santa has an address by Anonymous Coward · · Score: 4, Funny
      Yeah, great. Now everyone will write!

      "OMG! They slashdotted Santa!"
      "Those bastards!"

  30. Actually, we have had these for about that long... by Lux · · Score: 4, Informative


    Down at SDSC they have a little less than 1% of ALL of the routable IP space dedicated to doing this stuff. They call it a network telescope, and use it to study DOS activity and stuff.

    http://www.caida.org/analysis/security/telescope /

    "Inferring Internet Denial-of-Service Activity" [2001] is good reading.

  31. Darknet, invite naughty traffic on your net today! by pgnas · · Score: 5, Informative

    I completely agree, after spending countless hours sifting through log files, tweaking triggers to help reduce the amount of false positives, the IDS is not the complete answer.

    An IDS is only so efficient, you need to first really understand your network before deploying, and even after deployment, this is only the beginning.

    We have been using Darknets, or honeypots for sometime, an excellent combination of tools, see Snort, ACID (Analysis Console for Intrusion Databases

    As said before and in the article, this is a sophisticated set of tools and you need to understand your network, or you will find yourself chasing ghosts, Enter the Darknet (Honeypot).

    Combined with the other tools, we have been using Honeyd , an excellent honeypot, simple to get up an going and very configurable.

    Snort.org has an excellent howto documentation to get the IDS up an going, then you can add the honeypot.

    It can be downright humorous how quickly you will begin to capture useful information. In addition, adding scripts to interact with the traffic will allow you to keep the user busy while you are collecting data, or Tarpitting the traffic making the port "sticky" dragging the connections, another good one would be LeBrea.

    If you have any interest in network security, or simply want to monitor your home network, you need to take a look at darknet, or any of the other tools mentioned.

  32. Re:like anyone here as a /32 ip block by radiophonic · · Score: 2, Funny

    I've got a /666 block. It's a devil to manage.

    --
    Whenever you read this sig someone's refrigerator light turns on.
  33. Re:Am I the only one by negaPLuCK · · Score: 2, Insightful

    "upto date design" is for marketeers. Simplicity is for conveying information. If you dont like it, don't read it.

  34. Re:Very cool! by jest3r · · Score: 2, Funny

    just another excuse for sysadmins everywhere to amass large quantities of pr0n in a short period of time ...

  35. Re:Naughty traffic ? by Anonymous Coward · · Score: 2, Funny

    We moderators do not have a sense of humor that we are aware of.

  36. Re:Slashdot "punishment" problem by Anonymous Coward · · Score: 2, Insightful

    I think we should punish people no matter what they do. It's fun!

  37. Re:screw the Darknet by REBloomfield · · Score: 2, Interesting

    Luke did not 'defeat' Vader and the darkside. He threw down his lightsaber and it was Vader who rose up and brought an end to the Sith - but not the darkside of the force. Han's daughter briefly dabbled, and Mara Jade could be considered 'dark'.

  38. And then what? by cyclist1200 · · Score: 3, Funny

    Slap it on the nose with a newspaper and say, "Bad! Bad packet!"?

  39. Another DarkNet Story by Anonymous Coward · · Score: 2, Insightful

    More than a decade ago we built a "darknet" out of several unused class A addresses which we had access at the time. This was an experiment and we coordinated with the right network operators and funding agencies to make it all right. All networks were routed to our capture network containing only a packet sniffer. We kept the network in place for a month. The result: an amazing variety of "broken packets" which one Internet guru dubbed "bogons" arived at a low but constant rate. The three class A networks allowed us to see effects across part of the network address "spectrum:" we noticed, for example, that some bogons from the same host showed up on all three networks, spreading broken packets across the address space! We traced many bogons to bad UNIX ports and could, in some cases, locate the specific porting error responsible. Big and little endian problems accounted for many. A lot of people ran these broken ports and, due to the random luck of their address assignment, the port generated orphaned bogons onto our three class A networks. and hence to our darknet. One day we captured bogons containing commands for a distributed database. We traced it to a development lab run by a large computer manufacturer who thought no one knew that they were working on a new distributed database product. We were able to discover the origin and cause of many bogons, however, in the majority of cases we could not establish the bogon's cause or its origin. Our "darknet" experience showed a constant low level chatter of bogons througout the Internet. There are no "silent" slots in the address space, unused, where no one routes traffic. Unexpected things arrive and await discovery.