Build A Darknet To Capture Naughty Traffic

DM_NeoFLeX writes "Have some routable Address Space lying around? You might want to build a DarkNet. The folks over at Team Cymru have outlined instructions for creating one with FreeBSD and as little as /32 routable space. From the article: 'A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.' Darknets can provide useful information for tracking the flow of naughty network traffic."

Luke

[ralf1]

Embrace the power of the darknet.

Re:Luke

[SIGALRM]

Darknets have multiple uses. These can be used to host flow collectors, backscatter detectors, packet sniffers, and IDS boxes.

Doesn't the term "Darknet" also refer to a collection of networks and other technologies that enable people to share files with little or no fear of detection?

Re:Luke

[wo1verin3]

a collection of networks and other technologies that enable people to share files with little or no fear of detection?

Naw... thats called the Internet.

(I didn't say they shouldn't be afraid, but don't seme to be)

Re:Luke

[SIGALRM]

Naw... thats called the Internet.

The term "Darknet" is cited in this sense frequently. It was first used by Patrick Ross in Nov. 2002

Thanks, though.

Build a DorkNet

[mcgroarty]

CmdrTaco has built a DorkNet to capture naughty traffic.

The comments that follow are time-stamped proof of what you were all doing during working hours...

Already been done...

[TWX]

I thought that California had the market cornered on this during the energy crisis...

Darknets = P2P

darknet n. The collection of networks and other technologies that enable people to illegally share copyrighted digital files with little or no fear of detection.
http://www.wordspy.com/words/darknet.a sp

Re:Darknets = P2P

[Lehk228]

actually a darknet would be a peer to peer group where the users know most if not all other members, such as a Dormitory floor setting up FTP servers and giving accounts to everyone on the floor (not that i have any involvement in that sort of activity)

You sound like my roommate, anything He hasn't heard of isn't legitimate or good enough, which is funny since he won't even accept as valid terms that are listed in the Jargon File)

Re:Darknets = P2P

[0x0d0a]

Like, by wanker pundits who desperately want to be the ones to coin a new phrase.

Nicely put, though it applies to half of the tech journalist types out there.

Re:Darknets = P2P

[Geek+of+Tech]

Let's read this little snippet of the article....

[snippet]

A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are "dark" because there is, seemingly, nothing within these networks.

A Darknet does in fact include at least one server, designed as a packet vacuum. This server gathers the packets and flows that enter the Darknet, useful for real-time analysis or post-event network forensics.

Any packet that enters a Darknet is by its presence aberrant. No legitimate packets should be sent to a Darknet. Such packets may have arrived by mistake or misconfiguration, but the majority of such packets are sent by malware. This malware, actively scanning for vulnerable devices, will send packets into the Darknet, and this is exactly what we want.

[/snippet]

Think this kind of scenario...

A computer gets some form of malware on it that scans random addresses in its attempt to find vulnerable hosts. I'm going to use the name Blaster for this fictional bug...

Now lets assume that the IP for your darknet box is aaa.bbb.ccc.ddd. If the bug randomly chooses your box (which isn't entirely unlikely) to scan, you will instantly know something is up. We're not talking "Oh no the evil **AA is after us!" (where ** is any two letters). We're talking more "Hmmm... Someone is trying to send data to an address that as far as anyone knows doesn't have any device on it." It's safe to consider a box compromised if they try to send data to an address that isn't used.

Nothing really new here...

[Autonin]

The Juniper (NetScreen/OneSecure) IDP has done a similar thing for years now.

You can assign it any IP and port combination, and it will ACK for any SYN's sent to it, whether there's a real server running on that IP or not. Such 'unsolicited' connections are a bad-traffic giveaway.

Really . . .

[OverlordQ]

These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.

That's like the mailman trying to deliver letters to Santa Claus, or somebody addressing a letter wrong, thank good I know all those letters are Abberant now.

Re:Really . . .

[LostCluster]

The USPS is well aware of that concept. That's why they have a Mail Recovery Centers (commonly called a Dead Letter Office) to which anything that has an invalid delivery address, and either a missing or invalid return address goes to.

These centers are the only part of the postal system allowed to open letters intentionally... as the privacy concern goes out the window in one last ditch attempt to try to figure out where it should be going. Any property that ends up there and has no address indications inside ends up going up for auction. Some charities take the letters addressed to Santa to find ones that indicate particularly needy families and grant wishes.

Snail mail just can't drop packets on the floor as easily...

Re:Really . . .

[drinkypoo]

Snail mail can easily have dropped packets - you (or your mail carrier) can miss the mailbox.

Not only that, but I'm betting a dramatically higher percentage of snailmail packets are misdelivered than IP packets. I am constantly getting mail for my neighbors in unit A in my mailbox, unit B. One wonders if it's my mail carrier or the mail sorters. It's not that they're getting the mailboxes confused, because I get my mail in there at the same time, it's an issue with sorting.

Re:Really . . .

[Effugas]

Snail mail just can't drop packets on the floor as easily...

Quite the contrary; it's far easier to drop a letter on the floor. A letter has mass. ;-)

Very Interesting

[DeltaSigma]

It's like a honeypot, except designed to catch worms, rather than live hacking attempts. Hell this could be extended with fake entries in a corporate address book to monitor worms that spread via e-mail communication.

I like the idea, and wish I had the corporate status to consider an implementation at my company.

Re:Very Interesting

[Zocalo]

I like the idea, and wish I had the corporate status to consider an implementation at my company.

You don't need to be a big company to do this, just a little savvy and a DSL line. I've been doing like this for a while with my DSL router's firewall which has a feature to copy any traffic matched by a rule to the LAN with the target set to an arbitrary MAC address. I have it setup so that any traffic targetted at my unused IPs gets directed to a bogus MAC on the LAN where it gets directed by my switch to be captured by an old laptop. With the flick of a few config files, I can get a honeypot running too, so I can get a little more than the initial "SYN" of TCP sessions.

You get some fascinating stuff. My IP space is a few class B's away from some allocated to S. Korea, and a few months ago I saw someone testing a worm exploiting MS-DS in real time. The scriptkiddie had obviously made a typo, because instead of port 445 the traffic was hitting 455, but the traffic was clearly trying to cause use a known buffer overflow and was coming from a dozen or so IPs all within a single ISP.

Unfortunately, the email I sent to the ISP's NOC listing the source IPs didn't get acted on in time. After about an hour the guy must have corrected the error and the traffic switched to port 445 and the number of source IPs started to grow... I never did find out precisely which one of the many, many, MS-DS exploits circulating at the time this one was though. :(

Re:Very Interesting

[Zocalo]

I have a Draytek Vigor 2600 series DSL router and use the the onboard firewall (I think it's IPF) to actually redirect the traffic onto the LAN with the bogus MAC. The traffic is then directed to a dedicated port and VLAN on my Cisco switch via the IOS config, keeping aberrant traffic as far away from other traffic as I can. The only other device on the VLAN is my old Toshiba which is, by default running IP less.

The Tecra is currently running Fedora Core 1 with IPTables enabled and a bunch of IDS and traffic capture tools installed. Finally, I have modified numerous scripts to seamlessly enable and disable IP on the box if I want to run the Honeypot or anything else that requires a real IP address - I have enough IPs that I don't need to bother with NAT. There is also some basic checking in place to make sure if I run two scripts that would bring up the IP interface then shut the first down, it doesn't bring down the IP interface with it.

I want one!

[BoxOfCuriosity]

I want an IP in the darknet!

I can hear the cry of the children everywhere!

Oh yeah! and whats an IP?

The Box is Open

But then

[trialsboy]

Ok, it's a really good idea, but catching the naughty traffic isnt the hard part, what does it do witht he naughty traffic it gets, just make a pretty graph?

Analyzing the Witty worm with a massive darknet

[G4from128k]

The analysis of the Witty worm (discussed on /. here ) used a massive darknet subtending 1/256 of the entire IPv4 address space. This gave them an excellent sample size for analyzing the behavior of the worm.

Re:Analyzing the Witty worm with a massive darknet

[br0ck]

I believe you meant this for your first link.

HoneyPot?

[molo]

Sounds like a standard HoneyPot, except the only machine on the nextwork segement is a packet sniffer, so the address doesn't have any real destinations.. Not a big deal. I'm sure the honeynet people have done similar.

-molo

Re:HoneyPot?

[j3ll0]

Yeah, agreed, but.....

I think motivation is important here. Honeypots by their nature are designed to entice black hats into attacking them...so that the owner of the honeypot can analyse what the latest and greatest black hats are going to look for, exploit etc

A darknet setup is passive in that it logs aberrant traffic. It tells you when something out there is actively scanning large gobs of your address space.

Ever played with Snort\ACID and a ruleset from somewhere like Whitehats on a live user subnet ? You get so many false positives that you start to pare down your ruleset. You keep doing this until you start to question the validity of the IDS in the first place.

I think this idea has some real utility....even if it is just to create another dataset to throw at MRTG !! :)

Re:So hows this work now?

[Richard_L_James]

How do you track so called "naughty network traffic" when it goes to an IP with no services or servers?

Easy by monitoring for traffic with the evil bit set which will either be originating from hell or going there :)

Re:Very cool!

[0racle]

A sniffer will sniff all traffic on the wire for malicious activity, where as this, since there is no reason for any traffic to be directed at these addresses or routed to that subnet, you know immediately something is up.

If it seems like you've heard it before, you probably have, its similar if not the same thing to a honeypot/net.

Re:like anyone here as a /32 ip block

[sl0ppy]

a /32 block is a single machine.

aka blackhole networks

Using dark ip space, bogon space and so on for blackhole network monitoring has been in use for a while to help detect DDoS's and even network worms. Jose Nazario has written quite thoroughly and extensively about their usage in his book, Defense and Detection Strategies against Internet Worms. Check it out if this interests you.

Darknet used as filter.

[jelwell]

An interesting use of a darknet would be to shield a real server from unwanted attacks. Have the darknet relate any internet IPs that contact the darknet to your real server to ignore.

As an example. Setup a darknet on the following IPs:
DARK_A : 204.210.34.1
DARK_B : 204.210.34.3

Setup the real server mathematically between the two darknet IP addresses:
REAL : 204.210.34.2

Now have DARK_A & DARK_B contact REAL whenever DARK_A or DARK_B receive any packets. REAL can be setup to, on the fly, filter out any packets received from the same source as the DARK servers reported.

In a sense you're creating a realtime blacklist. You can set the list on a timed delay to expire. Or even filter out specific packet signatures instead of entire suspect IP addresses.

just a thought...
Joseph Elwell

Re:Darknet used as filter.

[digitalsushi]

WHOA there cowboy. Some of us out here enjoy an occasional ice cold beer or two or three, and I think I'm not alone in saying that we don't always hit the target. Don't discriminate against drunken surfers! If all the requests are for port 80, say, best be you lettin' us in anyways, boy.

Re:Darknet used as filter.

[jrl]

Be sure to whitelist certain "key" addresses. This is the same problem you'll run into with "active" IDS/IPS.

To paraphrase a smart person (can't remember who), when you let the bad guys write your firewall rulesets for you, bad things could happen.

When you actively block things based on preceived bad traffic, you are in essence allowing the bad person to write some rules for you.

Imagine if your attacker knew your default route and sent some spoofed packets to .1 and .3, thus killing all traffic from .2 to the net. etc, etc, etc.

Best of luck.

Re:Darknet used as filter.

[kiolbasa]

An good idea, similar to how spam-trap addresses can be used to build spammer blacklists. However, you would have to do something to keep packets with forged return addresses from spoiling your blacklist. This might mean completing TCP connection setup, etc., to verify the source. Your darknet wouldn't be passive and totally silent, which is what the article seems to imply in it's definition of a "darknet." Of course, other analysis of the packets could weed out false positives.

Re:Darknet used as filter.

[mhesseltine]

Tht would b ton of funn wihen Ipv^.

I see you've played this game before.

Darknet not needed

[lukewarmfusion]

I have a whole list of bookmarks for my naughty traffic.

Seriously, though... I have a spare wireless router set up at work that's easily hacked, easily found, and logs every damn thing that touches it. Our real wireless network is obscured, encrypted, mac filtered, etc. I realize it's not technically the same thing as the post describes (I guess you'd call it a honeypot network or something) but it's the same idea.

Of course, nobody will care if a hacker makes his way into our network (honeypot or not) unless he does some "damage."

Re:like anyone here as a /32 ip block

[ErichTheWebGuy]

like anyone here as a /32 ip block

Maybe you should have learned networking before posting that. You have a /32 block, I do, and so does everyone else here. A /32 block is a single ip address. People with DSL connections, who get more than 1 ip allocated, are perfect candadites. I can even get additional ip's from my cable company, on request, for no additional charge (at least that was the case about a year ago, I heard they charge like 3 bucks a month now).

Re:ARIN

[Autonin]

Why not? The 'DarkNet' concept uses *already allocated* IP space that just happens to not be actually used at present. ARIN has nothing to do with this - they've already given out the addresses to registered holders.

I'm Mr. Huge ISP, with gobs of class B's and class C's already allocated to me, the routes for these subnets already advertised on the backbone as coming to me, I might as well do something with the space until I can put some servers there later.

Fire up a Juniper IDP and configure it for those unused networks. Then when bad guys come a'callin', you'll be able to log or block as you like.

HoneyPots

[xplosiv]

What's the difference between a darknet and a honeypot/net setup? Both seem to have the same goals, and both use some IP space to detect potential attacks.

Re:HoneyPots

honeypots emulate a "real" machine. they provide "real" services and have "real" filesystem, etc. these are designed to analyze human activity (cracking methods and tools).

darknet seems to be logging traffic to the undefined addresses instead of dropping packets on the floor or sending icmp error responses. darknets don't appear to actually respond to traffic (analyzing worms / automated tools, no intelligence behind them).

I would have thought...

[syousef]

...there are easier ways of finding Pr0n aren't there? Like opening up your spam folder :-)

I don't get the complexity

[DDumitru]

The idea here is to catch traffic to otherwise unused network addresses. This does not require any of the stuff that seems to be implied here.

For example, say you have a Linux system in a colo somewhere (or on the end of a T-1 or some other >1 IP address static network). You have some IP addresses assigned to you that are otherwise not assigned. Here is how you can get all of the darknet functionality with your standard server.

Some example numbers (none of which are real)

Unused address to watch: 10.11.12.13
Interface on which you receive traffic: eth0
A fake interface to route to: tap0

Configure your server to ARP the extra addresses:

arp -Ds 10.11.12.13 eth0 -i eth0 pub

Setup a "tap" device to route the traffic to

tunctl -u nobody -t tap0
ifconfig tap0 10.11.12.13 netmask 255.255.255.0 broadcast 10.11.12.255 up

Setup a "route" to the device

ip route add 10.11.12.13 dev tap0

At this point the traffic should all route to the fake device tap0. You can run tcpdump on this, setup IP filter chains, run MRTG on it directly, etc. All without any extra hardware.

For those that work with UML (User Mode Linux), you already recognize this is exactly how you setup virtual UML networks.

This is also somewhat related to "tar pits" that just answer connect requests to addresses that have un-completed ARP requests.

Have fun.

Re:I don't get the complexity

[DDumitru]

You are correct if you are going to route "big chunks" of address space. On the other hand, most of us (at least those with some colo machines at our disposal) don't have spare /24s laying around [and if you do you should give them back to ARIN]. Also, it is arguably better to watch 256 "random" addresses than 256 in a row, so watching a bunch of small blocks is actually better than grabbing a big contiguous block.

A couple of other points here. ARP does not actually create any extra traffic on the interface that is being watched. In this example, the ARP goes from eth0 to the upstream router. You are packet sniffing tap0. Thus tap0 will show absolutely zero outbound traffic (it cannot because there is no "client" application talking to it). Regardless, we are talking about IP here. If you have traffic reaching your interface that it not IP (and ARP is not IP), just why did the router forward it to you anyway.

If you have a lot of nets that need to be routed this way, you can still do it. There is nothing wrong with static routes that go thru 5 systems on the way to the tap device. These can cross local LAN segments and provided there are no firewall rules that disallow it, the effect is the same.

If your purpose is to dedicate resources to this project, then the dedicated network solutions is best. Otherwise, the virtual network solutions that use 'arp' and 'tap' devices gets you 100% of the same traffic to analyze.

My "best" choice if you want to watch a "lot" of addresses would be to run something like LaBrea that responds to "un ARPed" packets. This could be mangled to automatically setup the interface to forward unused addresses within the current block to a tap device. I have not tried this, but it would be fun and not too hard to implement.

AKA Network Telescopes

[BSDevil]

These things have been around for awhile, but known as Network Telescopes. The largest (AFAIK) is at UCSD, which is just a tad larger than a /32 (like, say, a /8). They collected some interesting data off the thing during all the Blaster rampages (Google cache of HTML'ed PDF here).

Also, see the NANOG guide to setting them up here, and the home for the CAIDA/UCSD telescope here.

So in short, nice job to the Welsh for implementing it, but there's bigger elsewhere for y'all to play with.

Hey loser...I've got a /8 block

Well, yes it's 10.0.0.0
but I control it...and that's what's important.
Ok, well...yes, I only control it on my side of the router...
sniff...nevermind

Re:ARIN

[digitalsushi]

ARIN doesnt care what you do with anything smaller than a /29. 16 IP blocks and larger you do, though. Hell there's colo servers you can rent that'll give you a /24! What a waste, that is. But they'll allow for the excuse that someone has a crap web server that can't do name based hosting. Like ugh ... what was that. Cold Fusion! as recently as 2002 needed one IP per website.

And of course, if you don't document who's using what, they don't do anything about it anyways. God help you if you want more IPs, though.

IPv6

[sploxx]

Wouldn't this be impossible to create with IPv6? Because of the *huge* address space and the negligible probability of a packet entering a darknet?
This is in no way an argument against IPv6, I'm eagerly awaiting it - I'm just curious...

Re:IPv6

[glwtta]

I am guessing that the kind of "naughty" traffic this is designed to mintor will also be made obsolete by IPv6's massive address space.

Seems the purpose is to monitor IP scanning activity - something wholly impractical with IPv6.

Santa has an address

[brunes69]

Santa Claus
North Pole, Canada
H0H 0H0

If you write Santa at this address, he will write back. Not 100% sure USPS will send it over the border, but if they do, it'll work.

( Canada Post sends out replies to children each year; I think employees at the post office volunteer and take the time to hand-craft a personal reply to each and every letter, though they may be auto-generated nowadays, i am not certain ).

Re:Santa has an address

Yeah, great. Now everyone will write!

"OMG! They slashdotted Santa!"
"Those bastards!"

Re:So hows this work now?

[Flower]

My question is what do you do to naughty network traffic? Do you scold it, give it a time out or do you tie it up and make it your slave?

Re:ARIN

[pyrrhonist]

one word: SSL sites

$ echo "SSL sites" | wc -w
2

WTF?

Actually, we have had these for about that long...

[Lux]

Down at SDSC they have a little less than 1% of ALL of the routable IP space dedicated to doing this stuff. They call it a network telescope, and use it to study DOS activity and stuff.

http://www.caida.org/analysis/security/telescope /

"Inferring Internet Denial-of-Service Activity" [2001] is good reading.

Darknet, invite naughty traffic on your net today!

[pgnas]

I completely agree, after spending countless hours sifting through log files, tweaking triggers to help reduce the amount of false positives, the IDS is not the complete answer.

An IDS is only so efficient, you need to first really understand your network before deploying, and even after deployment, this is only the beginning.

We have been using Darknets, or honeypots for sometime, an excellent combination of tools, see Snort, ACID (Analysis Console for Intrusion Databases

As said before and in the article, this is a sophisticated set of tools and you need to understand your network, or you will find yourself chasing ghosts, Enter the Darknet (Honeypot).

Combined with the other tools, we have been using Honeyd , an excellent honeypot, simple to get up an going and very configurable.

Snort.org has an excellent howto documentation to get the IDS up an going, then you can add the honeypot.

It can be downright humorous how quickly you will begin to capture useful information. In addition, adding scripts to interact with the traffic will allow you to keep the user busy while you are collecting data, or Tarpitting the traffic making the port "sticky" dragging the connections, another good one would be LeBrea.

If you have any interest in network security, or simply want to monitor your home network, you need to take a look at darknet, or any of the other tools mentioned.

Re:So hows this work now?

[hearingaid]

ipf or ipfw, on a BSD system.

The equivalents in Linux would be ipchains and iptables, I do believe. (My firewall's FreeBSD, never touched any Linux firewall rules.)

These tools allow you to log raw packets. Handy.

And then what?

[cyclist1200]

Slap it on the nose with a newspaper and say, "Bad! Bad packet!"?