Slashdot Mirror


Build A Darknet To Capture Naughty Traffic

DM_NeoFLeX writes "Have some routable Address Space lying around? You might want to build a DarkNet. The folks over at Team Cymru have outlined instructions for creating one with FreeBSD and as little as /32 routable space. From the article: 'A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.' Darknets can provide useful information for tracking the flow of naughty network traffic."

36 of 266 comments

  1. Luke by ralf1 · · Score: 5, Funny

    Embrace the power of the darknet.

    --
    "Would you, could you, with a goat?" Dr Seuss
    1. Re:Luke by wo1verin3 · · Score: 5, Funny

      a collection of networks and other technologies that enable people to share files with little or no fear of detection?

      Naw... that's called the Internet.

      (I didn't say they shouldn't be afraid, but don't seem to be)

    2. Re:Luke by SIGALRM · · Score: 5, Informative

      Naw... that's called the Internet.

      The term "Darknet" is cited in this sense frequently. It was first used by Patrick Ross in Nov. 2002

      Thanks, though.

      --
      Sigs cause cancer.
  2. Build a DorkNet by mcgroarty · · Score: 5, Funny
    CmdrTaco has built a DorkNet to capture naughty traffic.

    The comments that follow are time-stamped proof of what you were all doing during working hours...

  3. Already been done... by TWX · · Score: 5, Funny

    I thought that California had the market cornered on this during the energy crisis...

    --
    Do not look into laser with remaining eye.
  4. Darknets = P2P by Anonymous Coward · · Score: 5, Informative

    darknet n. The collection of networks and other technologies that enable people to illegally share copyrighted digital files with little or no fear of detection.
    http://www.wordspy.com/words/darknet.asp

  5. Nothing really new here... by Autonin · · Score: 5, Informative

    The Juniper (NetScreen/OneSecure) IDP has done a similar thing for years now.

    You can assign it any IP and port combination, and it will ACK for any SYN's sent to it, whether there's a real server running on that IP or not. Such 'unsolicited' connections are a bad-traffic giveaway.

    --
    -AutoNiN
  6. Really . . . by OverlordQ · · Score: 4, Insightful

    These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.

    That's like the mailman trying to deliver letters to Santa Claus, or somebody addressing a letter wrong, thank god I know all those letters are Aberrant now.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Really . . . by LostCluster · · Score: 5, Interesting

      The USPS is well aware of that concept. That's why they have Mail Recovery Centers (commonly called a Dead Letter Office), to which anything that has an invalid delivery address and either a missing or invalid return address goes.

      These centers are the only part of the postal system allowed to open letters intentionally... as the privacy concern goes out the window in one last ditch attempt to try to figure out where it should be going. Any property that ends up there and has no address indications inside ends up going up for auction. Some charities take the letters addressed to Santa to find ones that indicate particularly needy families and grant wishes.

      Snail mail just can't drop packets on the floor as easily...

    2. Re:Really . . . by Effugas · · Score: 4, Insightful

      Snail mail just can't drop packets on the floor as easily...

      Quite the contrary; it's far easier to drop a letter on the floor. A letter has mass. ;-)

  7. Very Interesting by DeltaSigma · · Score: 4, Interesting

    It's like a honeypot, except designed to catch worms, rather than live hacking attempts. Hell this could be extended with fake entries in a corporate address book to monitor worms that spread via e-mail communication.

    I like the idea, and wish I had the corporate status to consider an implementation at my company.

    1. Re:Very Interesting by Zocalo · · Score: 5, Interesting
      I like the idea, and wish I had the corporate status to consider an implementation at my company.

      You don't need to be a big company to do this, just a little savvy and a DSL line. I've been doing something like this for a while with my DSL router's firewall, which has a feature to copy any traffic matched by a rule to the LAN with the target set to an arbitrary MAC address. I have it set up so that any traffic targeted at my unused IPs gets directed to a bogus MAC on the LAN where it gets directed by my switch to be captured by an old laptop. With the flick of a few config files, I can get a honeypot running too, so I can get a little more than the initial "SYN" of TCP sessions.

      You get some fascinating stuff. My IP space is a few class B's away from some allocated to S. Korea, and a few months ago I saw someone testing a worm exploiting MS-DS in real time. The scriptkiddie had obviously made a typo, because instead of port 445 the traffic was hitting 455, but the traffic was clearly trying to use a known buffer overflow and was coming from a dozen or so IPs all within a single ISP.

      Unfortunately, the email I sent to the ISP's NOC listing the source IPs didn't get acted on in time. After about an hour the guy must have corrected the error and the traffic switched to port 445 and the number of source IPs started to grow... I never did find out precisely which one of the many, many, MS-DS exploits circulating at the time this one was though. :(

      --
      UNIX? They're not even circumcised! Savages!
  8. I want one! by BoxOfCuriosity · · Score: 4, Funny

    I want an IP in the darknet!

    I can hear the cry of the children everywhere!

    Oh yeah! And what's an IP?

    The Box is Open

  9. But then by trialsboy · · Score: 5, Insightful

    Ok, it's a really good idea, but catching the naughty traffic isn't the hard part, what does it do with the naughty traffic it gets, just make a pretty graph?

    --

    "Pushing little children, with their fully automatics, they like to push the weak around"
  10. Analyzing the Witty worm with a massive darknet by G4from128k · · Score: 4, Informative

    The analysis of the Witty worm (discussed on /. here) used a massive darknet subtending 1/256 of the entire IPv4 address space. This gave them an excellent sample size for analyzing the behavior of the worm.

    --
    Two wrongs don't make a right, but three lefts do.
  11. HoneyPot? by molo · · Score: 4, Insightful

    Sounds like a standard HoneyPot, except the only machine on the network segment is a packet sniffer, so the address doesn't have any real destinations. Not a big deal. I'm sure the honeynet people have done similar.

    -molo

    --
    Using your sig line to advertise for friends is lame.
    1. Re:HoneyPot? by j3ll0 · · Score: 5, Interesting


      Yeah, agreed, but.....

      I think motivation is important here. Honeypots by their nature are designed to entice black hats into attacking them...so that the owner of the honeypot can analyse what the latest and greatest black hats are going to look for, exploit etc

      A darknet setup is passive in that it logs aberrant traffic. It tells you when something out there is actively scanning large gobs of your address space.

      Ever played with Snort\ACID and a ruleset from somewhere like Whitehats on a live user subnet? You get so many false positives that you start to pare down your ruleset. You keep doing this until you start to question the validity of the IDS in the first place.

      I think this idea has some real utility....even if it is just to create another dataset to throw at MRTG !! :)

  12. Re:So hows this work now? by Richard_L_James · · Score: 5, Funny
    How do you track so called "naughty network traffic" when it goes to an IP with no services or servers?

    Easy by monitoring for traffic with the evil bit set which will either be originating from hell or going there :)

  13. Re:Very cool! by 0racle · · Score: 4, Informative

    A sniffer will sniff all traffic on the wire for malicious activity, whereas with this, since there is no reason for any traffic to be directed at these addresses or routed to that subnet, you know immediately something is up.

    If it seems like you've heard it before, you probably have, it's similar if not the same thing to a honeypot/net.

    --
    "I use a Mac because I'm just better than you are."
  14. aka blackhole networks by Anonymous Coward · · Score: 5, Informative

    Using dark ip space, bogon space and so on for blackhole network monitoring has been in use for a while to help detect DDoS's and even network worms. Jose Nazario has written quite thoroughly and extensively about their usage in his book, Defense and Detection Strategies against Internet Worms. Check it out if this interests you.

  15. Darknet used as filter. by jelwell · · Score: 5, Insightful

    An interesting use of a darknet would be to shield a real server from unwanted attacks. Have the darknet relate any internet IPs that contact the darknet to your real server to ignore.

    As an example, set up a darknet on the following IPs:
    DARK_A : 204.210.34.1
    DARK_B : 204.210.34.3

    Set up the real server mathematically between the two darknet IP addresses:
    REAL : 204.210.34.2

    Now have DARK_A & DARK_B contact REAL whenever DARK_A or DARK_B receive any packets. REAL can be set up to, on the fly, filter out any packets received from the same source as the DARK servers reported.

    In a sense you're creating a realtime blacklist. You can set the list on a timed delay to expire. Or even filter out specific packet signatures instead of entire suspect IP addresses.

    just a thought...
    Joseph Elwell

    1. Re:Darknet used as filter. by digitalsushi · · Score: 4, Interesting

      WHOA there cowboy. Some of us out here enjoy an occasional ice cold beer or two or three, and I think I'm not alone in saying that we don't always hit the target. Don't discriminate against drunken surfers! If all the requests are for port 80, say, best be you lettin' us in anyways, boy.

      --
      slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
    2. Re:Darknet used as filter. by jrl · · Score: 5, Informative

      Be sure to whitelist certain "key" addresses. This is the same problem you'll run into with "active" IDS/IPS.

      To paraphrase a smart person (can't remember who), when you let the bad guys write your firewall rulesets for you, bad things could happen.

      When you actively block things based on perceived bad traffic, you are in essence allowing the bad person to write some rules for you.

      Imagine if your attacker knew your default route and sent some spoofed packets to .1 and .3, thus killing all traffic from .2 to the net. etc, etc, etc.

      Best of luck.

    3. Re:Darknet used as filter. by kiolbasa · · Score: 5, Informative

      A good idea, similar to how spam-trap addresses can be used to build spammer blacklists. However, you would have to do something to keep packets with forged return addresses from spoiling your blacklist. This might mean completing TCP connection setup, etc., to verify the source. Your darknet wouldn't be passive and totally silent, which is what the article seems to imply in its definition of a "darknet." Of course, other analysis of the packets could weed out false positives.

      --

      Beer wants to be free
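A sketch of the real-time blacklist proposed in this thread with the safeguards the replies ask for: allowlisted key addresses, no action on sources that could be forged, and timed expiry. This is an added example, not code from any poster; the class, its thresholds and the `handshake_completed` flag reported by a sensor are assumptions.

```python
import ipaddress

class DarknetBlocklist:
    """Temporary blocklist fed by darknet sensors (hypothetical design)."""

    def __init__(self, allowlist, ttl=900.0, min_hits=2, window=60.0):
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.ttl, self.min_hits, self.window = ttl, min_hits, window
        self.hits = {}    # source -> times of recent verified hits
        self.expiry = {}  # source -> time at which its block lapses

    def report(self, src, now, handshake_completed):
        """Record one sensor report and return what was done with it."""
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in self.allow):
            return "allowlisted"   # key addresses are never blocked
        if not handshake_completed:
            return "unverified"    # source may be forged: log it, do not act
        recent = [t for t in self.hits.get(ip, []) if now - t <= self.window]
        recent.append(now)
        self.hits[ip] = recent
        if len(recent) >= self.min_hits:
            self.expiry[ip] = now + self.ttl
            return "blocked"
        return "counted"

    def is_blocked(self, src, now):
        ip = ipaddress.ip_address(src)
        until = self.expiry.get(ip)
        if until is None:
            return False
        if now >= until:           # timed expiry: forget the source entirely
            del self.expiry[ip]
            self.hits.pop(ip, None)
            return False
        return True

# Constructed reports (time, source, handshake completed?) using documentation
# address ranges; 192.0.2.1 stands in for the real server's default gateway.
EVENTS = [
    (0.0, "192.0.2.1", False),
    (1.0, "198.51.100.7", False),
    (2.0, "198.51.100.7", True),
    (10.0, "198.51.100.7", True),
]

def replay(blocklist, events):
    return [blocklist.report(src, t, ok) for t, src, ok in events]

if __name__ == "__main__":
    bl = DarknetBlocklist(allowlist=["192.0.2.1/32"])
    print(replay(bl, EVENTS))
    print(bl.is_blocked("198.51.100.7", 11.0), bl.is_blocked("198.51.100.7", 910.0))
```
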
    4. Re:Darknet used as filter. by mhesseltine · · Score: 4, Funny
      Tht would b ton of funn wihen Ipv^.

      I see you've played this game before.

      --
      Overrated / Underrated : Moderation :: Anonymous Coward : Posting
  16. Darknet not needed by lukewarmfusion · · Score: 4, Insightful

    I have a whole list of bookmarks for my naughty traffic.

    Seriously, though... I have a spare wireless router set up at work that's easily hacked, easily found, and logs every damn thing that touches it. Our real wireless network is obscured, encrypted, mac filtered, etc. I realize it's not technically the same thing as the post describes (I guess you'd call it a honeypot network or something) but it's the same idea.

    Of course, nobody will care if a hacker makes his way into our network (honeypot or not) unless he does some "damage."

  17. Re:ARIN by Autonin · · Score: 5, Informative

    Why not? The 'DarkNet' concept uses *already allocated* IP space that just happens to not be actually used at present. ARIN has nothing to do with this - they've already given out the addresses to registered holders.

    I'm Mr. Huge ISP, with gobs of class B's and class C's already allocated to me, the routes for these subnets already advertised on the backbone as coming to me, I might as well do something with the space until I can put some servers there later.

    Fire up a Juniper IDP and configure it for those unused networks. Then when bad guys come a'callin', you'll be able to log or block as you like.

    --
    -AutoNiN
  18. I don't get the complexity by DDumitru · · Score: 4, Informative

    The idea here is to catch traffic to otherwise unused network addresses. This does not require any of the stuff that seems to be implied here.

    For example, say you have a Linux system in a colo somewhere (or on the end of a T-1 or some other >1 IP address static network). You have some IP addresses assigned to you that are otherwise not assigned. Here is how you can get all of the darknet functionality with your standard server.

    Some example numbers (none of which are real)

    Unused address to watch: 10.11.12.13
    Interface on which you receive traffic: eth0
    A fake interface to route to: tap0

    Configure your server to ARP the extra addresses:

    arp -Ds 10.11.12.13 eth0 -i eth0 pub

    Set up a "tap" device to route the traffic to

    tunctl -u nobody -t tap0
    ifconfig tap0 10.11.12.13 netmask 255.255.255.0 broadcast 10.11.12.255 up

    Set up a "route" to the device

    ip route add 10.11.12.13 dev tap0

    At this point the traffic should all route to the fake device tap0. You can run tcpdump on this, set up IP filter chains, run MRTG on it directly, etc. All without any extra hardware.

    For those that work with UML (User Mode Linux), you already recognize this is exactly how you set up virtual UML networks.

    This is also somewhat related to "tar pits" that just answer connect requests to addresses that have un-completed ARP requests.

    Have fun.
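One way to turn a capture from the dark interface into something reviewable: count distinct sources per destination port and list sources that touched more than one dark address. This is an added example, not part of the original comment; it assumes text output in the style of `tcpdump -nn -tt -i tap0`, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: traffic to dark addresses 10.11.12.13 and 10.11.12.14
# from documentation-range sources, plus one tcpdump banner line.
SAMPLE = """\
1100000000.10 IP 198.51.100.7.40112 > 10.11.12.13.455: Flags [S], seq 1, win 65535, length 0
1100000001.20 IP 198.51.100.8.40113 > 10.11.12.13.455: Flags [S], seq 2, win 65535, length 0
1100003600.30 IP 198.51.100.7.40250 > 10.11.12.13.445: Flags [S], seq 3, win 65535, length 0
1100003601.40 IP 198.51.100.7.40251 > 10.11.12.14.445: Flags [S], seq 4, win 65535, length 0
1100003602.50 IP 203.0.113.9.4000 > 10.11.12.13.1434: UDP, length 376
1100003603.60 IP 192.0.2.5 > 10.11.12.14: ICMP echo request, id 1, seq 1, length 64
tcpdump: listening on tap0, link-type EN10MB (Ethernet)
"""

LINE = re.compile(r"^(\d+\.\d+) IP (\S+) > (\S+): (.*)$")

def split_endpoint(ep):
    """'a.b.c.d.port' -> (ip, port); a bare 'a.b.c.d' (ICMP) -> (ip, None)."""
    parts = ep.split(".")
    if len(parts) == 5 and parts[4].isdigit():
        return ".".join(parts[:4]), int(parts[4])
    return ep, None

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # banner lines, non-IPv4 frames, truncated output
    ts, src, dst, rest = m.groups()
    words = rest.split()
    if rest.startswith("Flags"):
        proto = "tcp"
    else:
        proto = words[0].rstrip(",").lower() if words else "other"
    sip, _ = split_endpoint(src)
    dip, dport = split_endpoint(dst)
    return {"ts": float(ts), "src": sip, "dst": dip, "proto": proto, "dport": dport}

def summarize(lines):
    by_port = defaultdict(set)  # (proto, dport) -> distinct sources
    by_src = defaultdict(set)   # source -> dark addresses it touched
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        by_port[(pkt["proto"], pkt["dport"])].add(pkt["src"])
        by_src[pkt["src"]].add(pkt["dst"])
    ranked = sorted(by_port.items(),
                    key=lambda kv: (-len(kv[1]), kv[0][0], kv[0][1] or 0))
    sweepers = sorted(s for s, dsts in by_src.items() if len(dsts) > 1)
    return [(key, len(srcs)) for key, srcs in ranked], sweepers

if __name__ == "__main__":
    ports, sweepers = summarize(SAMPLE.splitlines())
    for (proto, dport), n in ports:
        print(f"{proto}/{dport}: {n} distinct source(s)")
    print("sources touching more than one dark address:", sweepers)
```
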

  19. AKA Network Telescopes by BSDevil · · Score: 5, Informative

    These things have been around for awhile, but known as Network Telescopes. The largest (AFAIK) is at UCSD, which is just a tad larger than a /32 (like, say, a /8). They collected some interesting data off the thing during all the Blaster rampages (Google cache of HTML'ed PDF here).

    Also, see the NANOG guide to setting them up here, and the home for the CAIDA/UCSD telescope here.

    So in short, nice job to the Welsh for implementing it, but there's bigger elsewhere for y'all to play with.

    --
    Cue The Sun...
  20. Re:ARIN by digitalsushi · · Score: 4, Informative

    ARIN doesn't care what you do with anything smaller than a /29. 16 IP blocks and larger you do, though. Hell there's colo servers you can rent that'll give you a /24! What a waste, that is. But they'll allow for the excuse that someone has a crap web server that can't do name based hosting. Like ugh ... what was that. Cold Fusion! as recently as 2002 needed one IP per website.

    And of course, if you don't document who's using what, they don't do anything about it anyways. God help you if you want more IPs, though.

    --
    slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
  21. IPv6 by sploxx · · Score: 4, Interesting

    Wouldn't this be impossible to create with IPv6? Because of the *huge* address space and the negligible probability of a packet entering a darknet?
    This is in no way an argument against IPv6, I'm eagerly awaiting it - I'm just curious...

  22. Re:Santa has an address by Anonymous Coward · · Score: 4, Funny
    Yeah, great. Now everyone will write!

    "OMG! They slashdotted Santa!"
    "Those bastards!"

  23. Re:So hows this work now? by Flower · · Score: 4, Funny

    My question is what do you do to naughty network traffic? Do you scold it, give it a time out or do you tie it up and make it your slave?

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  24. Re:ARIN by pyrrhonist · · Score: 4, Funny
    one word: SSL sites
    $ echo "SSL sites" | wc -w
    2
    WTF?
    --
    Show me on the doll where his noodly appendage touched you.
  25. Actually, we have had these for about that long... by Lux · · Score: 4, Informative


    Down at SDSC they have a little less than 1% of ALL of the routable IP space dedicated to doing this stuff. They call it a network telescope, and use it to study DOS activity and stuff.

    http://www.caida.org/analysis/security/telescope/

    "Inferring Internet Denial-of-Service Activity" [2001] is good reading.

  26. Darknet, invite naughty traffic on your net today! by pgnas · · Score: 5, Informative

    I completely agree, after spending countless hours sifting through log files, tweaking triggers to help reduce the amount of false positives, the IDS is not the complete answer.

    An IDS is only so efficient, you need to first really understand your network before deploying, and even after deployment, this is only the beginning.

    We have been using Darknets, or honeypots, for some time, an excellent combination of tools, see Snort, ACID (Analysis Console for Intrusion Databases).

    As said before and in the article, this is a sophisticated set of tools and you need to understand your network, or you will find yourself chasing ghosts, Enter the Darknet (Honeypot).

    Combined with the other tools, we have been using Honeyd, an excellent honeypot, simple to get up and going and very configurable.

    Snort.org has an excellent howto documentation to get the IDS up and going, then you can add the honeypot.

    It can be downright humorous how quickly you will begin to capture useful information. In addition, adding scripts to interact with the traffic will allow you to keep the user busy while you are collecting data, or Tarpitting the traffic making the port "sticky" dragging the connections, another good one would be LaBrea.

    If you have any interest in network security, or simply want to monitor your home network, you need to take a look at darknet, or any of the other tools mentioned.