Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security The Internet

Build A Darknet To Capture Naughty Traffic 266

Posted by timothy from the then-bend-it-to-your-evil-will dept.
DM_NeoFLeX writes "Have some routable Address Space lying around? You might want to build a DarkNet. The folks over at Team Cymru have outlined instructions for creating one with FreeBSD and as little as /32 routable space. From the article: 'A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.' Darknets can provide useful information for tracking the flow of naughty network traffic."
This discussion has been archived. No new comments can be posted.

Build A Darknet To Capture Naughty Traffic More

Build A Darknet To Capture Naughty Traffic

Comments Filter:

  • Luke (Score:5, Funny)

    by ralf1 ( 718128 ) on Monday June 07, 2004 @07:25PM (#9361125)
    Embrace the power of the darknet.

    • Re:Luke (Score:3, Interesting)

      by SIGALRM ( 784769 )
      Darknets have multiple uses. These can be used to host flow collectors, backscatter detectors, packet sniffers, and IDS boxes.

      Doesn't the term "Darknet" also refer to a collection of networks and other technologies that enable people to share files with little or no fear of detection?

    • Re:Luke (Score:2, Funny)

      by anakin357 ( 69114 )
      Somehow all this Darknet business reminds me of <a href="http://www.zombo.com>Zombo.com</a>

  • Build a DorkNet (Score:5, Funny)

    by mcgroarty ( 633843 ) <brian@mcgroarty.gmail@com> on Monday June 07, 2004 @07:25PM (#9361127) Homepage
    CmdrTaco has built a DorkNet to capture naughty traffic.

    The comments that follow are time-stamped proof of what you were all doing during working hours...

  • Already been done... (Score:5, Funny)

    by TWX ( 665546 ) on Monday June 07, 2004 @07:25PM (#9361131)
    I thought that California had the market cornered on this during the energy crisis...

  • Darknets = P2P (Score:5, Informative)

    by Anonymous Coward on Monday June 07, 2004 @07:26PM (#9361136)
    darknet n. The collection of networks and other technologies that enable people to illegally share copyrighted digital files with little or no fear of detection.
    http://www.wordspy.com/words/darknet.a sp

    • Re:Darknets = P2P (Score:3, Insightful)

      by drinkypoo ( 153816 )
      I've never heard this term and I've been using p2p as long as anybody. A few industry pundits using it doesn't make it a real live term. Frankly I think that both of these uses of the "word" are lame, but calling p2p the darknet is a lot more lame than using the term to refer to a network intended to have no legitimate traffic.

      With all that said, honeynet would seem be a more sensible term for a network like this. It's even sticky, which means people will be getting caught in it more readily, which is pre

      • Re:Darknets = P2P (Score:4, Insightful)

        by Lehk228 ( 705449 ) on Monday June 07, 2004 @08:50PM (#9361614) Journal
        actually a darknet would be a peer to peer group where the users know most if not all other members, such as a Dormitory floor setting up FTP servers and giving accounts to everyone on the floor (not that i have any involvement in that sort of activity)

        You sound like my roommate, anything He hasn't heard of isn't legitimate or good enough, which is funny since he won't even accept as valid terms that are listed in the Jargon File)

        • Re:Darknets = P2P (Score:3, Interesting)

          by drinkypoo ( 153816 )
          It's well known that I am a nitpicker, but if a darknet is supposed to apply to P2P, then FTP doesn't count because it's client-server :) The whole idea of such a term is absurd. We already have a name for peer to peer, it's P2P. A private P2P network is just that, private P2P. A private FTP is also simply a private FTP. Why make this harder than it has to be?

          My not having heard of it doesn't make it "not good enough", there are plenty of more logical reasons for that. My not having heard of it is enough

          • Re:Darknets = P2P (Score:4, Funny)

            by 0x0d0a ( 568518 ) on Monday June 07, 2004 @09:53PM (#9361943) Journal
            Like, by wanker pundits who desperately want to be the ones to coin a new phrase.

            Nicely put, though it applies to half of the tech journalist types out there.

          • Re:Darknets = P2P (Score:4, Interesting)

            by Geek of Tech ( 678002 ) on Monday June 07, 2004 @10:22PM (#9362093) Homepage Journal
            Let's read this little snippet of the article....

            [snippet]

            A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are "dark" because there is, seemingly, nothing within these networks.

            A Darknet does in fact include at least one server, designed as a packet vacuum. This server gathers the packets and flows that enter the Darknet, useful for real-time analysis or post-event network forensics.

            Any packet that enters a Darknet is by its presence aberrant. No legitimate packets should be sent to a Darknet. Such packets may have arrived by mistake or misconfiguration, but the majority of such packets are sent by malware. This malware, actively scanning for vulnerable devices, will send packets into the Darknet, and this is exactly what we want.

            [/snippet]

            Think this kind of scenario...

            A computer gets some form of malware on it that scans random addresses in its attempt to find vulnerable hosts. I'm going to use the name Blaster for this fictional bug...

            Now lets assume that the IP for your darknet box is aaa.bbb.ccc.ddd. If the bug randomly chooses your box (which isn't entirely unlikely) to scan, you will instantly know something is up. We're not talking "Oh no the evil **AA is after us!" (where ** is any two letters). We're talking more "Hmmm... Someone is trying to send data to an address that as far as anyone knows doesn't have any device on it." It's safe to consider a box compromised if they try to send data to an address that isn't used.

          • You know that FTP isn't really client-server, right?

            Or at least, it's only really client-server in passive mode. The rest of the time, it's two servers talking to each other in the dumbest, most broken way imaginable.

            (And if you have no idea what I'm talking about, examine the mechanics of the PORT command. And understand why firewall designers the world over just wish everybody would switch to WebDAV over HTTPS, or sftp, or some other equivalent, so we could pretend FTP never existed.)

      • Re:Darknets = P2P (Score:3, Informative)

        by analog_line ( 465182 )
        "Honeypots" are usually called such because they're set up to look like an easy mark for a hacker. Fake services, wide open holes, etc, and all the while logging every blessed thing that happens on the machine.

        "Darknets" at least as described here, are not set up to be juicy targets. Technically they shouldn't be targets in the least. They are to all appearances dead IP addresses, hence calling them "dark." This method doesn't catch the perpetrator in the act. Most of what it does is watch for IPs tha

  • So hows this work now? (Score:3, Interesting)

    by Kenja ( 541830 ) on Monday June 07, 2004 @07:28PM (#9361145)
    How do you track so called "naughty network traffic" when it goes to an IP with no services or servers? I guess you could do this with somthing along the lines of a "border" firewall (rather then a NAT system). But few of us have such a setup.

  • Use this for... (Score:3, Informative)

    by chrispyman ( 710460 ) on Monday June 07, 2004 @07:28PM (#9361149)
    It would seem like a good idea to use the info collected by the Darknet to perhaps automatically blacklist those offending IP addresses or perhaps to automatically complain to the offending ISP.

  • Nothing really new here... (Score:5, Informative)

    by Autonin ( 322765 ) on Monday June 07, 2004 @07:29PM (#9361157)
    The Juniper (NetScreen/OneSecure) IDP has done a similar thing for years now.

    You can assign it any IP and port combination, and it will ACK for any SYN's sent to it, whether there's a real server running on that IP or not. Such 'unsolicited' connections are a bad-traffic giveaway.
    • I was going to mention the Netscreen IDP but you beat me to the punch. I had an IDP that protected 141.106.0.0/16. I had the Honeypot feature enabled so that if you scanned certain addresses, the IDP would blacklist your source address for 30 minutes. It worked *very* well for shunning lazy portscanning kiddies.

      The IDP is a very impressive piece of technology. A very good complement to a Layer 3 firewall.

      -Scott

  • Really . . . (Score:5, Insightful)

    by OverlordQ ( 264228 ) * on Monday June 07, 2004 @07:29PM (#9361161) Journal
    These are 'dark' because there is, seemingly, nothing within these networks. Any packet that enters a Darknet is by its presence Aberrant.

    That's like the mailman trying to deliver letters to Santa Claus, or somebody addressing a letter wrong, thank good I know all those letters are Abberant now.

    • Re:Really . . . (Score:3, Informative)

      by techno-vampire ( 666512 )
      Abberant doesn't have to mean malicious. It just means that they're someplace they don't belong. If you misaddress a letter, or misdial a phone number, the result is abberant because you end up somewhere you don't belong.

    • Re:Really . . . (Score:5, Interesting)

      by LostCluster ( 625375 ) * on Monday June 07, 2004 @07:46PM (#9361269)
      The USPS is well aware of that concept. That's why they have a Mail Recovery Centers (commonly called a Dead Letter Office) to which anything that has an invalid delivery address, and either a missing or invalid return address goes to.

      These centers are the only part of the postal system allowed to open letters intentionally... as the privacy concern goes out the window in one last ditch attempt to try to figure out where it should be going. Any property that ends up there and has no address indications inside ends up going up for auction. Some charities take the letters addressed to Santa to find ones that indicate particularly needy families and grant wishes.

      Snail mail just can't drop packets on the floor as easily...

      • Re:Really . . . (Score:4, Insightful)

        by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Monday June 07, 2004 @07:51PM (#9361294) Homepage Journal
        Snail mail can easily have dropped packets - you (or your mail carrier) can miss the mailbox.

        Not only that, but I'm betting a dramatically higher percentage of snailmail packets are misdelivered than IP packets. I am constantly getting mail for my neighbors in unit A in my mailbox, unit B. One wonders if it's my mail carrier or the mail sorters. It's not that they're getting the mailboxes confused, because I get my mail in there at the same time, it's an issue with sorting.

      • Re:Really . . . (Score:5, Insightful)

        by Effugas ( 2378 ) on Monday June 07, 2004 @08:01PM (#9361366) Homepage
        Snail mail just can't drop packets on the floor as easily...

        Quite the contrary; it's far easier to drop a letter on the floor. A letter has mass. ;-)

    • Santa has an address (Score:4, Informative)

      by brunes69 ( 86786 ) <`gro.daetsriek' `ta' `todhsals'> on Monday June 07, 2004 @08:30PM (#9361503)
      Santa Claus
      North Pole, Canada
      H0H 0H0

      If you write Santa at this address, he will write back. Not 100% sure USPS will send it over the border, but if they do, it'll work.

      ( Canada Post sends out replies to children each year; I think employees at the post office volunteer and take the time to hand-craft a personal reply to each and every letter, though they may be auto-generated nowadays, i am not certain ).

  • Come to the Darknet, little cracker; you know you want to.

  • Very Interesting (Score:4, Interesting)

    by DeltaSigma ( 583342 ) on Monday June 07, 2004 @07:31PM (#9361173) Journal
    It's like a honeypot, except designed to catch worms, rather than live hacking attempts. Hell this could be extended with fake entries in a corporate address book to monitor worms that spread via e-mail communication.

    I like the idea, and wish I had the corporate status to consider an implementation at my company.

    • Re:Very Interesting (Score:2, Redundant)

      by 0racle ( 667029 )
      You can set a honeypot like honeyd to essencially passivly capture all traffic to a subnet, which would log all worms as well. So a darknet is a lot like a honeynet, except you can't do as much with it.
    • Hell this could be extended with fake entries in a corporate address book to monitor worms that spread via e-mail communication.

      Going by the junk mail I receive in my domain site, you don't even need a valid E-mail address. The spammers just create a @yourdomain.com address and take their chances with a catch all E-mail address.

    • Re:Very Interesting (Score:5, Interesting)

      by Zocalo ( 252965 ) on Monday June 07, 2004 @08:22PM (#9361463) Homepage
      I like the idea, and wish I had the corporate status to consider an implementation at my company.

      You don't need to be a big company to do this, just a little savvy and a DSL line. I've been doing like this for a while with my DSL router's firewall which has a feature to copy any traffic matched by a rule to the LAN with the target set to an arbitrary MAC address. I have it setup so that any traffic targetted at my unused IPs gets directed to a bogus MAC on the LAN where it gets directed by my switch to be captured by an old laptop. With the flick of a few config files, I can get a honeypot running too, so I can get a little more than the initial "SYN" of TCP sessions.

      You get some fascinating stuff. My IP space is a few class B's away from some allocated to S. Korea, and a few months ago I saw someone testing a worm exploiting MS-DS in real time. The scriptkiddie had obviously made a typo, because instead of port 445 the traffic was hitting 455, but the traffic was clearly trying to cause use a known buffer overflow and was coming from a dozen or so IPs all within a single ISP.

      Unfortunately, the email I sent to the ISP's NOC listing the source IPs didn't get acted on in time. After about an hour the guy must have corrected the error and the traffic switched to port 445 and the number of source IPs started to grow... I never did find out precisely which one of the many, many, MS-DS exploits circulating at the time this one was though. :(

    • I have also never thought of this and have never set up a honeypot. I deal considerably with virus patching and do have the corporate status to consider this. Does anyone know of a good, free, Windows based solution? (I am well aware that this is a linux heavy board but the management is always more comfortable when I bring Windows solutions to the table in a Windows shop.)

  • I want one! (Score:4, Funny)

    by BoxOfCuriosity ( 766117 ) * on Monday June 07, 2004 @07:31PM (#9361177)
    I want an IP in the darknet!

    I can hear the cry of the children everywhere!

    Oh yeah! and whats an IP?

    The Box is Open

  • But then (Score:5, Insightful)

    by trialsboy ( 651481 ) on Monday June 07, 2004 @07:32PM (#9361184)
    Ok, it's a really good idea, but catching the naughty traffic isnt the hard part, what does it do witht he naughty traffic it gets, just make a pretty graph?

    • Re:But then (Score:3, Interesting)

      by drinkypoo ( 153816 )
      How about logging it and initiating some security rules with it? It should be simple enough to write a little daemon which will watch for log messages and institute temporary (or not temporary) firewall rules to block traffic from those hosts. The nature of the block (temporary or non) can be contingent on the type of traffic. Illegitimate connections on ports known to be used for undesirable activity would be grounds for a longer block than, say, a connection to port 80 on an IP address adjacent to a legit

  • Analyzing the Witty worm with a massive darknet (Score:5, Informative)

    by G4from128k ( 686170 ) on Monday June 07, 2004 @07:33PM (#9361193)
    The analysis of the Witty worm [caida.org] (discussed on /. here [slashdot.org] ) used a massive darknet subtending 1/256 of the entire IPv4 address space. This gave them an excellent sample size for analyzing the behavior of the worm.

  • ARIN (Score:3, Funny)

    by EdMcMan ( 70171 ) <moo.slashdot2.z.edmcman@xoxy.net> on Monday June 07, 2004 @07:33PM (#9361196) Homepage Journal
    Somehow I doubt ARIN and IANA will like this.

    • Re:ARIN (Score:5, Informative)

      by Autonin ( 322765 ) on Monday June 07, 2004 @07:42PM (#9361250)
      Why not? The 'DarkNet' concept uses *already allocated* IP space that just happens to not be actually used at present. ARIN has nothing to do with this - they've already given out the addresses to registered holders.

      I'm Mr. Huge ISP, with gobs of class B's and class C's already allocated to me, the routes for these subnets already advertised on the backbone as coming to me, I might as well do something with the space until I can put some servers there later.

      Fire up a Juniper IDP and configure it for those unused networks. Then when bad guys come a'callin', you'll be able to log or block as you like.
      • Well, you need to have a certain amount of host usage to be able to ask for more space.

        I'm sure they will not be happy if Mr. Huge ISP run a darknet and then goes back for more ips because they made the darknet too big.

        • The idea is that if you need more IPs, you re-allocate some of those you were using for the Darknet. Only when you are exhausted of IPs (meaning no more Darknet left to pilfer) do you go to IANA and request another block.

    • Re:ARIN (Score:5, Informative)

      by digitalsushi ( 137809 ) * <slashdot@digitalsushi.com> on Monday June 07, 2004 @08:04PM (#9361373) Journal
      ARIN doesnt care what you do with anything smaller than a /29. 16 IP blocks and larger you do, though. Hell there's colo servers you can rent that'll give you a /24! What a waste, that is. But they'll allow for the excuse that someone has a crap web server that can't do name based hosting. Like ugh ... what was that. Cold Fusion! as recently as 2002 needed one IP per website.

      And of course, if you don't document who's using what, they don't do anything about it anyways. God help you if you want more IPs, though.

  • HoneyPot? (Score:5, Insightful)

    by molo ( 94384 ) on Monday June 07, 2004 @07:34PM (#9361202) Journal
    Sounds like a standard HoneyPot, except the only machine on the nextwork segement is a packet sniffer, so the address doesn't have any real destinations.. Not a big deal. I'm sure the honeynet people have done similar.

    -molo

    • Re:HoneyPot? (Score:5, Interesting)

      by j3ll0 ( 777603 ) on Monday June 07, 2004 @07:59PM (#9361352)

      Yeah, agreed, but.....

      I think motivation is important here. Honeypots by their nature are designed to entice black hats into attacking them...so that the owner of the honeypot can analyse what the latest and greatest black hats are going to look for, exploit etc

      A darknet setup is passive in that it logs aberrant traffic. It tells you when something out there is actively scanning large gobs of your address space.

      Ever played with Snort\ACID and a ruleset from somewhere like Whitehats [whitehats.com] on a live user subnet ? You get so many false positives that you start to pare down your ruleset. You keep doing this until you start to question the validity of the IDS in the first place.

      I think this idea has some real utility....even if it is just to create another dataset to throw at MRTG !! :)

  • aka blackhole networks (Score:5, Informative)

    by Anonymous Coward on Monday June 07, 2004 @07:37PM (#9361214)
    Using dark ip space, bogon space and so on for blackhole network monitoring has been in use for a while to help detect DDoS's and even network worms. Jose Nazario has written quite thoroughly and extensively about their usage in his book, Defense and Detection Strategies against Internet Worms. Check it out if this interests you.

  • Darknet used as filter. (Score:5, Insightful)

    by jelwell ( 2152 ) on Monday June 07, 2004 @07:38PM (#9361220)
    An interesting use of a darknet would be to shield a real server from unwanted attacks. Have the darknet relate any internet IPs that contact the darknet to your real server to ignore.

    As an example. Setup a darknet on the following IPs:
    DARK_A : 204.210.34.1
    DARK_B : 204.210.34.3

    Setup the real server mathematically between the two darknet IP addresses:
    REAL : 204.210.34.2

    Now have DARK_A & DARK_B contact REAL whenever DARK_A or DARK_B receive any packets. REAL can be setup to, on the fly, filter out any packets received from the same source as the DARK servers reported.

    In a sense you're creating a realtime blacklist. You can set the list on a timed delay to expire. Or even filter out specific packet signatures instead of entire suspect IP addresses.

    just a thought...
    Joseph Elwell

    • Re:Darknet used as filter. (Score:5, Interesting)

      by digitalsushi ( 137809 ) * <slashdot@digitalsushi.com> on Monday June 07, 2004 @08:09PM (#9361407) Journal
      WHOA there cowboy. Some of us out here enjoy an occasional ice cold beer or two or three, and I think I'm not alone in saying that we don't always hit the target. Don't discriminate against drunken surfers! If all the requests are for port 80, say, best be you lettin' us in anyways, boy.

    • Re:Darknet used as filter. (Score:5, Informative)

      by kiolbasa ( 122675 ) on Monday June 07, 2004 @08:14PM (#9361424) Homepage
      An good idea, similar to how spam-trap addresses can be used to build spammer blacklists. However, you would have to do something to keep packets with forged return addresses from spoiling your blacklist. This might mean completing TCP connection setup, etc., to verify the source. Your darknet wouldn't be passive and totally silent, which is what the article seems to imply in it's definition of a "darknet." Of course, other analysis of the packets could weed out false positives.
    • Very clever. So I send a bunch of packets to DARK_A and DARK_B with forged sender headers so that REAL starts blocking legitimate traffic from the senders I faked.
      Realtime blacklists are lovely tools for denial-of-service attacks. Probably why you don't see more of them out there.

  • Darknet not needed (Score:5, Insightful)

    by lukewarmfusion ( 726141 ) on Monday June 07, 2004 @07:40PM (#9361233) Homepage Journal
    I have a whole list of bookmarks for my naughty traffic.

    Seriously, though... I have a spare wireless router set up at work that's easily hacked, easily found, and logs every damn thing that touches it. Our real wireless network is obscured, encrypted, mac filtered, etc. I realize it's not technically the same thing as the post describes (I guess you'd call it a honeypot network or something) but it's the same idea.

    Of course, nobody will care if a hacker makes his way into our network (honeypot or not) unless he does some "damage."
    • That's not a honeypot. It's not really either a darknet. It does have elements in common with both, though - a decoy network?

      A honeypot is a server that appears to be riddled with security holes. What you have isn't a server, so not a honeypot.

      A darknet is an IP-addressable network that appears to be not in use. What you have isn't IP-addressable, so not a darknet. We need a new phrase :)

  • Hey! Who knew that the net was missing [slashdot.org]?

  • HoneyPots (Score:4, Interesting)

    by xplosiv ( 129880 ) on Monday June 07, 2004 @07:44PM (#9361256)
    What's the difference between a darknet and a honeypot/net setup? Both seem to have the same goals, and both use some IP space to detect potential attacks.

    • Re:HoneyPots (Score:3, Informative)

      by Anonymous Coward
      honeypots emulate a "real" machine. they provide "real" services and have "real" filesystem, etc. these are designed to analyze human activity (cracking methods and tools).

      darknet seems to be logging traffic to the undefined addresses instead of dropping packets on the floor or sending icmp error responses. darknets don't appear to actually respond to traffic (analyzing worms / automated tools, no intelligence behind them).

  • I would have thought... (Score:4, Funny)

    by syousef ( 465911 ) on Monday June 07, 2004 @07:49PM (#9361281) Journal
    ...there are easier ways of finding Pr0n aren't there? Like opening up your spam folder :-)

  • I don't get the complexity (Score:5, Informative)

    by DDumitru ( 692803 ) <doug @ e a s y c o .com> on Monday June 07, 2004 @07:52PM (#9361302) Homepage
    The idea here is to catch traffic to otherwise unused network addresses. This does not require any of the stuff that seems to be implied here.

    For example, say you have a Linux system in a colo somewhere (or on the end of a T-1 or some other >1 IP address static network). You have some IP addresses assigned to you that are otherwise not assigned. Here is how you can get all of the darknet functionality with your standard server.

    Some example numbers (none of which are real)

    Unused address to watch: 10.11.12.13
    Interface on which you receive traffic: eth0
    A fake interface to route to: tap0

    Configure your server to ARP the extra addresses:

    arp -Ds 10.11.12.13 eth0 -i eth0 pub

    Setup a "tap" device to route the traffic to

    tunctl -u nobody -t tap0
    ifconfig tap0 10.11.12.13 netmask 255.255.255.0 broadcast 10.11.12.255 up

    Setup a "route" to the device

    ip route add 10.11.12.13 dev tap0

    At this point the traffic should all route to the fake device tap0. You can run tcpdump on this, setup IP filter chains, run MRTG on it directly, etc. All without any extra hardware.

    For those that work with UML (User Mode Linux), you already recognize this is exactly how you setup virtual UML networks.

    This is also somewhat related to "tar pits" that just answer connect requests to addresses that have un-completed ARP requests.

    Have fun.

    • Re:I don't get the complexity (Score:2, Informative)

      by Anonymous Coward

      Your idea of binding addresses through arp works almost as well, but it is not the same. Once you bind an address through arp, the interface will respond to arp requests. This goes against the author's idea of having absolutely no outbound on the sniffing interface. You can probably get along without it, but it's nice to be able to put up firewall rules that block all outbound and inbound traffic of all types on the sniffer interface, so that you know that anything you collect is genuine Bad Data.

      Also

      • Re:I don't get the complexity (Score:4, Interesting)

        by DDumitru ( 692803 ) <doug @ e a s y c o .com> on Monday June 07, 2004 @09:16PM (#9361754) Homepage
        You are correct if you are going to route "big chunks" of address space. On the other hand, most of us (at least those with some colo machines at our disposal) don't have spare /24s laying around [and if you do you should give them back to ARIN]. Also, it is arguably better to watch 256 "random" addresses than 256 in a row, so watching a bunch of small blocks is actually better than grabbing a big contiguous block.

        A couple of other points here. ARP does not actually create any extra traffic on the interface that is being watched. In this example, the ARP goes from eth0 to the upstream router. You are packet sniffing tap0. Thus tap0 will show absolutely zero outbound traffic (it cannot because there is no "client" application talking to it). Regardless, we are talking about IP here. If you have traffic reaching your interface that it not IP (and ARP is not IP), just why did the router forward it to you anyway.

        If you have a lot of nets that need to be routed this way, you can still do it. There is nothing wrong with static routes that go thru 5 systems on the way to the tap device. These can cross local LAN segments and provided there are no firewall rules that disallow it, the effect is the same.

        If your purpose is to dedicate resources to this project, then the dedicated network solutions is best. Otherwise, the virtual network solutions that use 'arp' and 'tap' devices gets you 100% of the same traffic to analyze.

        My "best" choice if you want to watch a "lot" of addresses would be to run something like LaBrea that responds to "un ARPed" packets. This could be mangled to automatically setup the interface to forward unused addresses within the current block to a tap device. I have not tried this, but it would be fun and not too hard to implement.

  • AKA Network Telescopes (Score:5, Informative)

    by BSDevil ( 301159 ) on Monday June 07, 2004 @07:54PM (#9361321) Journal
    These things have been around for awhile, but known as Network Telescopes. The largest (AFAIK) is at UCSD, which is just a tad larger than a /32 (like, say, a /8). They collected some interesting data off the thing during all the Blaster rampages (Google cache of HTML'ed PDF here [66.102.9.104]).

    Also, see the NANOG guide to setting them up here [nanog.org], and the home for the CAIDA/UCSD telescope here [caida.org].

    So in short, nice job to the Welsh for implementing it, but there's bigger elsewhere for y'all to play with.

  • IPv6 (Score:5, Interesting)

    by sploxx ( 622853 ) on Monday June 07, 2004 @08:14PM (#9361428)
    Wouldn't this be impossible to create with IPv6? Because of the *huge* address space and the negligible probability of a packet entering a darknet?
    This is in no way an argument against IPv6, I'm eagerly awaiting it - I'm just curious...

    • Re:IPv6 (Score:4, Insightful)

      by glwtta ( 532858 ) on Monday June 07, 2004 @08:30PM (#9361501) Homepage
      I am guessing that the kind of "naughty" traffic this is designed to mintor will also be made obsolete by IPv6's massive address space.

      Seems the purpose is to monitor IP scanning activity - something wholly impractical with IPv6.

      • Re:IPv6 (Score:3, Interesting)

        by Nasarius ( 593729 )
        something wholly impractical with IPv6

        Brute force scanning, yes. But plug into the IANA/ARIN/etc databases and you can narrow it down quite a bit.

  • would be a better name since HoneyPots have been discussed for quite some time. And they are probably a bit safer than HoneyPots from a legal perspective (probably less you can do than compromising a HoneyPot machine).

  • Darknet, invite naughty traffic on your net today! (Score:5, Informative)

    by pgnas ( 749325 ) on Monday June 07, 2004 @10:50PM (#9362227) Journal
    I completely agree, after spending countless hours sifting through log files, tweaking triggers to help reduce the amount of false positives, the IDS is not the complete answer.

    An IDS is only so efficient, you need to first really understand your network before deploying, and even after deployment, this is only the beginning.

    We have been using Darknets, or honeypots for sometime, an excellent combination of tools, see Snort [slashdot.org], ACID (Analysis Console for Intrusion Databases [sourceforge.net]

    As said before and in the article, this is a sophisticated set of tools and you need to understand your network, or you will find yourself chasing ghosts, Enter the Darknet (Honeypot).

    Combined with the other tools, we have been using Honeyd [honeyd.org], an excellent honeypot, simple to get up an going and very configurable.

    Snort.org [snort.org] has an excellent howto documentation [snort.org] to get the IDS up an going, then you can add the honeypot.

    It can be downright humorous how quickly you will begin to capture useful information. In addition, adding scripts to interact with the traffic will allow you to keep the user busy while you are collecting data, or Tarpitting the traffic making the port "sticky" dragging the connections, another good one would be LeBrea [hackbusters.net].

    If you have any interest in network security, or simply want to monitor your home network, you need to take a look at darknet, or any of the other tools mentioned.
  • This is just like this issue of [megatokyo.com].

    Weird.

  • And then what? (Score:4, Funny)

    by cyclist1200 ( 513080 ) on Tuesday June 08, 2004 @07:30AM (#9364169) Homepage
    Slap it on the nose with a newspaper and say, "Bad! Bad packet!"?

Slashdot Top Deals

On the eighth day, God created FORTRAN.

Close