I was contacted by a former student last night asking me to explain the concept of a darknet. Before contacting me he had read several descriptions online, but none of them made any sense to him. Well, since I took a few minutes to write my own explanation for one person, I might as well put it here.
Let's look at it from an operational perspective as opposed to a textbook definition.
1) You want to study malware and worm-like / scanning activity.
2) So you allocate a block of network space, say 4.16.5.0/24, to your "dark net".
3) On your router create a static route, 4.16.5.0/24 --> 1.1.1.1 (this being the IP of your analysis box).
Done.
Ok, so what just happened? The idea is that a darknet, or dark IP range, is a range that has no services in it. Therefore there should be no incoming traffic, and if there is incoming traffic it must be bad. To test this theory, all traffic destined for the non-existent subnet of legitimate address space is pushed to an analysis machine. Here you would log the connection attempts to get a better understanding of which ports are being probed.
How is this effective? Well, ideally you would want to combine several darknets and aggregate the data from all of them to build stats and trends on which services are being targeted.
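To show what the analysis box would actually do with the traffic that lands on it, here is an added example (not code from the original post). It assumes a sensor that writes one line per packet as "timestamp src_ip dst_ip proto dst_port", uses the post's 4.16.5.0/24 block as the dark range, and runs over a constructed sample log; it tallies the targeted services and flags sources that swept more than one dark address, which is the worm-like / scanning behaviour the post is after.

```python
"""Aggregate connection attempts that arrive in a darknet (unused IP range)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the darknet is the block from the post, 4.16.5.0/24. Anything
# that is not addressed to this range is normal traffic and is ignored.
DARKNET = ip_network("4.16.5.0/24")

# Constructed sample sensor log (not real capture data). Format assumed:
# "timestamp src_ip dst_ip proto dst_port". The last line is a packet to a
# production address that happened to pass the sensor and must be excluded.
SAMPLE_LOG = """\
1699999000 198.51.100.7 4.16.5.10 tcp 445
1699999001 198.51.100.7 4.16.5.11 tcp 445
1699999002 198.51.100.7 4.16.5.12 tcp 445
1699999003 203.0.113.9 4.16.5.40 tcp 22
1699999004 203.0.113.9 4.16.5.41 tcp 22
1699999005 192.0.2.33 4.16.5.200 udp 1434
1699999006 192.0.2.33 10.0.0.5 udp 1434
"""


def parse_line(line):
    """Split one sensor line into a record with typed fields."""
    ts, src, dst, proto, port = line.split()
    return {"ts": int(ts), "src": ip_address(src), "dst": ip_address(dst),
            "proto": proto, "port": int(port)}


def darknet_stats(log_text, darknet=DARKNET):
    """Count targeted services and sources, but only for packets hitting dark space.

    Returns (services, sources, targets_per_source): services is keyed by
    (proto, port), sources by source IP, and targets_per_source maps each
    source to the set of dark addresses it touched.
    """
    services, sources, targets_per_source = Counter(), Counter(), {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dst"] not in darknet:
            continue  # not dark space, so not evidence of anything
        services[(rec["proto"], rec["port"])] += 1
        sources[rec["src"]] += 1
        targets_per_source.setdefault(rec["src"], set()).add(rec["dst"])
    return services, sources, targets_per_source


def sweeping_sources(targets_per_source, min_hosts=2):
    """Sources that probed at least min_hosts distinct dark addresses (scan-like)."""
    return sorted(str(s) for s, t in targets_per_source.items() if len(t) >= min_hosts)
```

Combining several darknets is then just summing the per-sensor `services` Counters before reading off the most common (proto, port) pairs.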
That's it!
Hopefully that helps. Arbor Networks collects data this way and publishes stats publicly. If your IP block were discovered it would obviously no longer be effective, so if you work for a security company you would want to get hold of address space that is not adjacent to your production IPs.
So another question: couldn't you just look at incoming traffic to your production network?
Not really. Your production network has legitimate services and an identity; it's not actually "dark". You may be receiving targeted reconnaissance or other attacks. That is useful to know about, but not useful for researching trends in malware that is not targeting a specific victim.
Hope that helps!