Darknets, Honeypots, and Other Snares

The term 
darknet
is often encountered in the context of private file-sharing
networks (http://en.wikipedia.org/wiki/Darknet), consisting of virtual net-
works used to connect users only to other trusted individuals. However, the
term has been extended in the security sphere to apply to IP address space that
is routed but which no active hosts and therefore no legitimate traffic.
You might also hear the terms 
network telescope
(www.caida.org) or 
black
hole
(because traffic that finds its way in there doesn’t get a response but
simply disappears).The maintainers of such a facility will start from the
assumption that any traffic they do pick up must be either misconfiguration
or something more sinister. Properly analyzed and interpreted, darknet traffic
is a source of valuable data on a variety of attacks (backscatter from spoofed
addresses, DoS flooding) and widely used to track botnets and worm activity.
Malicious software on the lookout for vulnerable systems can generate a great
deal of source material for flow collection, sniffers, and IDSes, without gener-
ating the volume of false positives associated with some IDS measures.
As defined by the Cymru Darknet project (www.cymru.com/Darknet/), a
darknet does, in fact, contain at least one “packet vacuum” server to “Hoover
up” inbound flows and packets without actively responding and thus revealing
its presence.
Darknets can be used as local early warning systems for organizations with
the network and technical capacity to do so, but they are even more useful as
a global resource for sites and groups working against botnets on an Internet-
wide basis.
Internet Motion Sensor (IMS) uses a large network of distributed sensors
to detect and track a variety of attempted attacks, including worms and other
malware, DoS and DDoS attacks, and network probes. Like other darknets,
IMS uses globally routable unused address space but uses proprietary transport
layer service emulation techniques to attract payload data (http://ims.eecs.
umich.edu/).
IMS was designed to meet objectives that tell us quite a lot about what is
needed from any darknet in the botnet mitigation process (http://ims.eecs.
umich.edu/architecture.html):
■
It needs to differentiate traffic on the same service. It needs some
capability for distinguishing between (rare, in this instance) legitimate

Download 6,98 Mb.

Do'stlaringiz bilan baham: