Darknet monitoring

2007-03-01

Jose Nazario

Arbor Networks, USA
Editor: Helen Martin

Abstract

'Monitoring darknet traffic yields great visibility into what threats are present.’ Jose Nazario, Arbor Networks.


The Internet has faced a sustained and significant threat from network malware since the first global Windows network worms appeared in 2001. In September 2001 the Nimda worm disrupted BGP routing at major Internet peering points for hours, and in January 2003 the SQL Slammer worm caused widespread outages and slowdowns. The DDoS attacks directed at the root DNS servers, most recently in February 2007, could only have been launched with the help of Internet-scale malware and botnets.

Discovering this malware and other malicious activity is key to any global monitoring approach, and especially to an early warning system. Honeypots are often an excellent source of data, but they see only the attackers that happen to reach them. At the other extreme, trying to absorb all of the data with active client collection techniques simply does not scale. A balance must be found: a vantage point that highlights possible new sources of activity without requiring everything to be collected.

A newer approach to monitoring malicious Internet traffic on a global basis is to use darknets: unallocated IP space owned by service providers or enterprises. This is the portion of the Internet that has not been assigned to customers or hosts, and every network has some of it. Because the space is unallocated, there are only two reasons for traffic to arrive in it: misconfiguration or malicious activity. Darknets have almost no background traffic, so the data captured is nearly pure signal and can be analysed easily. A key facet of any darknet is that it must be globally routed and reachable, so that a host anywhere on the Internet that sends traffic to it is recorded, whatever its source.

Darknets work because network-scanning malware cannot tell which addresses are in use at any level of the Internet. Bots and malware are not intelligent enough to pick and choose where they go; they simply attempt to spread to as many hosts as possible, and so they send probes into unallocated space along with everything else. Monitoring darknet traffic yields great visibility into what threats are present.

By some estimates, only about one third of the Internet is in active use at any time, counting all the way from DHCP-allocated subnets up through the address blocks allocated by registries such as ARIN and announced in BGP. This leaves tremendous room for darknets to be deployed.

Over the years we have seen only a handful of Internet worms try to avoid the largest darknet monitors by carrying a list of networks to scan. This did not work as well as their authors had hoped, and very few malware authors have tried it since. The bulk of bots and malware today use ‘island hopping’ strategies that bias their scanning and attacks towards the local network, either by hardcoding such an algorithm (first made popular by Code Red II and Nimda) or through botnet scan commands that focus on local networks. Even in these cases darknets observe the malware, because IP address assignments within the local network are sparse and many of the locally biased probes land in unallocated space.
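As an added illustration of why island hopping does not hide a worm from a local darknet (this is example code written for this edition, not part of the original article or any Arbor tool), the simulation below draws probe targets with Code Red II's published bias (1/8 uniformly random, 1/2 within the infected host's /8, 3/8 within its /16) and counts where they land. The infected host's address, the allocated prefixes and the probe count are constructed assumptions; only the target-selection ratios come from the worm.

```python
import ipaddress
import random


def code_red_ii_target(infected: int, rng: random.Random) -> int:
    """Return one probe target chosen with Code Red II's island-hopping bias:
    1/8 uniformly random, 1/2 within the infected host's /8, 3/8 within its /16.
    Addresses are handled as 32-bit integers."""
    r = rng.random()
    if r < 1 / 8:
        return rng.getrandbits(32)
    if r < 1 / 8 + 1 / 2:
        return (infected & 0xFF000000) | rng.getrandbits(24)
    return (infected & 0xFFFF0000) | rng.getrandbits(16)


def classify_probes(infected: str, allocated, n: int = 20000, seed: int = 7):
    """Simulate n probes from `infected` and return the fraction that land in
    each region: the local /16's allocated space, the local /16's unallocated
    (darknet) space, the remainder of the local /8, and everywhere else.
    Targets are classified by where they actually fall, not by which branch
    of the selection algorithm produced them."""
    rng = random.Random(seed)
    host = ipaddress.IPv4Address(infected)
    local16 = ipaddress.ip_network(f"{host}/16", strict=False)
    local8 = ipaddress.ip_network(f"{host}/8", strict=False)
    allocated = [ipaddress.ip_network(p) for p in allocated]
    counts = {"local_allocated": 0, "local_dark": 0,
              "rest_of_slash8": 0, "elsewhere": 0}
    for _ in range(n):
        target = ipaddress.IPv4Address(code_red_ii_target(int(host), rng))
        if target in local16:
            if any(target in net for net in allocated):
                counts["local_allocated"] += 1
            else:
                counts["local_dark"] += 1
        elif target in local8:
            counts["rest_of_slash8"] += 1
        else:
            counts["elsewhere"] += 1
    return {region: c / n for region, c in counts.items()}


# Constructed scenario (an assumption, not measured data): the infected host
# sits in 10.1.0.0/16, of which only 10.1.0.0/18 and 10.1.64.0/20 (5/16 of the
# block, roughly the "one third in use" figure) are assigned to real hosts.
ALLOCATED = ["10.1.0.0/18", "10.1.64.0/20"]

if __name__ == "__main__":
    for region, share in classify_probes("10.1.2.3", ALLOCATED).items():
        print(f"{region:16s} {share:.3f}")
```

With these assumptions roughly a quarter of all probes (3/8 of the probes aimed at the local /16, times the 11/16 of that block that is unallocated) arrive in the local darknet, more than reach the allocated hosts the worm is actually looking for. That is the sparseness effect the article describes: a darknet covering the unused part of the local block sees the worm within its first few dozen probes.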

Multiple levels of data can be analysed in darknets, ranging from NetFlow-based approaches to full honeypots. At the NetFlow level, routers and switches report what traffic is destined for a darknet by generating traffic summaries called ‘flows’. A flow record omits payloads and aggregates the packets of a conversation into a single record, giving a lightweight representation of the traffic. These records are well suited to trend analysis and to analysing global scan patterns. Full packets can also be collected and, in combination with a honeypot system, used to discover the nature of the attack and characterize it further.
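The following added example (written for this edition; it is not the article's or Arbor's code) shows the kind of flow-level analysis the two preceding passages describe: filter flow records down to those addressed to a darknet, label each one as a scan, a probe or DDoS backscatter from the TCP flags it carries, and find horizontal scans by counting how many distinct darknet addresses a source touched on one port. The flow records are constructed, in an nfdump-like CSV layout chosen for this example, and the darknet prefix 203.0.113.0/24 and the three-target threshold are assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not a real capture). Columns: first-seen
# timestamp, protocol, src, sport, dst, dport, TCP flags, packets, bytes.
FLOWS_CSV = """ts,proto,src,sport,dst,dport,flags,packets,bytes
2007-02-20 10:00:01,TCP,198.51.100.7,3412,203.0.113.5,445,S,1,48
2007-02-20 10:00:01,TCP,198.51.100.7,3413,203.0.113.6,445,S,1,48
2007-02-20 10:00:02,TCP,198.51.100.7,3414,203.0.113.7,445,S,1,48
2007-02-20 10:00:02,TCP,198.51.100.7,3415,203.0.113.8,445,S,1,48
2007-02-20 10:00:03,TCP,198.51.100.7,3416,203.0.113.9,445,S,1,48
2007-02-20 10:00:05,UDP,192.0.2.9,1434,203.0.113.44,1434,,1,404
2007-02-20 10:00:05,UDP,192.0.2.9,1434,203.0.113.45,1434,,1,404
2007-02-20 10:00:05,UDP,192.0.2.9,1434,203.0.113.46,1434,,1,404
2007-02-20 10:00:09,TCP,192.0.2.80,80,203.0.113.200,51234,SA,3,180
2007-02-20 10:00:09,TCP,192.0.2.80,80,203.0.113.201,51235,SA,3,180
2007-02-20 10:00:09,TCP,192.0.2.80,80,203.0.113.13,51236,RA,1,40
2007-02-20 10:00:11,TCP,198.51.100.30,2000,203.0.113.77,22,S,1,48
2007-02-20 10:00:12,TCP,198.51.100.30,2001,203.0.113.78,22,S,1,48
2007-02-20 10:00:20,TCP,198.51.100.50,40000,198.51.100.51,80,S,4,240
"""

# Assumed unallocated block being monitored.
DARKNET = ipaddress.ip_network("203.0.113.0/24")


def parse_flows(text: str):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def darknet_flows(flows, darknet=DARKNET):
    """Keep only flows whose destination falls inside the darknet prefix."""
    return [f for f in flows if ipaddress.ip_address(f["dst"]) in darknet]


def classify(flow) -> str:
    """Coarse label for one darknet-bound flow. A TCP flow carrying SYN but no
    ACK is a connection attempt, i.e. a scan or exploit probe. SYN-ACK or RST
    flows are replies to packets nobody in the darknet sent, i.e. backscatter
    from a DDoS victim whose attacker spoofed our addresses. UDP datagrams are
    treated as probes."""
    flags = set(flow["flags"])
    if flow["proto"] == "TCP":
        if "S" in flags and "A" not in flags:
            return "tcp-scan"
        if "A" in flags or "R" in flags:
            return "backscatter"
        return "tcp-other"
    if flow["proto"] == "UDP":
        return "udp-probe"
    return "other"


def summary(flows):
    """Count darknet flows per label, the trend figure a sensor would report."""
    counts = defaultdict(int)
    for f in flows:
        counts[classify(f)] += 1
    return dict(counts)


def horizontal_scans(flows, min_targets: int = 3):
    """Group scan and probe flows by (src, proto, dport) and report the sources
    that touched at least min_targets distinct darknet addresses on one port."""
    targets = defaultdict(set)
    for f in flows:
        if classify(f) in ("tcp-scan", "udp-probe"):
            targets[(f["src"], f["proto"], int(f["dport"]))].add(f["dst"])
    return {key: len(dsts) for key, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    flows = darknet_flows(parse_flows(FLOWS_CSV))
    print(summary(flows))
    for (src, proto, dport), n in horizontal_scans(flows).items():
        print(f"{src} swept {n} darknet hosts on {proto}/{dport}")
```

The last constructed record, between two allocated addresses, is dropped by the prefix filter; the remaining thirteen are all unsolicited, as the article notes, and the flags alone separate the two sweeps (SMB on 445/TCP, the Slammer port 1434/UDP) from the web server that is answering spoofed SYNs. The two-host 22/TCP source stays below the threshold, which is the trade-off to tune on real data: a lower threshold finds slower scanners at the cost of more noise from misconfiguration.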

Darknets are the network equivalent of email spam traps, dummy IM accounts and other such data collection points. The major difference between a darknet and a typical honeynet, however, is the scale of data collection: a darknet comprises hundreds of addresses or more, rather than one or two hosts. Data analysis techniques must therefore scale up dramatically, focusing on trends and patterns instead of deep specifics.

At Arbor Networks we have found that a distributed darknet monitoring system provides global visibility into malicious traffic and probes. The scan and attack patterns indicate the prevalence of bots and malware, and the network of sensors collects new malware samples continuously. As a result, there is usually an indication of a large-scale attack before it impacts customers dramatically.
