20060425-darknet-pearson

Shared Darknet Project
Internet2 Spring 2006 Member Meeting
Doug Pearson
Technical Director, REN-ISAC
REN-ISAC
• Is an integral part of U.S. higher education’s strategy
to improve network security through information
collection, analysis, dissemination, early warning, and
response;
• is specifically designed to support the unique
environment and needs of organizations connected to
the higher education and research networks it serves; and
• supports efforts to protect the national cyber
infrastructure by participating in the formal U.S. ISAC
structure.
REN-ISAC Activities
• A vetted trust community for R&E cybersecurity
• Information-sharing and communications channels
• Information products aimed at protection and
response
• Participation in mitigation communities
• Incident response
• 24x7 Watch Desk ([email protected], +1 317 274 6630)
• Improvement of R&E security posture
• Research & Education Cybersecurity Contact Registry
• Security work in specific communities
• Participate in other higher education and national
efforts for cyber infrastructure protection
REN-ISAC Membership
• A trusted community for sharing sensitive information
regarding cybersecurity threat, incidents, response,
and protection, specifically designed to support the
unique environment and needs of higher education
and research organizations.
• Membership is oriented to permanent staff with
organization-wide responsibility for cybersecurity
protection or response at an institution of higher
education, teaching hospital, research and education
network provider, or government-funded research
organization.
• http://www.ren-isac.net/membership.html
Certain Threats
• Certain types of worms and attacks scan the network
for vulnerable hosts to infect, e.g.
– Blaster exploited MS DCOM RPC on TCP/135
– Veritas Backup Exec vulnerabilities via TCP/6101
– Weak MySQL root user passwords via TCP/3306
– And many, many more!
[Chart: TCP/3306 sources seen Jan 2005, after introduction of a bot scanning for weak MySQL root user passwords]
Darknet
• Is a type of network security sensor used to detect
scanning systems.
• A darknet collector listens to one or more blocks of
routed, allocated, but unused IP address space and
records the incoming traffic.
• Because the IP space is unused (hence "dark") there
should be very little legitimate traffic entering the
darknet.
• But, as it turns out, a good deal of traffic enters
darknets, mostly coming from malware and attack
reconnaissance, such as worms and bots scanning for
new systems to infect, automated scanning for SSH
servers on which to conduct password attacks, etc.
Darknet
• A darknet is a very useful security tool – worm and
other malware infected systems can be positively
identified by source IP address and then referred for
isolation and remediation. Several universities use a
darknet in conjunction with other protection methods.
Darknets can be fairly simple to set up and operate
and provide useful results.
• Some guides to darknets:
– Team Cymru Darknet Project
http://www.cymru.com/Darknet/index.html
– Internet Motion Sensor Project
http://ims.eecs.umich.edu/
Darknets
• REN-ISAC operates a darknet, and:
– sends notifications of observed scanning sources,
aka infected systems, to the security contact at the
source-owning institution,
– uses the darknet to monitor for new or changing
behaviors – i.e. situational awareness, and
– provides statistics of activity observed in the
darknet to its members via the Daily Weather
Report.
Sample Daily Notification
Date: Fri, 11 Feb 2005 12:32:02 -0500
To: [email protected]
From: Doug Pearson <[email protected]>
Subject: REN-ISAC darknet report 02-10-2005 24 hours GMT

The following systems at your site were observed scanning at the
reported port, and are likely compromised.

Files are attached for each institution containing detail
information for each hit, including timestamps.

Hits on unusual port numbers - ports not associated to common
Internet services - are often the result of backscatter from
source-spoofed IP addresses.

A list of the observed network blocks is included at the
bottom of this report. Additions and corrections to the list
are appreciated!

dest institution | source IP       | proto. | port | # hits
-----------------+-----------------+--------+------+-------
indiana.edu      | 149.159.43.156  | TCP    | 445  | 3
indiana.edu      | 149.159.43.156  | TCP    | 1025 | 3
indiana.edu      | 156.56.72.3     | TCP    | 445  | 2
iupui.edu        | 134.68.121.224  | TCP    | 445  | 61
iupui.edu        | 149.166.231.219 | TCP    | 445  | 1
iupui.edu        | 149.166.232.69  | TCP    | 445  | 3
ius.edu          | 149.160.18.8    | TCP    | 445  | 3
iusb.edu         | 149.161.224.5   | TCP    | 445  | 3
iusb.edu         | 149.161.224.26  | TCP    | 445  | 3

-----------------------------------------------------------------
LIST OF OBSERVED NETBLOCKS:
129.79.0.0/16    indiana.edu
149.166.0.0/16   indiana.edu
[remainder of the list obfuscated in the slide]

-------------------------------------
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630
[email protected]
http://www.ren-isac.net
-o0o-
Shared Darknet Project
• A development effort of the SALSA CSI2 activity
– http://security.internet2.edu/csi2/
• The aim is to develop a wide-aperture, powerful
network security sensor that will directly serve higher-education
and research institutions, and indirectly
serve Internet users at large.
• To participate in the Shared Darknet Project,
institutions that run darknets send their collector data
(only the hits from outside their institution) to REN-ISAC.
The data is analyzed to identify compromised
machines by IP address, destination ports involved,
the number of "hits" seen, and timestamps of the
activity.
Shared Darknet Project
• REN-ISAC sends notifications of R&E compromised
machines directly to the security contacts at the
institution that owns the source address, and
• REN-ISAC sends reports to its members containing
information about trends and new activity seen
in the Shared Darknet sensor space.
• Notifications are sent to R&E sources regardless of
whether the institution is a participant in the Shared
Darknet Project or not, and
• Notifications of non-R&E sources are forwarded in
aggregate to related private network security
collaborations on a best-effort basis.
Shared Darknet Project - Benefits
• Wide aperture (large amount of IP address space
widely distributed) = a more powerful sensor than a
standalone system.
• Resilient to counterintelligence = difficult for
miscreants to identify and intentionally avoid the
darknet.
• Combined brainpower.
• An excellent picture of what’s affecting R&E.
• Will enable substantial progress in combating worms
and other malicious activity that relies on scanning for
vulnerable systems.
Shared Darknet Project - Why
One lonely /16 darknet in the entire IPv4 space,
(actually the /16 line should be ~10x skinnier!)
versus a Shared Darknet Project
Policy
• Anticipate lightweight policy considerations:
– these are unsolicited scans of your network
resources after all,
– don’t have to deal with payload,
– institutions keep the hits from their local sources to
themselves and only share hits coming from
external sources, and
– information is shared within established trust
communities.
• Developing a lightweight participation MOU.
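As an added example (not from the slides or from REN-ISAC), a small Python model of the Shared Darknet Project data flow described above: a participating site applies the policy of sharing only external-source hits, and the aggregator groups them by source IP, protocol and destination port, maps each source to its owning institution through a netblock table, flags hits on unusual ports as possible backscatter, and renders a table in the style of the sample daily notification. The netblock registry (apart from the two /16s shown in the sample report), the hit records, the collector's own address range and the common-ports set are constructed for this example.

```python
# Added example, not from the slides: a toy model of the Shared Darknet Project
# data flow. A site shares only hits whose source lies outside its own address
# space; the aggregator groups them by source IP, protocol and destination port.
from ipaddress import ip_address, ip_network

# Constructed registry; the two /16s appear in the slides' sample report.
NETBLOCKS = {
    ip_network("129.79.0.0/16"): "indiana.edu",
    ip_network("149.166.0.0/16"): "indiana.edu",
    ip_network("192.0.2.0/24"): "example.edu",  # RFC 5737 documentation range
}
# Common-service ports (constructed); hits elsewhere are often spoofed-source backscatter.
COMMON_PORTS = {22, 25, 80, 135, 139, 443, 445, 1025, 1433, 3306, 6101}
SAMPLE_HITS = [  # constructed collector records: (timestamp, src, proto, dst port)
    ("2005-02-10T01:12:00Z", "149.166.232.69", "TCP", 445),
    ("2005-02-10T01:12:04Z", "149.166.232.69", "TCP", 445),
    ("2005-02-10T02:00:00Z", "192.0.2.7", "TCP", 41234),    # odd port: backscatter?
    ("2005-02-10T03:30:00Z", "198.51.100.9", "TCP", 3306),  # from the collector's own space
]

def institution_for(src):
    """Owning institution for a source IP via the netblock registry, or None."""
    addr = ip_address(src)
    return next((org for net, org in NETBLOCKS.items() if addr in net), None)

def shareable_hits(hits, local_nets):
    """Policy filter: local-source hits stay at the site; only external ones are shared."""
    local = [ip_network(n) for n in local_nets]
    return [h for h in hits if not any(ip_address(h[1]) in n for n in local)]

def aggregate(hits):
    """Group by (institution, src, proto, port) -> hit count, first/last seen, flag."""
    groups = {}
    for ts, src, proto, port in hits:
        key = (institution_for(src) or "unknown", src, proto, port)
        g = groups.setdefault(key, {"hits": 0, "first": ts, "last": ts,
                                    "backscatter": port not in COMMON_PORTS})
        g["hits"] += 1
        g["first"], g["last"] = min(g["first"], ts), max(g["last"], ts)
    return groups

def report(groups):
    """Render the per-institution table in the style of the daily notification."""
    lines = ["dest institution | source IP       | proto. | port  | # hits"]
    for (org, src, proto, port), g in sorted(groups.items()):
        flag = "  (unusual port; possible backscatter)" if g["backscatter"] else ""
        lines.append(f"{org:<16} | {src:<15} | {proto:<6} | {port:<5} | {g['hits']}{flag}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(aggregate(shareable_hits(SAMPLE_HITS, ["198.51.100.0/24"]))))
```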
Phase X / Related Project
• RENOIR – Research and Education Networking
Operational Information Retrieval
– A development effort of the SALSA CSI2 activity
• http://security.internet2.edu/csi2/
• Led by WPI / Phil Deneault
– RENOIR utilizes standards-based methods (e.g.
IODEF and work of the IETF INCH Working Group)
to provide an inter-institutional incident information
exchange implemented within a trust community,
and provides methods for organizing and
correlating units of related information into
synoptic incident views.
RENOIR and the SDP
[Diagram: Shared Darknet Project, RENOIR, Registry, AAA]
R&D and Opportunity Areas
• Trend analysis - best techniques and methods
• Noise reduction, e.g. noise from P2P NAT and firewall
traversal methods
• New ways of representing results
– e.g.
http://www.monkey.org/~phy/ipmaps/darknet.php
• Payload analysis
Interested to Participate?
• As an SDP site or in R&D and Opportunity areas…
• Anticipate May start-up of pilot sites
• See me
– Doug Pearson, [email protected], or
– Chris Misra, [email protected]
• Also
– Join the REN-ISAC darknet discussion mailing list
(open to REN-ISAC members); send e-mail to:
[email protected].
Contacts
Research and Education Networking ISAC
http://www.ren-isac.net
24x7 Watch Desk: +1(317)278-6630
[email protected]
Membership: http://www.ren-isac.net/membership.html
Doug Pearson
[email protected]