Marcus P. Zillman, M.S., A.M.H.A. Author/Speaker/Consultant
Internet Happenings, Events and Sources


Thursday, June 10, 2004  

The Team Cymru Darknet Project
http://www.cymru.com/Darknet/index.html

Tracking compromised machines can be difficult. Security solutions often don't scale to the size of larger networks. Technologies such as IDS are flawed, producing copious false positives. When solutions are scaled to fit the larger providers, they often require considerable care and feeding, thus taking time away from problem mitigation. There must be a better way! Enter the Darknet! A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are "dark" because there is, seemingly, nothing within these networks. A Darknet does in fact include at least one server, designed as a packet vacuum. This server gathers the packets and flows that enter the Darknet, useful for real-time analysis or post-event network forensics. Any packet that enters a Darknet is by its presence aberrant. No legitimate packets should be sent to a Darknet. Such packets may have arrived by mistake or misconfiguration, but the majority of such packets are sent by malware. This malware, actively scanning for vulnerable devices, will send packets into the Darknet, and this is exactly what we want. Darknets have multiple uses. These can be used to host flow collectors, backscatter detectors, packet sniffers, and IDS boxes. The elegance of the Darknet is that it cuts down considerably on the false positives for any device or technology. The goals of the Darknet are simple - to increase awareness, and to ease mitigation. With a Darknet in place, it is far easier to determine the amount of naughty traffic on a network, as well as the sources of said traffic. This will be added to Security Resources 2004 Internet MiniGuide.
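As an added illustration of the "packet vacuum" idea above (this is example code written for this post, not Team Cymru's Darknet tooling), the script below takes a handful of constructed flow records, treats every record whose destination falls inside the darknet prefix as aberrant, and sorts them into the two kinds of traffic the project describes: scans (lone TCP SYNs from malware sweeping the space) and backscatter (SYN-ACK or RST replies from a third party whose attacker spoofed our darknet addresses as the source). The darknet prefix 192.0.2.0/24, the flow record layout, and all addresses are assumptions chosen for the example.

```python
"""Classify flow records that land in a darknet prefix (added example)."""
import ipaddress
from collections import Counter

# Assumed darknet prefix: 192.0.2.0/24 (TEST-NET-1, a documentation range).
DARKNET = ipaddress.ip_network("192.0.2.0/24")

# Constructed flow records: "epoch src_ip src_port dst_ip dst_port proto tcp_flags".
# Addresses are documentation ranges; nothing here is a real observation.
SAMPLE_FLOWS = [
    "1086850800 198.51.100.7 52311 192.0.2.15 445 tcp S",    # SYN sweep across the darknet
    "1086850801 198.51.100.7 52312 192.0.2.16 445 tcp S",
    "1086850802 198.51.100.7 52313 192.0.2.17 445 tcp S",
    "1086850803 203.0.113.80 80 192.0.2.44 31337 tcp SA",    # replies to spoofed SYNs: backscatter
    "1086850804 203.0.113.80 80 192.0.2.45 31338 tcp SA",
    "1086850805 203.0.113.80 80 192.0.2.46 31339 tcp R",
    "1086850806 198.51.100.23 1434 192.0.2.200 1434 udp -",  # UDP probe of the dark space
    "1086850807 198.51.100.9 40000 203.0.113.5 443 tcp S",   # not aimed at the darknet: ignored
]


def parse_flow(line):
    """Split one space-separated flow record into typed fields."""
    ts, src, sport, dst, dport, proto, flags = line.split()
    return {
        "ts": int(ts),
        "src": ipaddress.ip_address(src),
        "sport": int(sport),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto.lower(),
        "flags": set(flags) - {"-"},   # "-" marks no TCP flags (non-TCP records)
    }


def classify(flow):
    """Return None for traffic outside the darknet, otherwise a category.

    Every packet into the darknet is aberrant; the category only says why.
    """
    if flow["dst"] not in DARKNET:
        return None
    if flow["proto"] == "tcp":
        f = flow["flags"]
        if f == {"S"}:
            return "scan"            # new connection attempt into empty space
        if "A" in f or "R" in f:
            return "backscatter"     # a victim answering packets that spoofed our space
        return "other"
    if flow["proto"] == "udp":
        return "probe"
    return "other"


def summarize(lines):
    """Tally darknet hits by category and by (source, category)."""
    counts = Counter()
    sources = Counter()
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        cat = classify(flow)
        if cat is None:
            counts["ignored"] += 1
            continue
        counts[cat] += 1
        sources[(str(flow["src"]), cat)] += 1
    return {"counts": dict(counts), "sources": sources}


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    print(report["counts"])
    for (src, cat), n in report["sources"].most_common():
        print(f"{src:16} {cat:12} {n}")
```

Because nothing legitimate is addressed to the dark prefix, the classifier needs no signature and raises no false positive on the one record that stays outside it; the scanning source stands out after three records, and the backscatter tells you that 203.0.113.80 is the one under attack, not the one attacking. On real flow data the same split, run against the prefix your packet vacuum owns, is the awareness-and-mitigation view the project describes.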

posted by Marcus Zillman | 4:20 AM