Shared Darknet Project Internet2 Spring 2006 Member Meeting Doug Pearson Technical Director, REN-ISAC


Page 1: Shared Darknet Project Internet2 Spring 2006 Member Meeting Doug Pearson Technical Director, REN-ISAC

Shared Darknet Project

Internet2 Spring 2006 Member Meeting

Doug Pearson

Technical Director, REN-ISAC

Page 2

REN-ISAC

• Is an integral part of U.S. higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response;

• is specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks; and

• supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.

Page 3

REN-ISAC Activities

• A vetted trust community for R&E cybersecurity

• Information-sharing and communications channels

• Information products aimed at protection and response

• Participation in mitigation communities

• Incident response

– 24x7 Watch Desk ([email protected], +1 317 274 6630)

• Improvement of R&E security posture

• Research & Education Cybersecurity Contact Registry

• Security work in specific communities

• Participate in other higher education and national efforts for cyber infrastructure protection

Page 4

REN-ISAC Membership

• A trusted community for sharing sensitive information regarding cybersecurity threats, incidents, response, and protection, specifically designed to support the unique environment and needs of higher education and research organizations.

• Membership is oriented to permanent staff with organization-wide responsibility for cybersecurity protection or response at an institution of higher education, teaching hospital, research and education network provider, or government-funded research organization.

• http://www.ren-isac.net/membership.html

Page 5

Certain Threats

• Certain types of worms and attacks scan the network for vulnerable hosts to infect, e.g.

– Blaster exploited MS DCOM RPC on TCP/135

– Veritas Backup Exec vulnerabilities via TCP/6101

– Weak MySQL root user passwords via TCP/3306

– And many, many more!

Figure: TCP/3306 sources seen Jan 2005, after introduction of a bot scanning for weak MySQL root user passwords.

Page 6

Darknet

• Is a type of network security sensor used to detect scanning systems.

• A darknet collector listens to one or more blocks of routed, allocated, but unused IP address space and records the incoming traffic.

• Because the IP space is unused (hence "dark") there should be very little legitimate traffic entering the darknet.

• But, as it turns out, a good deal of traffic enters darknets, mostly coming from malware and attack reconnaissance, such as worms and bots scanning for new systems to infect, automated scanning for SSH servers on which to conduct password attacks, etc.
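What a collector does with the traffic it records, as an added example (not REN-ISAC's or any project's code). The packet records, the dark block 10.250.0.0/16 and the threshold are constructed; the classification rule is the standard darknet heuristic: nothing in dark space ever initiates a connection, so a lone TCP SYN is scanning, while SYN/ACK or RST packets are backscatter from a third party whose attacker spoofed our dark addresses as the source (the reason the daily report flags hits on unusual ports as backscatter).

```python
"""Classify and summarize traffic arriving at a darknet collector.
Added example; addresses, dark block and sample packets are constructed."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed routed, allocated but unused block (placeholder, not a real darknet).
DARKNET = ipaddress.ip_network("10.250.0.0/16")


@dataclass(frozen=True)
class Packet:
    ts: int        # unix seconds
    src: str
    dst: str
    proto: str     # "TCP", "UDP" or "ICMP"
    dport: int     # destination port (0 for ICMP)
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "R", "RA"


def classify(pkt):
    """Heuristic class of one packet seen by the collector."""
    if ipaddress.ip_address(pkt.dst) not in DARKNET:
        return "ignore"          # leaked non-dark traffic, e.g. a misrouted flow
    if pkt.proto == "TCP":
        if pkt.flags == "S":
            return "scan"        # connection attempt to an address nobody uses
        if pkt.flags in ("SA", "R", "RA"):
            return "backscatter"  # reply to a packet that spoofed our dark space
        return "other"
    if pkt.proto == "UDP":
        return "scan"            # UDP probes; may also be P2P/NAT-traversal noise
    if pkt.proto == "ICMP":
        return "probe"
    return "other"


def summarize(packets):
    """Per (source, class): hit counts by (proto, port) plus first/last seen,
    which is the detail a collector later reports upstream."""
    hits = defaultdict(Counter)
    seen = {}
    for p in packets:
        kind = classify(p)
        if kind == "ignore":
            continue
        key = (p.src, kind)
        hits[key][(p.proto, p.dport)] += 1
        first, last = seen.get(key, (p.ts, p.ts))
        seen[key] = (min(first, p.ts), max(last, p.ts))
    return hits, seen


def scanning_sources(packets, min_targets=3):
    """Sources that probed at least min_targets distinct dark addresses: the
    'likely compromised' systems a notification would be sent about. The
    distinct-target threshold keeps one-off noise out of the notification."""
    targets = defaultdict(set)
    for p in packets:
        if classify(p) == "scan":
            targets[p.src].add(p.dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


# Constructed sample capture (RFC 5737 documentation addresses as sources).
SAMPLE = [
    Packet(1107900000, "192.0.2.10", "10.250.1.1", "TCP", 445, "S"),
    Packet(1107900001, "192.0.2.10", "10.250.1.2", "TCP", 445, "S"),
    Packet(1107900002, "192.0.2.10", "10.250.1.3", "TCP", 445, "S"),
    Packet(1107900003, "192.0.2.10", "10.250.9.9", "TCP", 3306, "S"),
    Packet(1107900010, "198.51.100.7", "10.250.4.4", "TCP", 80, "SA"),  # DDoS victim replying
    Packet(1107900011, "198.51.100.7", "10.250.4.5", "TCP", 80, "SA"),
    Packet(1107900020, "203.0.113.5", "10.250.7.7", "UDP", 6881, ""),   # single UDP hit
    Packet(1107900030, "192.0.2.10", "172.16.0.1", "TCP", 445, "S"),    # not dark space
]

if __name__ == "__main__":
    hits, seen = summarize(SAMPLE)
    for (src, kind), ports in sorted(hits.items()):
        print(src, kind, dict(ports), seen[(src, kind)])
    print("notify about:", scanning_sources(SAMPLE))
```

On the sample, only 192.0.2.10 qualifies for a notification: 198.51.100.7 is a victim, not an infected host, and 203.0.113.5 touched a single address, which is the kind of noise the R&D slide later lists under noise reduction.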

Page 7

Darknet

• A darknet is a very useful security tool – worm and other malware infected systems can be positively identified by source IP address and then referred for isolation and remediation. Several universities use a darknet in conjunction with other protection methods. Darknets can be fairly simple to set up and operate and provide useful results.

• Some guides to darknets:

– Team Cymru Darknet Project, http://www.cymru.com/Darknet/index.html

– Internet Motion Sensor Project, http://ims.eecs.umich.edu/

Page 8

Darknets

• REN-ISAC operates a darknet, and:

– sends notifications of observed scanning sources, aka infected systems, to the security contact at the source-owning institution,

– uses the darknet to monitor for new or changing behaviors – i.e. situational awareness, and

– provides statistics of activity observed in the darknet to its members via the Daily Weather Report.

Page 9

Sample Daily Notification

(Slide annotations: "obfuscated"; "The following systems at your site were observed scanning at the reported port, and are likely compromised.")

Date: Fri, 11 Feb 2005 12:32:02 -0500
To: [email protected]
From: Doug Pearson <[email protected]>
Subject: REN-ISAC darknet report 02-10-2005 24 hours GMT

Files are attached for each institution containing detail information for each hit, including timestamps.

Hits on unusual port numbers - ports not associated to common Internet services - are often the result of backscatter from source-spoofed IP addresses.

A list of the observed network blocks is included at the bottom of this report. Additions and corrections to the list are appreciated!

dest institution        | source IP       | proto. | port | # hits
------------------------+-----------------+--------+------+-------
indiana.edu               149.159.43.156    TCP      445    3
indiana.edu               149.159.43.156    TCP      1025   3
indiana.edu               156.56.72.3       TCP      445    2
iupui.edu                 134.68.121.224    TCP      445    61
iupui.edu                 149.166.231.219   TCP      445    1
iupui.edu                 149.166.232.69    TCP      445    3
ius.edu                   149.160.18.8      TCP      445    3
iusb.edu                  149.161.224.5     TCP      445    3
iusb.edu                  149.161.224.26    TCP      445    3
------------------------------------------------------------------

LIST OF OBSERVED NETBLOCKS:
indiana.edu 129.79.0.0/16
indiana.edu 149.166.0.0/16

--------------------------------------
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630
[email protected]
http://www.ren-isac.net
-o0o-

Page 10

Shared Darknet Project

• A development effort of the SALSA CSI2 activity

– http://security.internet2.edu/csi2/

• The aim is to develop a wide-aperture, powerful network security sensor that will directly serve higher-education and research institutions, and indirectly serve Internet users at large.

• To participate in the Shared Darknet Project, institutions that run darknets send their collector data (only the hits from outside their institution) to REN-ISAC. The data is analyzed to identify compromised machines by IP address, destination ports involved, the number of "hits" seen, and timestamps of the activity.
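The shared-project pipeline in code, as an added example (not REN-ISAC's or the SDP's own software). It takes submissions from several participating collectors, applies the policy stated later in the deck (a site keeps hits from its own address space to itself and shares only external sources), attributes each external source to its owning R&E institution from a netblock registry, rolls hits up by source IP, protocol and destination port with first/last timestamps and the number of sensors that saw them, and renders the same columns as the sample daily report. Institution names, netblocks (RFC 5737 test ranges) and hits are constructed.

```python
"""Aggregate darknet hits from several collectors into per-institution
notifications. Added example; registry, netblocks and hits are constructed."""
import ipaddress
from collections import defaultdict

# Constructed stand-in for the report's "LIST OF OBSERVED NETBLOCKS".
NETBLOCKS = {
    "192.0.2.0/24": "alpha.edu",
    "198.51.100.0/25": "beta.edu",
    "198.51.100.128/25": "gamma.edu",
}
NETWORKS = [(ipaddress.ip_network(n), inst) for n, inst in NETBLOCKS.items()]


def owner(ip):
    """Longest-prefix match of a source IP against the registry; None = non-R&E."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, inst) for net, inst in NETWORKS if addr in net]
    return max(matches)[1] if matches else None


def external_only(submitter, hits):
    """Policy filter: a participant shares only hits whose source is outside
    its own institution; hits from its own hosts stay local."""
    return [h for h in hits if owner(h["src"]) != submitter]


def aggregate(submissions):
    """submissions: {submitter: [hit, ...]} with hit = dict(ts, src, proto, dport).
    Returns (rows per owning institution, rows for non-R&E sources)."""
    counts = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "sensors": set()})
    for submitter, hits in submissions.items():
        for h in external_only(submitter, hits):
            c = counts[(h["src"], h["proto"], h["dport"])]
            c["hits"] += 1
            c["first"] = h["ts"] if c["first"] is None else min(c["first"], h["ts"])
            c["last"] = h["ts"] if c["last"] is None else max(c["last"], h["ts"])
            c["sensors"].add(submitter)
    per_inst, non_re = defaultdict(list), []
    for (src, proto, dport), c in sorted(counts.items()):
        row = {"src": src, "proto": proto, "port": dport, "hits": c["hits"],
               "first": c["first"], "last": c["last"], "sensors": len(c["sensors"])}
        inst = owner(src)
        if inst is None:
            non_re.append(row)       # forwarded in aggregate to other collaborations
        else:
            per_inst[inst].append(row)  # notification to that institution's contact
    return dict(per_inst), non_re


def render(per_inst):
    """Plain-text table in the layout of the sample daily report."""
    lines = ["dest institution | source IP       | proto. | port | # hits"]
    for inst, rows in sorted(per_inst.items()):
        for r in rows:
            lines.append(f"{inst:<16} | {r['src']:<15} | {r['proto']:<6} | {r['port']:<4} | {r['hits']}")
    return "\n".join(lines)


# Constructed submissions from two participating collectors.
SUBMISSIONS = {
    "alpha.edu": [
        {"ts": 1107900000, "src": "198.51.100.20", "proto": "TCP", "dport": 445},
        {"ts": 1107900005, "src": "198.51.100.20", "proto": "TCP", "dport": 445},
        {"ts": 1107900100, "src": "192.0.2.77", "proto": "TCP", "dport": 445},    # alpha's own host: kept local
        {"ts": 1107900200, "src": "203.0.113.9", "proto": "TCP", "dport": 3306},  # non-R&E source
    ],
    "beta.edu": [
        {"ts": 1107900050, "src": "198.51.100.20", "proto": "TCP", "dport": 445},   # beta's own host: kept local
        {"ts": 1107900060, "src": "198.51.100.200", "proto": "TCP", "dport": 6101}, # gamma host
        {"ts": 1107900070, "src": "192.0.2.77", "proto": "TCP", "dport": 445},     # alpha host, seen by beta
    ],
}

if __name__ == "__main__":
    per_inst, non_re = aggregate(SUBMISSIONS)
    print(render(per_inst))
    print("non-R&E:", non_re)
```

The run shows the project's point: beta.edu never sees its own infected host 198.51.100.20 in its shared data, but alpha.edu's sensor does, so the notification reaches beta.edu anyway, and the same holds for alpha.edu's 192.0.2.77 seen by beta.edu.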

Page 11

Shared Darknet Project

• REN-ISAC sends notifications of R&E compromised machines directly to the security contacts at the institution that owns the source address, and

• REN-ISAC sends reports to its members containing information about trends and new activity seen in the Shared Darknet sensor space.

• Notifications are sent to R&E sources regardless of whether the institution is a participant in the Shared Darknet Project or not, and

• Notifications of non-R&E sources are forwarded in aggregate to related private network security collaborations on a best-effort basis.

Page 12

Shared Darknet Project - Benefits

• Wide aperture (large amount of IP address space widely distributed) = a more powerful sensor than a standalone system.

• Resilient to counterintelligence = difficult for miscreants to identify and intentionally avoid the darknet.

• Combined brainpower.

• An excellent picture of what’s affecting R&E.

• Will enable substantial progress in combating worms and other malicious activity that relies on scanning for vulnerable systems.

Page 13

Shared Darknet Project - Why

Figure: one lonely /16 darknet in the entire IPv4 space (actually the /16 line should be ~10x skinnier!) versus a Shared Darknet Project.

Page 14

Policy

• Anticipate lightweight policy considerations:

– these are unsolicited scans of your network resources after all,

– don’t have to deal with payload,

– institutions keep the hits from their local sources to themselves and only share hits coming from external sources, and

– information is shared within established trust communities.

• Developing a lightweight participation MOU.

Page 15

Phase X / Related Project

• RENOIR – Research and Education Networking Operational Information Retrieval

– A development effort of the SALSA CSI2 activity

• http://security.internet2.edu/csi2/

• Led by WPI / Phil Deneault

– RENOIR utilizes standards-based methods (e.g. IODEF and work of the IETF INCH Working Group) to provide an inter-institutional incident information exchange implemented within a trust community, and provides methods for organizing and correlating units of related information into synoptic incident views.
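What a standards-based exchange of one darknet notification looks like, as an added example that is not RENOIR's code. It builds and parses an incident document using the element names of IODEF v1 as later published in RFC 5070; at the time of this talk that was still the IETF INCH working group's draft, so treat the exact names as an assumption. The incident id, contact and hit values are constructed.

```python
"""Emit and consume an IODEF-style incident document for one darknet hit.
Added example; element names follow RFC 5070, data values are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", NS)


def q(tag):
    """Namespace-qualify an IODEF element name for ElementTree."""
    return f"{{{NS}}}{tag}"


def iso(ts):
    """IODEF timestamps are ISO 8601; unix seconds -> UTC string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_incident(incident_name, reporter_email, hit):
    """hit: dict(src, proto, proto_num, dport, count, first, last); times in unix seconds.
    Child element order follows the RFC 5070 Incident content model."""
    doc = ET.Element(q("IODEF-Document"), {"version": "1.00", "lang": "en"})
    inc = ET.SubElement(doc, q("Incident"), {"purpose": "reporting"})
    # 'name' is the namespace of the id, i.e. who assigned it (constructed here).
    ET.SubElement(inc, q("IncidentID"), {"name": "ren-isac.example"}).text = incident_name
    ET.SubElement(inc, q("ReportTime")).text = iso(hit["last"])
    assess = ET.SubElement(inc, q("Assessment"))
    ET.SubElement(assess, q("Impact"), {"type": "recon", "completion": "succeeded"}).text = (
        f"{hit['count']} darknet hits on {hit['proto']}/{hit['dport']}"
    )
    contact = ET.SubElement(inc, q("Contact"), {"role": "creator", "type": "organization"})
    ET.SubElement(contact, q("ContactName")).text = "REN-ISAC Watch Desk"
    ET.SubElement(contact, q("Email")).text = reporter_email
    ev = ET.SubElement(inc, q("EventData"))
    ET.SubElement(ev, q("StartTime")).text = iso(hit["first"])
    ET.SubElement(ev, q("EndTime")).text = iso(hit["last"])
    flow = ET.SubElement(ev, q("Flow"))
    src_sys = ET.SubElement(flow, q("System"), {"category": "source"})
    node = ET.SubElement(src_sys, q("Node"))
    ET.SubElement(node, q("Address"), {"category": "ipv4-addr"}).text = hit["src"]
    svc = ET.SubElement(src_sys, q("Service"), {"ip_protocol": str(hit["proto_num"])})
    ET.SubElement(svc, q("Port")).text = str(hit["dport"])
    return ET.tostring(doc, encoding="unicode")


def scanning_sources(xml_text):
    """Consumer side: pull (source address, port) pairs out of a received document,
    which is what a site's ticketing or correlation system would ingest."""
    root = ET.fromstring(xml_text)
    out = []
    for system in root.iter(q("System")):
        if system.get("category") != "source":
            continue
        addr = system.findtext(f"{q('Node')}/{q('Address')}")
        port = system.findtext(f"{q('Service')}/{q('Port')}")
        out.append((addr, int(port)))
    return out


# Constructed hit: one source, TCP/445 (IP protocol 6), 61 hits over a day.
HIT = {"src": "198.51.100.20", "proto": "TCP", "proto_num": 6, "dport": 445,
       "count": 61, "first": 1107907200, "last": 1107993600}

if __name__ == "__main__":
    xml = build_incident("2005-02-10-0001", "[email protected]", HIT)
    print(xml)
    print(scanning_sources(xml))
```

The value of the structured form over the e-mail table is that the receiving institution can route the source address straight into its own incident tracking, and that several notifications about the same host can be correlated into one synoptic view, which is the RENOIR goal described above.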

Page 16

RENOIR and the SDP

Figure: diagram relating the RENOIR Registry, AAA, and the Shared Darknet Project.

Page 17

R&D and Opportunity Areas

• Trend analysis - best techniques and methods

• Noise reduction, e.g. noise from P2P NAT and firewall traversal methods

• New ways of representing results

– e.g. http://www.monkey.org/~phy/ipmaps/darknet.php

• Payload analysis

Page 18

Interested to Participate?

• As a SDP site or in R&D and Opportunity areas…

• Anticipate May start-up of pilot sites

• See me

– Doug Pearson, [email protected], or

– Chris Misra, [email protected]

• Also

– Join the REN-ISAC darknet discussion mailing list (open to REN-ISAC members); send e-mail to: [email protected].

Page 19

Contacts

Research and Education Networking ISAC

http://www.ren-isac.net

24x7 Watch Desk: +1(317)278-6630, [email protected]

Membership: http://www.ren-isac.net/membership.html

Doug Pearson, [email protected]