Sinkholes in Network security: 5 easy steps to deploy a darknet
When system and network admins talk about plugging all the holes and securing their networks against denial-of-service attacks, one of the least talked about but most effective network security techniques is sinkholing. So what exactly is this 'sinkholing'? This article is part 1 of a two-part series, each part explaining how to implement a different kind of sinkhole.
A sinkhole is a method of redirecting specific IP network traffic for security reasons, including analysis, diversion of attacks and detection of anomalous activity. It has long been deployed by Tier-1 ISPs globally, usually to protect their downstream customers. For network administrators, however, sinkholes are generally deployed to provide valuable intelligence about the security threats their networks are facing. Read on for more information on sinkholes and the two kinds of sinkhole implementation, darknets and honeynets, and how you can use them to obtain valuable information about threats and misconfigurations in your network.
OK, so what is a sinkhole again? Let's look at the following network.
Say a malicious hacker has a target of 192.168.2.113, as shown in the figure above. The target is part of the network block 192.168.2.0/254. When the hacker unleashes his DDoS attack, he is not only disrupting the business operations of the target organization but also crippling the network, besides increasing their costs because of the increased bandwidth utilization. If the organization complains to the ISP, the ISP would then initiate a blackhole type of sinkhole by injecting a specific route for the target, making the next hop the discard interface on their edge router. This is also known as Null0 or the "bit bucket". This effectively redirects the offending traffic into the ISP's sinkhole instead of allowing it to flow downstream to the original target. Unfortunately, the downside is that the IP being attacked cannot communicate with the internet until the sinkhole is removed. A workaround could be that the target gets a different IP, but then you have to think about things like DNS TTL expiry and so on.
Enter Darknets
A better use for a sinkhole is intelligence gathering, entrapment and the like. The two most common types of sinkholes, or rather decoy networks, are the darknet and the honeypot. We will talk more about honeypots in part two of this sinkhole series.
What is a Darknet
The term "darknet" is also used for a private file-sharing network in which users connect only to people they trust; such networks are typically small, often with fewer than 10 users each. In the network security sense used here, a darknet is a portion of routed, allocated IP space in which no responsive services reside. Hence the name: there is nothing "lit up" inside these networks.
So how are they used for the so-called entrapment? No legitimate packets should ever enter a darknet. If one does appear, it is either because of a misconfiguration or because of malware scanning for vulnerable devices. This is what makes a darknet such a powerful security tool: a security administrator can spot scanning without complicated analysis gear and, best of all, without false positives. At the same time, a darknet can be complemented with detectors, packet sniffers and IDS sensors.
Five easy steps to implement a darknet
Step # 1:
Select a region of IP address space, anywhere from a /16 prefix down to a single /32 address, from your network. This address space will then be routed into your darknet. You can also darknet a region of your internal private address space. A recommendation would be to have this darknet inside your DMZ.
Step # 2:
Next, you need to configure your physical topology. A router or a layer-3 switch, which needs to forward all the traffic coming into your darknet, would serve this purpose. You would also need a server to act as your data collector and an Ethernet switch to connect all these components. An IDS sensor or a protocol analyzer is also highly desirable. The router/layer-3 switch then needs to be configured to forward the darknet-destined traffic to the collector server. For management, the collector server would need an additional Ethernet interface.
Note: Follow your own best practices for securing this network device, as you can be sure that all sorts of nasties will be flowing through this network segment pretty soon. The diagram below depicts an example of this configuration.

Step # 3:
We now have a problem. The collector server is ARPing (Address Resolution Protocol) for every address in the darknet. To fix this, we need to configure the router to forward the darknet-destined traffic to a unique IP address on the server's Ethernet interface. If you dedicate a /30 network for this, the point-to-point link between the router and the darknet interface could be 192.168.2.0/30, which would make your router's Ethernet interface 192.168.2.1/30 and the collector server 192.168.2.2/30. Now, enter the appropriate routing statements on the router to forward all your darknet traffic to 192.168.2.2 on the collector server.
router# conf t
router(config)# ip route 10.0.0.0 255.0.0.0 192.168.2.2
router(config)# ^Z
router# wr
In the above example, 10.0.0.0 is my internal IP address range, 255.0.0.0 is the subnet mask and 192.168.2.2 is my darknet collector's IP. You should now be receiving darknet traffic.
Step # 4:
Have a log-file analysis tool such as LogLogic tuned for firewall logging. Also, firewalls can crash or accidentally be turned off, so null-route the darknet traffic on the collector in case it ever goes unfiltered. An example null-route under FreeBSD might look like this:
route add -net 10.0.0.0/8 127.0.0.1 -blackhole
Note: Depending on the hardware and software choices and the size of your darknet, logging may severely degrade darknet performance.
Step # 5:
Now that we have the darknet humming, you need to store the data in a format which is useful for your analysis and forensics tools. A recommendation would be to use pcap-formatted binary files, as a lot of network analysis applications can operate on them. The easiest way to do this is to use tcpdump's built-in rotation feature. An example tcpdump command line to accomplish this log rotation for us is
tcpdump -i en0 -n -w darknet_dump -C125
In this example, tcpdump is told to listen on the en0 interface, number-to-name (DNS) resolution is disabled, and a file called darknet_dumpN is written every 125 million bytes, where N increments to give unique filenames. There are literally dozens of tools that can be used as a quick and easy alternative to the more complicated pcap-based analysis tools:
a. An IDS sensor (Snort, etc.)
b. A packet sniffer (tcpdump)
c. A flow analyzer (argus, flow-tools, SiLK)
d. A firewall log parser
e. p0f, an advanced passive OS/network fingerprinting utility, for use in IDS environments, honeypot environments, firewalls and servers to categorize the platforms of infected/scanning devices.
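To show what an analyst actually does with those rotated darknet_dump files, and to make concrete the earlier point that any packet arriving in dark space is either a scan or a misconfiguration, here is an added example that is not code from the article, from tcpdump or from any of the tools listed above. It reads a classic pcap file with no third-party libraries, keeps only packets destined for the darknet prefix (10.0.0.0/8, matching the route in step 3), and groups them by source address so that one source sweeping many dark addresses stands out from one host that is simply misconfigured. The capture it parses is constructed inline (no real traffic), and the thresholds and class names in classify() are assumptions chosen for illustration.

```python
import struct
import ipaddress
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # little-endian classic pcap magic, as tcpdump -w writes on x86
LINKTYPE_ETHERNET = 1        # tcpdump on an Ethernet interface records raw Ethernet frames


def iter_pcap(data):
    """Yield (ts_sec, frame_bytes) for each record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:            # same file written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24                              # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src_ip, dst_ip, proto, dst_port) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = frame[14 + ihl:]
    dport = None
    if proto in (6, 17) and len(l4) >= 4: # TCP or UDP: destination port is bytes 2-3
        dport = struct.unpack("!H", l4[2:4])[0]
    return src, dst, proto, dport


def summarize_darknet(pcap_bytes, darknet_cidr):
    """Group darknet-destined packets by source: count, distinct targets, distinct ports."""
    net = ipaddress.ip_network(darknet_cidr)
    per_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "dports": set()})
    for _ts, frame in iter_pcap(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _proto, dport = parsed
        if ipaddress.ip_address(dst) not in net:   # ignore anything not aimed at dark space
            continue
        entry = per_src[src]
        entry["packets"] += 1
        entry["dsts"].add(dst)
        if dport is not None:
            entry["dports"].add(dport)
    return per_src


def classify(entry, host_threshold=8, port_threshold=8):
    """Thresholds and labels are assumptions for this example, not from the article."""
    if len(entry["dsts"]) >= host_threshold:
        return "horizontal-scan"          # one source sweeping many dark addresses
    if len(entry["dports"]) >= port_threshold:
        return "vertical-scan"            # one source probing many ports on one dark host
    return "misconfig-or-backscatter"     # a few packets to one address, worth a look


def report(pcap_bytes, darknet_cidr):
    """Rows of (src, class, packets, distinct hosts, distinct ports), busiest first."""
    rows = []
    for src, e in summarize_darknet(pcap_bytes, darknet_cidr).items():
        rows.append((src, classify(e), e["packets"], len(e["dsts"]), len(e["dports"])))
    return sorted(rows, key=lambda r: -r[2])


# --- constructed sample capture; these are documentation addresses, not real traffic ---
def _tcp_syn(src_ip, dst_ip, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + tcp                 # checksums left at zero; fine for offline parsing


def _build_pcap(frames):
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + ts, 0, len(frame), len(frame)) + frame
    return bytes(out)


_frames = [_tcp_syn("203.0.113.7", f"10.0.5.{i}", 40000 + i, 445) for i in range(1, 21)]
_frames += [_tcp_syn("198.51.100.9", "10.0.1.1", 51000, p) for p in (21, 22, 23, 25, 80, 110, 143, 443, 3389)]
_frames += [_tcp_syn("192.168.50.4", "10.0.0.53", 53000 + i, 53) for i in range(3)]
_frames.append(_tcp_syn("203.0.113.7", "172.16.0.1", 40100, 80))     # not darknet space, ignored
_frames.append(b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28)             # ARP frame, skipped by parser
SAMPLE_PCAP = _build_pcap(_frames)
```

On a real collector you would call report(open("darknet_dump", "rb").read(), "10.0.0.0/8") for each rotated file. The reader deliberately handles only classic pcap with the Ethernet link type, which is what tcpdump -w produces on an Ethernet interface, and rejects pcapng or other link types rather than silently misparsing them; on the constructed sample it reports the /16 sweep as a horizontal scan, the nine-port probe as a vertical scan, and the three DNS-looking packets to one dark address as a misconfiguration candidate.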
Good luck!!
In our system, like you mention in part 4, we use a BSD-based system and I would suggest using pf, ipf or, better yet, ipfw2 as your firewall. We also integrate our darknet with a Dragon IDS system for analysis.
Hey, good article. At my company, we implemented a darknet system with a /32 network space. Being a middle-level corp, we see a lot of traffic. Some of the tools you mentioned are pretty good. We actually use MRTG by Tobias Oetiker in order to visualize the volume of traffic coming in. Check it out.
Good stuff. I never knew about p0f. Need to scope it out now.
You never talk about how to use techniques like traceback on top of sinkhole techniques.
To jeff, the traceback is no longer a viable option because of the increased usage of zombies and botnets. There is no reason to forge headers anymore.
Also, besides sinkholes another excellent technique without the drawbacks of sinkholes is by using ingress filtering.
Sorry to be the noob around here, but can anyone tell me the 'subtle' difference between the internal and external darknet the author mentions here?
@Nick, in the simplest sense, an internal darknet will help you expose network misconfigurations. External darknets can give you insight to what your network is being hit with from the outside. In step #2, the recommendation is to use an external gateway router for external darknets and an internal layer-3 switch for internal darknets. Hope this helps.
@Shaw, ingress filtering is a good technique
Excellent PDF here on the darknet and the future of content distribution, an article by Peter Biddle, Paul England, Marcus Peinado, and Bryan Willman, four employees of Microsoft.
http://msl1.mit.edu/ESD10/docs/darknet5.pdf
I am currently building a Darknet. We are at the stage of deploying a “Sinkhole”.
I want to know how to implement or "fake" some services using the sinkhole technique?
We need to emulate services such as WWW/FTP.
Any of you guys know how to do this?
Thanks
Paul
Somehow I was put into a darknet without my permission. My internet provider says it is a trojan and is threatening to cancel my internet if it isn’t gone within 48 hrs but my virus detector isn’t picking anything up and neither is my firewall. How can someone do this without permission and how can I get out of it????
My provider is saying the same thing. Scans show nothing even in safe mode. does anyone have info on this??