When system and network admins talk about plugging all the holes and securing their networks against denial-of-service attacks, one of the least talked about but most effective network security techniques is sinkholing. So what exactly is this ‘sinkholing’? This article is part 1 of a two-part series, each part explaining and implementing a different kind of sinkhole.
A sinkhole is a method of redirecting specific IP network traffic for security reasons, including analysis, diversion of attacks and detection of anomalous activity. It has long been deployed by Tier-1 ISPs globally, usually to protect their downstream customers. For network administrators, however, sinkholes are generally deployed to provide valuable intelligence about the security threats their networks are facing. Read on for more information on sinkholes and the two kinds of sinkhole implementation, darknets and honeynets, and how you can use them to obtain valuable information about threats and misconfigurations in your network.
OK, so what is a sinkhole again? Let’s look at the following network.
Say a malicious hacker targets 192.168.2.113, as shown in the figure above. The target is part of the network block 192.168.2.0/24. When the attacker unleashes a DDoS attack, he is not only disrupting the business operations of the target organization but also crippling the network and driving up its costs through the increased bandwidth utilization. If the organization complains to the ISP, the ISP can initiate a blackhole-type sinkhole by injecting a specific route for the target, making the next hop the discard interface on its edge router. This is also known as Null0 or the “bit bucket”. This redirects the offending traffic into the ISP’s sinkhole instead of letting it flow downstream to the original target. Unfortunately, the downside is that the IP being attacked cannot communicate with the internet until the sinkhole is removed. A workaround is to give the target a different IP, but then you have to think about things like DNS TTL expiry and so on.
A better use for a sinkhole is intelligence gathering, entrapment and so on. The two most common types of sinkholes, or rather decoy networks, are the darknet and the honeypot. We will talk more about honeypots in part two of this sinkhole series.
What is a Darknet
The term “darknet” is also used for small private file sharing networks whose users only connect to people they trust, often with fewer than 10 users each. In the network security sense used here, a darknet is a portion of routed, allocated IP space in which no responsive services reside. So again, why the name darknet? Because there is nothing “lit up” inside these networks.
So how are they used in this so-called entrapment? No legitimate packets should ever enter a darknet, so if one does appear, it is either the result of a misconfiguration or of malware scanning for vulnerable devices. This makes a darknet a powerful security tool: a security administrator can spot scanning without complicated analysis gear and, best of all, without false positives. A darknet can also be complemented with detectors, packet sniffers and IDS sensors.
Five easy steps to implement a darknet
Step # 1:
Select a region of IP address space, either a /16 prefix or a single /32 address, from your network. This address space will then be routed into your darknet. You can also darknet a region of your internal private address space. A recommendation is to place this darknet inside your DMZ.
Step # 2:
Next, configure your physical topology. A router or a layer-3 switch that forwards all the traffic coming into your darknet serves this purpose. You also need a server to act as your data collector and an Ethernet switch to connect these components; an IDS sensor or a protocol analyzer is highly desirable as well. The router or layer-3 switch is then configured to forward the darknet-destined traffic to the collector server. For management, the collector server needs an additional Ethernet interface.
Note: Follow your own best practices for securing these network devices, as you can be sure that all sorts of nasties will be flowing through this network segment pretty soon. The diagram below depicts an example of this configuration.
Step # 3:
We now have a problem: the collector server is ARPing (Address Resolution Protocol) for every address in the darknet. To fix this, configure the router to forward the darknet-destined traffic to a unique IP address on the server’s Ethernet interface. If you dedicate a /30 network for this, the point-to-point link between the router and the darknet interface could be 192.168.2.0/30, which makes your router’s Ethernet interface 192.168.2.1/30 and the collector server 192.168.2.2/30. Now enter the appropriate routing statements on the router or switch to forward all your darknet traffic to 192.168.2.2 on the collector server.
router# conf t
router(config)# ip route 10.0.0.0 255.0.0.0 192.168.2.2
In the above example, 10.0.0.0 is my internal IP address range, 255.0.0.0 the subnet mask and 192.168.2.2 my darknet collector’s IP. You should now be receiving darknet traffic.
Step # 4:
Have a log file analysis tool such as LogLogic turned on for firewall logging. Firewalls can also crash or be accidentally turned off, so null-route the darknet traffic in case it ever goes unfiltered. An example null-route under FreeBSD might look like this:
route add -net 10.0.0.0/8 127.0.0.1 -blackhole
Note: Depending on your hardware and software choices and the size of your darknet, logging may severely degrade darknet performance.
Step # 5:
Now that we have the darknet humming, you need to store the data in a format that is useful for your analysis and forensics tools. A recommendation is to use pcap-formatted binary files, as many network analysis applications can operate on them. The easiest way to do this is to use tcpdump’s built-in rotation feature. An example tcpdump command line to accomplish this log rotation is:
tcpdump -i en0 -n -w darknet_dump -C 125
In this example, tcpdump is told to listen on the en0 interface, number-to-name (DNS) resolution is disabled, and a file called darknet_dumpN is written every 125 million bytes, where N increments to give unique filenames. There are literally dozens of tools that can be used as a quick and easy alternative to the more complicated pcap-based analysis tools:
a. An IDS sensor (Snort etc.)
b. A packet sniffer (tcpdump)
c. A flow analyzer (argus, flow-tools, SiLK)
d. A firewall log parser
e. p0f, an advanced passive OS/network fingerprinting utility for use in IDS environments, honeypot environments, firewalls and servers to categorize the platforms of infected/scanning devices.
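As an added example (not from the article), here is a small pure-Python reader for the rotated pcap files Step 5 produces, applying the darknet rule from above: every source seen in the dark space is either scanning (many distinct dark addresses) or misconfigured (hammering one address). The 10.0.0.0/8 range, the scanner threshold and the embedded sample capture are constructed assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address, ip_network

DARKNET = ip_network("10.0.0.0/8")  # the range the router sends to the collector (assumed)
SCAN_THRESHOLD = 5                  # distinct darknet targets before a source counts as a scanner

def parse_pcap(data):
    """Yield (src, dst, dport) for each Ethernet/IPv4 frame in a classic pcap byte string."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                          # skip the pcap global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 38 or frame[12:14] != b"\x08\x00":  # Ethernet II carrying IPv4 only
            continue
        ihl = (frame[14] & 0x0F) * 4
        l4 = frame[14 + ihl:]
        dport = struct.unpack("!H", l4[2:4])[0] if frame[23] in (6, 17) and len(l4) >= 4 else None
        yield ip_address(frame[26:30]), ip_address(frame[30:34]), dport

def classify(data):
    """Per source: 'scanner' if it touched many dark addresses, else 'misconfiguration?'."""
    targets, packets = defaultdict(set), defaultdict(int)
    for src, dst, dport in parse_pcap(data):
        if dst in DARKNET:                            # nothing legitimate should ever land here
            targets[src].add(dst)
            packets[src] += 1
    return {str(s): ("scanner" if len(t) >= SCAN_THRESHOLD else "misconfiguration?",
                     len(t), packets[s]) for s, t in targets.items()}

def _frame(src, dst, dport, proto=6):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, proto, 0,
                         ip_address(src).packed, ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + struct.pack("!HH", 40000, dport)  # minimal frame

def build_sample_pcap():
    """Constructed sample capture: a port-445 sweep, a stale DNS client, and one non-darknet packet."""
    frames = [_frame("203.0.113.7", f"10.0.0.{i}", 445) for i in range(1, 9)]
    frames += [_frame("10.1.1.20", "10.0.0.9", 53, proto=17)] * 3
    frames.append(_frame("198.51.100.2", "192.0.2.1", 80))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian pcap header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for src, (kind, addrs, pkts) in classify(build_sample_pcap()).items():
        print(f"{src:16} {kind:18} {addrs} address(es), {pkts} packet(s)")
```

To run it against real captures, replace build_sample_pcap() with the bytes of each darknet_dumpN file and merge the resulting dictionaries.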