
BlueWolf's Howl


November 20, 2005

Darknets

Found a great article on TechRepublic about darknets:

Learn how darknets can serve as an early warning system for network threats

I guess it still amazes me that so much of security is just sensible. It all just makes sense to me.

A darknet is basically a "dark" network: a block of routed IP address space that has few or no legitimate services or hosts in it. Nothing should ever be sent there, so by default you can consider any traffic entering a darknet, from any source, as hostile (except, of course, traffic from sources you specifically know about, such as your own scanner).

You monitor the darknet, and the traffic that shows up there gives you an early indication of a threat. Actually, this is better than it sounds. Sure, we have our firewalls. And our antivirus signatures are up to date. But those things only stop the threats we know about; they only protect us against Day 1+ attacks. A darknet can at least show you a Day 0 attack while it is happening, because it needs no signature: a packet arriving there is suspect simply because of where it is going.

Day 0 is the day the first wave of an attack hits. At that point Symantec, McAfee, Trend Micro and everyone else do not know about the latest and greatest worm, trojan, or virus. It doesn't even have a 'name' yet, much less an antivirus signature to block it. The only 'name' it has is the one its creator gave it, and the only one who knows about it is its creator. The people affected by it don't even know it's a virus yet; they just know 'something' is funky with their computer. Heck, they might not even see *that* yet. But a darknet would see it, at least when it spreads by scanning for new hosts to infect: a worm sweeping through address space has no idea which addresses are empty, so some of its probes land in the darknet.

Granted, the darknet can't do anything about it. It's purely a *detection* device, and you can't treat it as an appliance that you 'set and forget.' That's probably going to be its biggest obstacle to acceptance: with such a thing in place, you actually have to LOOK at the traffic traversing that network. But that's its purpose. On Day 0, it shows you where to look.

Internal computers (from your own network) looking for other computers in that address space (i.e. looking for other hosts to infect) alert you to a problem. The source address even tells you which bonehead ^H^H^H^H ... ahem... I mean poor user victim... clicked on an attachment or visited some infected web page. You at least _know to look_ and know _where_ to look.

And if you're lucky enough to be able to spare some public IP address space for your darknet, it will yield even more information about possible threats from outside your organization. Attacks - be they a mass-mailing virus or a directed hack of your network - don't happen in a vacuum. There's always some signal that we're too busy to notice, or that we miss because we're just not looking (or not looking in the right place). Any security book will tell you that before anyone attacks you, they first probe the system. If you can notice when someone is feeling out your network (looking for live hosts, mapping available services, and so on), then you can strengthen your walls and develop a defense before the attack itself arrives.
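Here is what the "actually LOOK at the traffic" step can amount to in practice, for both the internal case (an infected host sweeping your own darknet) and the external case (someone feeling out a spare public block). This is an added example, not code from the TechRepublic article or from this post. It reads a batch of constructed flow records (one line per flow), keeps only the ones addressed to darknet space, drops the sources you deliberately point at the darknet, and grades every remaining source by how many darknet hosts it touched. The darknet ranges, the internal range, the allowlisted scanner address, the sweep threshold and the record format are all assumptions made up for the example.

```python
"""Darknet traffic triage over flow records (added example, not from the article).

Assumptions, all hypothetical and chosen for this example:
  - internal darknet 10.99.0.0/16: routed, but no hosts live on it
  - external darknet 203.0.113.0/26: stands in for a spare public block
  - our own address space is 10.0.0.0/8
  - 10.1.1.5 is our vulnerability scanner, the one source allowed to touch the darknet
  - flow records arrive as CSV lines: ts,src,dst,dport,proto
"""
import ipaddress
from collections import Counter, defaultdict

DARKNETS = [ipaddress.ip_network("10.99.0.0/16"), ipaddress.ip_network("203.0.113.0/26")]
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_SOURCES = {ipaddress.ip_address("10.1.1.5")}
SWEEP_THRESHOLD = 5  # distinct darknet hosts from one source before we call it a sweep

# Constructed sample records, not captured traffic.
SAMPLE_FLOWS = """\
# ts,src,dst,dport,proto
1132486800,10.5.7.23,10.2.0.10,80,tcp
1132486801,10.5.7.23,10.99.0.1,445,tcp
1132486801,10.5.7.23,10.99.0.2,445,tcp
1132486801,10.5.7.23,10.99.0.3,445,tcp
1132486802,10.5.7.23,10.99.0.4,445,tcp
1132486802,10.5.7.23,10.99.0.5,445,tcp
1132486802,10.5.7.23,10.99.0.6,445,tcp
1132486803,10.5.7.23,10.99.0.7,445,tcp
1132486803,10.5.7.23,10.99.0.8,445,tcp
1132486805,10.1.1.5,10.99.0.1,22,tcp
1132486900,198.51.100.77,203.0.113.3,22,tcp
1132486903,198.51.100.77,203.0.113.9,22,tcp
1132486907,198.51.100.77,203.0.113.14,80,tcp
1132487000,198.51.100.200,203.0.113.5,1433,tcp
this line is malformed and is skipped
"""


def parse_flow(line):
    """Parse one 'ts,src,dst,dport,proto' record; None for blank, comment or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(",")
    if len(parts) != 5:
        return None
    try:
        return {"ts": int(parts[0]), "src": ipaddress.ip_address(parts[1]),
                "dst": ipaddress.ip_address(parts[2]), "dport": int(parts[3]), "proto": parts[4]}
    except ValueError:
        return None


def in_any(addr, networks):
    return any(addr in net for net in networks)


def origin(src):
    """'known' for allowlisted scanners, else 'internal' or 'external' by source address."""
    if isinstance(src, str):
        src = ipaddress.ip_address(src)
    if src in KNOWN_SOURCES:
        return "known"
    return "internal" if in_any(src, INTERNAL) else "external"


def analyze(lines, threshold=SWEEP_THRESHOLD):
    """Aggregate darknet-bound flows per source and grade each source."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": Counter(), "ts": []})
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not in_any(flow["dst"], DARKNETS):
            continue  # only traffic that actually reaches the darknet is interesting
        if origin(flow["src"]) == "known":
            continue  # the one exception: sources we deliberately point at the darknet
        rec = per_src[flow["src"]]
        rec["targets"].add(flow["dst"])
        rec["ports"][(flow["proto"], flow["dport"])] += 1
        rec["ts"].append(flow["ts"])
    alerts = []
    for src, rec in per_src.items():
        n = len(rec["targets"])  # distinct darknet hosts touched: the sweep signal
        alerts.append({"src": str(src), "origin": origin(src), "targets": n,
                       "top_port": rec["ports"].most_common(1)[0][0],
                       "severity": "sweep" if n >= threshold else "probe",
                       "window": (min(rec["ts"]), max(rec["ts"]))})
    # Internal sweeps sort first: that source is the infected box to go and find.
    alerts.sort(key=lambda a: (a["origin"] != "internal", a["severity"] != "sweep", -a["targets"]))
    return alerts


def format_alert(a):
    proto, port = a["top_port"]
    return (f"{a['severity']:5} {a['origin']:8} {a['src']:15} hit {a['targets']} darknet host(s), "
            f"mostly {proto}/{port}, between t={a['window'][0]} and t={a['window'][1]}")


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS.splitlines()):
        print(format_alert(alert))
```

On the constructed sample, 10.5.7.23 is reported first as an internal sweep (eight darknet hosts on tcp/445 in three seconds, the signature of a host looking for neighbours to infect), the two external sources come out as probes, and the scanner at 10.1.1.5 is never reported at all. Note that a single packet into the darknet is still reported: it is the address it was sent to, not the volume, that makes it suspect, and the threshold only decides how loudly to say so.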

That's going to be another obstacle to the spread of darknets: the dearth of IPv4 address space. In the US, we haven't felt the pressure of its limitations (yet). But in other countries this is a major concern. Note that the shortage only bites the externally visible darknet; an internal darknet can be carved out of private (RFC 1918) space you aren't using, which costs you nothing. Perhaps when we finally move to IPv6, public addresses will be plentiful enough to spare a few for this endeavor.

Posted by BlueWolf on November 20, 2005 11:48 AM