200 likes | 388 Views
Shared Darknet Project. Internet2 Spring 2006 Member Meeting Doug Pearson Technical Director, REN-ISAC. REN-ISAC . Is an integral part of U.S. higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response;
E N D
Shared Darknet Project Internet2 Spring 2006 Member Meeting Doug Pearson Technical Director, REN-ISAC
REN-ISAC • Is an integral part of U.S. higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response; • is specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks; and • supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.
REN-ISAC Activities • A vetted trust community for R&E cybersecurity • Information-sharing and communications channels • Information products aimed at protection and response • Participation in mitigation communities • Incident response • 24x7 Watch Desk (ren-isac@iu.edu, +1 317 274 6630) • Improvement of R&E security posture • Research & Education Cybersecurity Contact Registry • Security work in specific communities • Participate in other higher education and national efforts for cyber infrastructure protection
REN-ISAC Membership • A trusted community for sharing sensitive information regarding cybersecurity threat, incidents, response, and protection, specifically designed to support the unique environment and needs of higher education and research organizations. • Membership is oriented to permanent staff with organization-wide responsibility for cybersecurity protection or response at an institution of higher education, teaching hospital, research and education network provider, or government-funded research organization. • http://www.ren-isac.net/membership.html
Certain Threats • Certain types of worms and attacks scan the network for vulnerable hosts to infect, e.g. • Blaster exploited MS DCOM RPC on TCP/135 • Veritas Backup Exec vulnerabilities via TCP/6101 • Weak MySQL root user passwords via TCP/3306 • And many, many more! TCP/3306 sources seen Jan 2005 after introduction of a bot scanning for weak MySQL root user pass
Darknet • Is a type of network security sensor used to detect scanning systems. • A darknet collector listens to one or more blocks of routed, allocated, but unused IP address space and records in the incoming traffic. • Because the IP space is unused (hence "dark") there should be very little legitimate traffic entering the darknet. • But, as it turns out, a good deal of traffic enters darknets, mostly coming from malware and attack reconnaissance, such as worms and bots scanning for new systems to infect, automated scanning for SSH servers on which to conduct password attacks, etc.
Darknet • A darknet is a very useful security tool – worm and other malware infected systems can be positively identified by source IP address and then referred for isolation and remediation. Several universities use a darknet in conjunction with other protection methods. Darknets can be fairly simple to set up and operate and provide useful results. • Some guides to darknets: • Team Cymru Darknet Project http://www.cymru.com/Darknet/index.html • Internet Motion Sensor Project http://ims.eecs.umich.edu/
Darknets • REN-ISAC operates a darknet, and: • sends notifications of observed scanning sources, aka infected systems, to the security contact at the source-owning institution, • uses the darknet to monitor for new or changing behaviors – i.e. situational awareness, and • provides statistics of activity observed in the darknet to its members via the Daily Weather Report.
Shared Darknet Project • A development effort of the SALSA CSI2 activity • http://security.internet2.edu/csi2/ • The aim is to develop a wide-aperture, powerful network security sensor that will directly serve higher-education and research institutions, and indirectly serve Internet users at large. • To participate in the Shared Darknet Project, institutions who run darknets send their collector data (only the hits from outside their institution) to REN-ISAC. The data is analyzed to identify compromised machines by IP address, destination ports involved, the number of "hits" seen, and timestamps of the activity.
Shared Darknet Project • REN-ISAC sends notifications of R&E compromised machines directly to the security contacts at the institution that owns the source address, and • REN-ISAC sends reports to its members containing information about about trends and new activity seen in the Shared Darknet sensor space. • Notifications are sent to R&E sources regardless of whether the institution is a participant in the Shared Darknet Project or not, and • Notifications of non-R&E sources are forwarded in aggregate to related private network security collaborations on a best-effort basis.
Shared Darknet Project - Benefits • Wide aperture (large amount of IP address space widely distributed) = a more powerful sensor than a standalone system. • Resilient to counterintelligence = difficult for miscreants to identify and intentionally avoid the darknet. • Combined brainpower. • An excellent picture of what’s affecting R&E. • Will enable substantial progress in combating worms and other malicious activity that relies on scanning for vulnerable systems.
Shared Darknet Project - Why One lonely /16 darknet in the entire IPv4 space, (actually the /16 line should be ~10x skinnier!) versus a Shared Darknet Project
Policy • Anticipate lightweight policy considerations: • these are unsolicited scans of your network resources after all, • don’t have to deal with payload, • institutions keep the hits from their local sources to themselves and only share hits coming from external sources, and • information is shared within established trust communities. • Developing a lightweight participation MOU.
Phase X / Related Project • RENIOR – Research and Education Networking Operational Information Retrieval • A development effort of the SALSA CSI2 activity • http://security.internet2.edu/csi2/ • Led by WPI / Phil Deneault • RENOIR utilizes standards-based methods (e.g. IODEF and work of the IETF INCH Working Group) to provide an inter-institutional incident information exchange implemented within a trust community, and provides methods for organizing and correlating units of related information into synoptic incident views.
RENOIR and the SDP Shared Darknet Project RENOIR Registry AAA
R&D and Opportunity Areas • Trend analysis - best techniques and methods • Noise reduction, e.g. noise from P2P NAT and firewall traversal methods • New ways of representing of results • e.g. http://www.monkey.org/~phy/ipmaps/darknet.php • Payload analysis
Interested to Participate? • As a SDP site or in R&D and Opportunity areas… • Anticipate May start-up of pilot sites • See me • Doug Pearson, dodpears@iu.edu, or • Chris Misra, cmisra@nic.umass.edu • Also • Join the REN-ISAC darknet discussion mailing list (open to REN-ISAC members); send e-mail to: dodpears@iu.edu.
Contacts Research and Education Networking ISAC http://www.ren-isac.net 24x7 Watch Desk: +1(317)278-6630 ren-isac@iu.edu Membership: http://www.ren-isac.net/membership.html Doug Pearson dodpears@iu.edu