An Introduction to the Simwood Darknet
Monday, August 22nd, 2011
As part of our security solution Simwood operates both Darknets and Honeypots. I’d like to introduce you to the Darknets today and some of our findings.
What is a Darknet?
If you’re not familiar with the term ‘Darknet’, it describes a block of IP address space which is not in use and should therefore see no traffic at all. In our case, as a RIPE member and in common with most ISPs, we hold IP address space allocated to us for onward assignment to customers. Naturally, a proportion of that space is not in issue at any one time. Our Darknet is made up of ranges which are not only currently unissued but have never been issued.
IP addresses which are not in issue, and never have been, should see very little traffic, but in practice they do. Some of it is innocent: a mistyped IP address in a configuration, or an academic research scan. The rest is malware seeking further machines to infect, or reconnaissance scans looking for addresses worthy of further attention. Capturing and analysing that traffic is the primary purpose of our Darknet, and it turns out to be incredibly useful.
Simwood Darknet findings
Analysis of the Simwood Darknets over even a short period yields some stunning results that very quickly rule out any innocent explanation for the traffic. This is an initial analysis of 7 days of traffic.
Looking at the origin of this traffic quickly shows that much of it comes from the ‘usual suspects’, with over half emanating from Russia, China, Brazil and Taiwan. The United States appears at the top of the list, which should not be a surprise given the size of its connected population.
Each address in the Darknet receives approximately 600 events per 24 hours on average, and no address receives zero. Those events are continuous, 24x7x365. Each Darknet address sees traffic from between 50 and 1,000 distinct source IP addresses per day, with the top 10 sources accounting for approximately 20% of events.
It gets even more interesting when one looks at how those source IP addresses behave. A shocking 98%+ of them send traffic to a single port only, and just 0.29% send traffic to more than 2 ports. This suggests that each source is seeking one specific vulnerability, and that the population probing for one weakness is almost entirely different from the population probing for another. Monitoring a single port of interest and blocking the sources seen there is therefore likely to offer little protection against activity aimed at another port.
So what ports seem to be of interest? You’ll see below that the majority of traffic is concerned with very few ports.
A quick summary of what the top ports do is as follows:
TCP 445 – Microsoft-DS (SMB over TCP). Used for, amongst other things, file sharing. A target of multiple worms.
TCP 135 – Microsoft RPC endpoint mapper. Used by multiple worms.
TCP 1433 – Microsoft SQL Server.
TCP 3389 – Microsoft Remote Desktop (RDP). Remote administration of Windows machines.
TCP 22 – Secure shell (SSH). Remote administration of (usually) Linux machines.
If you haven’t worked it out already, over 88% of traffic appears to be seeking Microsoft-specific ‘features’. 88%!
The largest share of traffic would appear to be worms, seeking hosts to infect although the others should not be ignored. Penetration of SQL Server, Remote Desktop or SSH would very likely lead to a data breach or the loss of control of the host.
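The per-address, per-source and per-port figures above are simple to reproduce from flow or IDS records. The following is an added example, not Simwood’s own tooling: it computes events per address per day, silent addresses, distinct sources per address, the share of the busiest sources, how many ports each source touches, the share of events on the Microsoft ports listed above, and finally an `ipset restore` input for automated blocking. The records are constructed for this example; 192.0.2.1–5 stand in for five Darknet addresses and the 203.0.113.0/24 and 198.51.100.0/24 addresses for sources (all RFC 5737 documentation ranges). The record layout (day, source, destination, protocol, destination port) is an assumption about the export format.

```python
"""Darknet traffic summary over constructed flow records (added example)."""
from collections import Counter, defaultdict

# Assumed Darknet range: five unissued addresses (documentation range, constructed).
DARKNET = ["192.0.2.%d" % i for i in range(1, 6)]
# The Microsoft-specific ports discussed in the post.
MS_PORTS = {("tcp", 445), ("tcp", 135), ("tcp", 1433), ("tcp", 3389)}

# Constructed sample records: (day, source, darknet address, proto, dest port).
RECORDS = [
    (1, "203.0.113.5",   "192.0.2.1", "tcp", 445),
    (1, "203.0.113.5",   "192.0.2.2", "tcp", 445),
    (1, "203.0.113.5",   "192.0.2.3", "tcp", 445),
    (1, "203.0.113.5",   "192.0.2.4", "tcp", 445),
    (1, "198.51.100.7",  "192.0.2.1", "tcp", 135),
    (1, "198.51.100.7",  "192.0.2.2", "tcp", 135),
    (1, "203.0.113.9",   "192.0.2.1", "tcp", 1433),
    (1, "203.0.113.9",   "192.0.2.1", "tcp", 3389),
    (1, "203.0.113.33",  "192.0.2.4", "tcp", 445),
    (1, "203.0.113.77",  "192.0.2.1", "udp", 5060),
    (2, "203.0.113.5",   "192.0.2.1", "tcp", 445),
    (2, "203.0.113.5",   "192.0.2.2", "tcp", 445),
    (2, "203.0.113.5",   "192.0.2.3", "tcp", 445),
    (2, "203.0.113.5",   "192.0.2.4", "tcp", 445),
    (2, "203.0.113.9",   "192.0.2.2", "tcp", 22),
    (2, "198.51.100.20", "192.0.2.3", "tcp", 22),
    (2, "203.0.113.33",  "192.0.2.4", "tcp", 445),
    (2, "198.51.100.44", "192.0.2.2", "tcp", 3389),
    (2, "198.51.100.44", "192.0.2.2", "tcp", 445),
]


def events_per_address_day(records, darknet):
    """Event count for every (address, day) pair, zeros included."""
    days = sorted({r[0] for r in records})
    counts = {(a, d): 0 for a in darknet for d in days}
    for day, _src, dst, _proto, _port in records:
        if dst in darknet:
            counts[(dst, day)] += 1
    return counts


def average_events_per_address_day(records, darknet):
    counts = events_per_address_day(records, darknet)
    return sum(counts.values()) / len(counts)


def silent_addresses(records, darknet):
    """Darknet addresses that received nothing at all (the post saw none)."""
    seen = {r[2] for r in records}
    return [a for a in darknet if a not in seen]


def distinct_sources_per_address_day(records):
    srcs = defaultdict(set)
    for day, src, dst, _proto, _port in records:
        srcs[(dst, day)].add(src)
    return {k: len(v) for k, v in srcs.items()}


def top_source_share(records, n=10):
    """Fraction of all events sent by the n busiest sources."""
    per_src = Counter(r[1] for r in records)
    return sum(c for _s, c in per_src.most_common(n)) / len(records)


def port_diversity(records):
    """(fraction of sources touching exactly one (proto, port),
        fraction touching more than two)."""
    ports = defaultdict(set)
    for _day, src, _dst, proto, port in records:
        ports[src].add((proto, port))
    n = len(ports)
    single = sum(1 for p in ports.values() if len(p) == 1)
    many = sum(1 for p in ports.values() if len(p) > 2)
    return single / n, many / n


def port_share(records):
    """Events per (proto, port) in descending order, and the Microsoft-port share."""
    per_port = Counter((r[3], r[4]) for r in records)
    ms = sum(c for k, c in per_port.items() if k in MS_PORTS) / len(records)
    return per_port.most_common(), ms


def ipset_restore_lines(records, setname="darknet_sources", min_events=2):
    """Lines for `ipset restore`: every source seen at least min_events
    times goes into a hash:ip set, so blocking needs no manual effort."""
    per_src = Counter(r[1] for r in records)
    lines = ["create %s hash:ip" % setname]
    lines += ["add %s %s" % (setname, s)
              for s, c in sorted(per_src.items()) if c >= min_events]
    return lines


if __name__ == "__main__":
    print("avg events/address/day:", average_events_per_address_day(RECORDS, DARKNET))
    print("silent addresses:", silent_addresses(RECORDS, DARKNET))
    print("top-2 source share:", top_source_share(RECORDS, 2))
    print("single-port / >2-port sources:", port_diversity(RECORDS))
    print("port share, MS share:", port_share(RECORDS))
    print("\n".join(ipset_restore_lines(RECORDS)))
```

Feed the last function’s output to `ipset restore` and reference the set from an iptables rule; on real Darknet data the `min_events` threshold is what keeps an innocent single typo out of the blocklist while a source hitting many addresses gets in.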
I think by now we can safely conclude that the majority of this traffic is far from innocent. But do keep in mind this is all received on IP addresses which are not in issue. It is therefore likely that every Internet connected host is seeing a similar pattern of traffic.
We also pass received Darknet traffic through our Intrusion Prevention Systems, which highlight behaviour beyond what a simple port-based firewall could be expected to detect. The results there were quite surprising, with 54% of traffic being improper in some way. A third of it was what we’d term mid-flow, i.e. packets ostensibly part of a TCP conversation where that conversation has never been set up. Much of the remainder consists of SYNs that never complete the three-way handshake required to open a TCP conversation, which at scale would be characteristic of a SYN flood DDoS attack.
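The two categories above are what a stateful inspection engine sees that a port filter cannot: a segment claiming an established connection that was never opened, and SYNs that are never followed by the rest of the handshake. The following is an added example, not Simwood’s IPS: a minimal TCP state tracker that labels each segment, lists flows stuck after their SYN, and flags sources whose SYN rate inside a short window looks like a flood rather than a probe. On a Darknet nothing ever answers, so every SYN is by definition unanswered; rate is the only thing that separates a scanner from a flood, and the threshold and window used here are assumptions. The segments are constructed; 192.0.2.0/24 stands in for Darknet space and the other addresses for sources, and the (timestamp, src, sport, dst, dport, flags) layout is an assumption about the capture format.

```python
"""Minimal stateful TCP classifier for Darknet segments (added example)."""
from collections import Counter, defaultdict

# Constructed sample: (ts, src, sport, dst, dport, flags). Flags are TCP
# flag letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST. Nothing ever replies.
SEGMENTS = [
    (0.00, "203.0.113.5",   40001, "192.0.2.1", 445,  "S"),   # ordinary probe
    (0.10, "203.0.113.5",   40002, "192.0.2.2", 445,  "S"),
    (0.20, "198.51.100.7",  51000, "192.0.2.1", 135,  "PA"),  # data, no handshake
    (0.30, "198.51.100.7",  51000, "192.0.2.1", 135,  "A"),
    (0.40, "203.0.113.9",   33000, "192.0.2.3", 22,   "S"),   # five SYNs in 40 ms
    (0.41, "203.0.113.9",   33001, "192.0.2.3", 22,   "S"),
    (0.42, "203.0.113.9",   33002, "192.0.2.3", 22,   "S"),
    (0.43, "203.0.113.9",   33003, "192.0.2.3", 22,   "S"),
    (0.44, "203.0.113.9",   33004, "192.0.2.3", 22,   "S"),
    (0.50, "198.51.100.44", 60000, "192.0.2.2", 3389, "FA"),  # FIN for nothing
    (0.60, "198.51.100.20", 45000, "192.0.2.4", 22,   "R"),   # lone RST
    (3.10, "203.0.113.5",   40001, "192.0.2.1", 445,  "S"),   # SYN retransmit
    (3.20, "203.0.113.5",   40001, "192.0.2.1", 445,  "A"),   # ACKs a SYN-ACK never sent
]


def classify_segments(segments):
    """Return (labels, flows). A lone SYN opens a flow; a SYN-ACK is only
    valid against a flow in syn_sent; an ACK only completes a flow in
    syn_received; anything else outside an established flow is 'midflow',
    i.e. it claims a conversation that was never set up."""
    flows = {}
    labels = []
    for _ts, src, sport, dst, dport, flags in segments:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if "S" in flags and "A" not in flags:
            if flows.get(fwd) == "syn_sent":
                labels.append("syn_retransmit")
            else:
                flows[fwd] = "syn_sent"
                labels.append("syn")
        elif "S" in flags:  # SYN-ACK: must answer a SYN we have seen
            if flows.get(rev) == "syn_sent":
                flows[rev] = "syn_received"
                labels.append("synack")
            else:
                labels.append("midflow")
        elif set(flags) <= {"A", "P"} and flows.get(fwd) == "syn_received":
            flows[fwd] = "established"
            labels.append("handshake_ack")
        elif "established" in (flows.get(fwd), flows.get(rev)):
            labels.append("in_flow")
        else:
            labels.append("midflow")
    return labels, flows


def syn_flood_sources(segments, threshold=5, window=1.0):
    """Sources sending >= threshold lone SYNs inside any `window` seconds."""
    syns = defaultdict(list)
    for ts, src, _sp, _dst, _dp, flags in segments:
        if "S" in flags and "A" not in flags:
            syns[src].append(ts)
    flagged = set()
    for src, times in syns.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def incomplete_handshakes(flows):
    """Flows that sent a SYN and never got further."""
    return sorted(k for k, state in flows.items() if state == "syn_sent")


def summarize(segments, threshold=5, window=1.0):
    """Counts per label, flood sources, stuck flows and the improper share,
    where 'improper' = mid-flow segments + SYNs from flood-rate sources."""
    labels, flows = classify_segments(segments)
    flooders = syn_flood_sources(segments, threshold, window)
    counts = Counter(labels)
    flood_syns = sum(1 for seg, lab in zip(segments, labels)
                     if lab == "syn" and seg[1] in flooders)
    return {
        "counts": dict(counts),
        "flood_sources": sorted(flooders),
        "incomplete_flows": len(incomplete_handshakes(flows)),
        "improper_fraction": (counts["midflow"] + flood_syns) / len(labels),
    }


if __name__ == "__main__":
    print(summarize(SEGMENTS))
```

The last two constructed segments are the instructive case: a SYN retransmission is normal and gets its own label, but the ACK that follows it acknowledges a SYN-ACK the Darknet never sent, so the state machine correctly files it as mid-flow. The classifier also accepts the server side of a handshake, so the same code can be run over a production capture where connections do complete.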
This initial analysis covers only a short period but there’s a few conclusions we can draw here:
The Darknet is unissued IP address space and the above findings suggest that any IP address should expect a similar level of nefarious traffic. No single address in the Darknet receives no traffic. This level of traffic is a baseline. For example, were it targeted at Simwood we would expect a much higher level of SIP traffic. In fact we see this on our production IP ranges but the low level here demonstrates the scatter-gun nature of this traffic and how it is a level of traffic that all addresses should expect as a minimum.
There are too many unique sources of traffic to block them manually and some form of automated blocking is required. Unique sources generally target one port/vulnerability so do not rely on the ports you monitor to offer insight to attacks on others.
If you have equipment on-line without a firewall blocking non-essential ports you are asking for trouble. Keep in mind that NAT is not a firewall. If you have Windows equipment on-line without a firewall then expect a career change.
If your user base is not global, blocking irrelevant source regions can help. You may have legitimate users in places you don’t expect, but there will be a tipping point where the bad traffic from a region far outweighs the good.
Don’t be complacent about your firewall. Half the traffic we see would sail straight through many firewalls on open ports, yet is nevertheless improper and dangerous.
Finally, the reason we operate a Darknet is to learn and feed the lessons back into our own security solutions. ThreatSTOP IP Reputation can tick many of the boxes above by offering geographic filtering and a continually updated list of approximately 5m addresses that you ought not to exchange traffic with. Our Darknet is one of many sources of data for ThreatSTOP. Meanwhile, our comprehensive Security solution is responsible for detecting all of the traffic analysed above. It incorporates ThreatSTOP in a general form (i.e. you’ll still want your own subscription if you want to filter geographically), network behavioural analysis, and a fully stateful firewall and IPS.
Please contact us if you’d like to discuss our findings or how we can help. If you’d be interested in more in-depth on going Darknet analysis or the use of our data in your own research, please also let us know.