Proposal Guidelines Archives Information Security Glossary Catalog InfoSecurityNetBASE Auerbach Publications Information Systems Security
Auerbach Publications

Darknets: Security's Bright Future

Michael Smith

Despite mature technologies such as firewalls, intrusion detection and prevention systems, and antivirus, maintaining the security of large and complex networks is far more difficult than it was 10 years ago. Threat volume is rising, propagation speed is increasing, and attacks are becoming more elusive. Tracking compromised systems is also challenging, and actually mitigating problems often appears impossible.

At the same time, user expectations and competitive business needs are greater than ever regarding interoperability, connectivity, and immediate access to data.

Needless to say, some might argue that the future of IT security management looks less than bright.

With the security threat landscape changing on a daily basis, IT requires more innovative ways to complement their traditional approach to gathering threat intelligence. And, ironically, security's bright side may be on the "dark" side.

The Darknet

A growing number of organizations are leveraging darknets to increase their security intelligence and, in turn, enhance their security posture. In its simplest definition, a darknet is an area of routed IP address space in which no active services reside. While traditionally every client, server, and network device has a unique IP address for each network connection, a darknet is comprised of a range of addresses for which there are no associated valid services or hosts. Thus, the network is "dark."

What makes a darknet a powerful security tool is that, after initial tuning, any traffic entering it from any source is most likely hostile. In contrast to a traditional network setup, wherein legitimate IP packets are routed to legitimate destination IP addresses and from legitimate source IP addresses, no legitimate packets should be sent to or from a darknet. Although some packets may enter as the result of misconfiguration, the majority are likely sent by malware that scans for vulnerable devices with open ports in order to download, launch, and propagate malicious code.

With the use of darknets, security administrators can spot scanning activity without using complicated analysis technology committing already overburdened resources, and, with a reduced occurrence of false positives. By significantly reducing the effort to analyze traffic, and at the same time improving intelligence gathering, darknets are an efficient tool for providing organizations critical information to help them protect the security and availability of their information assets.

Public Projects

One of the easiest ways for organizations to reap the benefits of a darknet is to participate in any one of a number of public darknet projects. These projects include Among the most well known the Cooperative Association for Internet Data Analysis, or CAIDA, headquartered at the San Diego Supercomputing Center, an extension of the University of California at San Diego; the Team Cymru Darknet Project, a corporation of geographically dispersed technologists interested in making the Internet more secure; and the Internet Motion Sensor project of the University of Michigan, headquartered in Ann Arbor, Michigan.

These public darknets measure, characterize, and track the traffic that enters the globally routable unused address space they are monitoring. A variety of providers, enterprises, and academic institutions participate in these efforts, offering resources, deploying sensors, and sharing captured data.

In turn, the project providers keep participants updated regarding emerging threats such as worms, network scanning activities, botnets, denial of service attacks, and more. This enables security administrators to proactively protect their own networks by putting in place the mechanisms to identify and mitigate those threats. A participant organization that receives a report on botnet controllers, for example, can check his or her organization's firewall logs to determine whether hosts on their internal network are communicating with any botnet controllers and leverage that intelligence to put appropriate countermeasures in place.

Private Darknets

Mid-sized to large organizations can also benefit from implementing their own private darknet. The greater the number of users is in an enterprise, the more devices administrators have to manage, and the greater the need is for safer, faster, and more reliable network traffic analysis. With a private darknet, organizations can quickly differentiate between legitimate and malicious traffic on their networks.

This practice can be especially useful for organizations that communicate regularly with international partners. For these organizations, it is not an option to block all traffic from specific source countries in order to reduce their security risk; with online business activities traversing the globe, international enterprises must remain accessible to partners and associates regardless of their location. Darknets provide a tool for allowing authorized connections from around the globe while also singling out unauthorized connection attempts from any source, near or far.

However, before organizations invest in a private darknet, they must have a proven test environment in place. Once space is allocated in this test environment, the organization can distribute known bad traffic to ensure it reaches the darknet test environment and that security administrators understand what to do with that data.

When the test period is complete, the organization can then identify the unused network space to be allocated to the darknet, monitor it for a period of time to ensure it is not being used, then, if necessary, implement network changes to make sure no legitimate traffic is routed to that space. A collector must also be set up within the darknet that captures any traffic that enters. To further streamline intelligence gathering, organizations may choose to write scripts that automatically respond to certain conditions-for example, sending an SMS message to the security administrator should a known worm appear or suspicious activity occur. Organizations that have security measurement requirements might also consider archiving traffic that is captured by the darknet and storing it in a database for use in supplementing reports from their more traditional security devices.

Today's darknets offer organizations a powerful complement to traditional security solutions by providing advanced security intelligence with minimal effort and maximum impact.

About the Author
Michael Smith is senior manager with Symantec Global Services.

© Copyright 2007 Auerbach Publications