
your very own dark IP monitor

the guys at team cymru have posted instructions on building your own darknet sensor using freebsd. it even made slashdot one day. they construct flows using argus but could easily get flows from their router (and collect them with flow-tools, cFlowd, or SiLK tools). you could also do this with linux, openbsd, or your favorite UN*X variant.

the trick isn't in the construction, by the way, it's in the data analysis. and sadly they provide little on how to analyze the data. you're left with that as an exercise, but there's no reason you couldn't implement some of the data analysis techniques described by projects like iSink, the IMS, or others.

i covered a lot of this already in my worms book. basically the whole concept of Dark IP, blackhole, or darknet space is a powerful monitor into your network: no legitimate traffic should ever arrive there, so everything that does is worth a look. if you run a large network you can shunt off unused portions to a single collection system. if you're a home user (i.e. broadband) you have fewer possibilities, but you still have a few. bear in mind that the larger the network you monitor, the more data you collect and the harder your analysis becomes. i found that a combination of tools which distills the data in a near real-time fashion is the best approach. otherwise you spend too much time trying to dig back through old data and make sense of it. hence ... my involvement in projects like the IMS. hopefully our papers will be accepted at conferences and you can see the architectural details. plus i get a chance to test some algorithms i developed to detect and classify traffic.
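a minimal version of the near real-time distillation step described above, as an added example (not code from this post, from team cymru, or from the IMS): it takes flow records aimed at a dark prefix and reduces them to one classified record per source. the flow tuples and the 203.0.113.0/24 dark range are constructed sample data, and the scan thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (made up for this example, not data from the post):
# (src_ip, dst_ip, proto, dst_port, packets). 203.0.113.0/24 plays the dark range.
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", "tcp", 445, 1),
    ("198.51.100.7", "203.0.113.11", "tcp", 445, 1),
    ("198.51.100.7", "203.0.113.12", "tcp", 445, 1),
    ("198.51.100.7", "203.0.113.13", "tcp", 445, 1),
    ("198.51.100.9", "203.0.113.20", "udp", 1434, 2),
    ("198.51.100.9", "203.0.113.21", "udp", 1434, 2),
    ("192.0.2.50", "203.0.113.99", "tcp", 22, 1),
    ("192.0.2.50", "203.0.113.99", "tcp", 80, 1),
    ("192.0.2.50", "203.0.113.99", "tcp", 443, 1),
    ("192.0.2.77", "203.0.114.5", "tcp", 80, 3),   # not in the dark range: dropped
]

def summarize_darknet(flows, dark_prefix, min_targets=3):
    """Distill flows into the dark prefix into one record per source. Nothing
    legitimate lives there, so the question is how a source behaved, not whether it came."""
    dark = ipaddress.ip_network(dark_prefix)
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(), "packets": 0})
    for src, dst, proto, dport, pkts in flows:
        if ipaddress.ip_address(dst) not in dark:
            continue  # only traffic into the dark range is evidence
        rec = per_src[src]
        rec["targets"].add(dst)
        rec["ports"].add((proto, dport))
        rec["packets"] += pkts

    summary = {}
    for src, rec in per_src.items():
        n_targets, n_ports = len(rec["targets"]), len(rec["ports"])
        if n_targets >= min_targets and n_ports == 1:
            kind = "horizontal-scan"   # one service probed across many dark hosts
        elif n_targets == 1 and n_ports >= min_targets:
            kind = "vertical-scan"     # many services probed on one dark host
        else:
            kind = "probe"             # too little so far; keep watching later windows
        summary[src] = {"targets": n_targets, "ports": n_ports,
                        "packets": rec["packets"], "kind": kind}
    return summary

if __name__ == "__main__":
    for src, s in summarize_darknet(SAMPLE_FLOWS, "203.0.113.0/24").items():
        print(f"{src:15} {s['kind']:16} targets={s['targets']} ports={s['ports']} pkts={s['packets']}")
```

run it over each collection window (a minute, say) rather than over the whole archive, which is the point of distilling as the data arrives.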

June 9, 2004 in tools

Comments

well, there are lots of 'flow tools' out there but little on 'what does that mean', i.e. especially on correlation.

Posted by: myhosus | Jun 11, 2004 3:05:32 AM

oh, sorry. flow-tools is the name of a set of tools to read and store NetFlow data. the tools were written at OSU: http://www.splintered.net/sw/flow-tools/

correlation is another thing entirely, and is the subject of active research by me and many others (working with me or with different teams). i cover it somewhat in my worm book, but here are some additional papers to get you thinking about this:

http://www.cc.gatech.edu/people/home/xinzhou/TR_CoC_04.pdf

http://berkeley.intel-research.net/bnc/papers/netbait.pdf

http://people.ists.dartmouth.edu/~vberk/papers/iwia03.pdf

http://scholar.lib.vt.edu/theses/available/etd-05182004-085925/unrestricted/etd-last.pdf
once i get a few minutes to write up my thoughts on this area of research i'll try to. in the meantime, enjoy!

Posted by: jose | Jun 11, 2004 1:18:03 PM

well, I had read a lot of papers about the IMS. Sure, they provide little in terms of how to analyze the data. There is 'i found that a combination of tools which distills the data in a near real-time fashion is the best approach.' there. But what are the tools and how? Would you please talk about it?
And how to identify the efficiency of a system detecting worms? The false positive rate, the false negative rate, etc...

Posted by: gongzixb | Jun 15, 2006 6:38:46 AM

Dark IP traffic is something interesting to me now that we have peakflow in production. I seem to be finding it hard to get more basic information on what to look for etc when this event is triggered. It seems that some people are actually using the space for semi-legit purposes. Can you give some more insight into how you feel darknet sensors can assist in finding and killing worms. What types of patterns should people be looking for?

Posted by: sp00f | Jul 7, 2006 9:08:41 AM

Why does Dark IP come into the picture? What is its major use? Why do we need dark IP?

What capability does it have, since it does not exist in a network? Even if it is not going to be pinged, how is this IP useful?

Please, anyone, I am not offending you, I just want to know the exact concept of it.

Posted by: Kishore Kumar | May 30, 2007 5:46:37 AM

Good post!!!
Know more about IP monitor tools, which deliver out-of-the-box up/down network monitoring that's perfect for keeping up with your network devices, servers, and applications. It also quickly discovers network devices and automatically recommends SmartMonitor settings, making the setup process simple and fast.
Check it at
http://www.solarwinds.com

Posted by: Prabhdeep | Jun 8, 2010 4:22:52 AM
