davidu@everydns.net (David A. Ulevitch) writes:
> I was wondering how many of you are running some sort of detection tool on "dark address" space on your network?
ooooh, ooooh, me!
> In an effort to curb malicious outbound non-spoofed traffic from "owned" client machines I think one of the easiest methods we have is to look for scans in what should be dead space.
you're right.
> The source-address spoofed traffic is easy to drop, the "legal" traffic is a bit more complex and I'm looking for non-inline methods of curbing this traffic.
since this space has no dns records pointing into it, the only traffic it will see is from errors/typos, and network scanners. some scanners use pseudorandom selection, some are serial, but none are nonmalicious.
> My questions are:
> 1) Are you doing this and if so, what tools are you using? Some sort of simple listening device with thresholds would probably do the trick if one machine monitored an entire /24 or some random /32's out of a /16.
in freebsd ipfw:

        pipe 1 config mask src-ip 0xffffffff buckets 32768 bw 10Mbit/sec
        pipe 1 ip from any to x.y.0.0/16 in
        fwd 127.0.0.2 ip from any to x.y.0.0/16 in

"pipe 1" is just there for measurement purposes, and ddos prevention. the address i fwd it to is an extra loopback alias defined in rc.conf:

        ifconfig_lo0_alias0="inet 127.0.0.2 netmask 255.255.255.255"

this box also runs zebra to inject this /16 into the local OSPF, which elsewhere triggers some router of jabley's to inject it into BGP. there are two listeners, both written locally, that are started in rc.local by scripts that look like this:

        while :; do
                ( src/httpk/i386/httpk -b reject-all.vix.com -t 3 -h 127.0.0.2 \
                        -s http -f endoftheline.html -l | tee tee | src/httpk/pgit.pl ) > log 2> err
                sleep 45
        done

and this:

        while :; do
                ( src/smtpk/smtpk -l 127.0.0.2 | tee tee | src/smtpk/pgit.pl ) > log 2> err
                sleep 2
        done

the "tee" file is sort of unreadable. for httpk it looks like this:

        src [209.148.235.157].3083; dst [149.20.195.105].80; Sat Apr 17 03:55:07 2004
        GET / HTTP/1.1
        Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
        User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
        Host: 149.20.195.105
        Connection: Keep-Alive

whereas for smtpk it looks like this:

        Message-ID: <050048052046049053050046049057049046053049@5914ASDE.vicp.net>
        To: <queque_2@juno.com>
        From: angelupno@aol.com
        Subject: Hey, what's up?
        Date: Sun, 11 Apr 2004 13:47:24 -1900
        MIME-Version: 1.0
        Content-Type: text/plain; charset="Windows-1252"
        Content-Transfer-Encoding: 7bit
        X-Priority: 3
        X-MSMail-Priority: Normal
        X-Mailer: Microsoft Outlook Express 5.00.3018.1300
        X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
        [222.156.12.131] -> [204.152.191.0] none <67sedrftyg8017@ms56.hinet.net> \
                (78) 1081855616.285020 <epschao@sogiant.twmail.net>

the postgres databases thus populated are much prettier, as are the "log" files produced by the respective "pgit.pl" scripts.
> 2) What techniques seem to be better? Monitoring an entire /24 or picking a distributed selection of IPs from a /16? (using a /24 or /25 is much easier on the administrative end of things from where I sit...)
i've tried /24's and i've tried covering-routes for well populated /21's and the thing that works really the best is an unused research-purposes /16.
> 3) What sort of threshold metrics for considering something to be malicious have you found to be good? (ports/second, ip/second, etc)
the false positives are less than one in ten million. "blackhole 'em all."
> 4) Are there downsides to this (aside from false positives, which would hopefully be rare in truly dark address space).
it's a l-l-lotta d-d-data, m-m-man. otoh, between this and postprocessing my maillogs looking for wormspoor, i have a personal blackhole list with almost a million hosts on it now, and about 20% of the ones who probe my smtpk (which always accepts all mail you send it) later try to spam my main mail server (which is in a different netblock). i'd say i've learned quite a lot about how spammers and wormers work together nowadays.

        httpk=# select count(*) from trans where srcaddr<<='209.148.235.0/24';
         count
        -------
            21
        (1 row)

ahhh, postgresql and its inet/cidr datatypes. (try 'em, you'll like 'em.)
-- 
Paul Vixie
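The thread above describes the pieces of a darknet listener but not the post-processing that turns its "tee" file into a blackhole list or the per-prefix count that Vixie runs in PostgreSQL. The following is an added example, not code from the post or from httpk/smtpk/pgit.pl: it parses records in the layout the httpk "tee" file uses on the page (`src [a.b.c.d].port; dst [w.x.y.z].port; <date>`), counts distinct dark-space destinations per source, emits the sources that cross a threshold, and reproduces the `srcaddr <<= '209.148.235.0/24'` containment count in Python's `ipaddress` module. The log lines are constructed for the example; the dark prefix (149.20.0.0/16) and the threshold knob are assumptions, with the default threshold of 1 matching the "blackhole 'em all" answer.

```python
"""Darknet listener post-processor (added example, not from the original post).

Assumptions, labelled here and in the lead-in:
  * DARK_PREFIX is a /16 with no DNS records pointing into it (assumed value).
  * The record layout is the one httpk's "tee" file shows on the page.
  * THRESHOLD = 1 reproduces "blackhole 'em all"; raise it to keep only
    sources that touched several distinct dark addresses (serial scanners).
"""
import ipaddress
import re
from collections import defaultdict

DARK_PREFIX = ipaddress.ip_network("149.20.0.0/16")   # assumed dark /16
THRESHOLD = 1                                         # distinct dark dsts per src

# "src [209.148.235.157].3083; dst [149.20.195.105].80; Sat Apr 17 03:55:07 2004"
RECORD_RE = re.compile(
    r"src \[(?P<src>[\d.]+)\]\.(?P<sport>\d+); "
    r"dst \[(?P<dst>[\d.]+)\]\.(?P<dport>\d+); (?P<when>.+)$"
)

# Constructed sample: one serial scanner, two single-hit sources, one line
# whose destination is outside the dark prefix and must be ignored.
SAMPLE_LOG = """\
src [209.148.235.157].3083; dst [149.20.195.105].80; Sat Apr 17 03:55:07 2004
src [209.148.235.157].3084; dst [149.20.195.106].80; Sat Apr 17 03:55:08 2004
src [209.148.235.157].3085; dst [149.20.195.107].80; Sat Apr 17 03:55:09 2004
src [209.148.235.200].1029; dst [149.20.12.1].80; Sat Apr 17 03:56:01 2004
src [222.156.12.131].4421; dst [149.20.191.0].25; Sat Apr 17 03:57:40 2004
src [10.0.0.5].5555; dst [192.0.2.9].80; Sat Apr 17 03:58:00 2004
"""


def parse_records(text):
    """Return (src, dst, dport) tuples for well-formed lines; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        out.append((ipaddress.ip_address(m["src"]),
                    ipaddress.ip_address(m["dst"]),
                    int(m["dport"])))
    return out


def dark_hits(records, dark=DARK_PREFIX):
    """Map each source address to the set of dark-space destinations it touched."""
    hits = defaultdict(set)
    for src, dst, _dport in records:
        if dst in dark:           # only traffic into the dark prefix counts
            hits[src].add(dst)
    return hits


def blackhole_candidates(hits, threshold=THRESHOLD):
    """Sources that probed at least `threshold` distinct dark addresses, sorted numerically."""
    return sorted((s for s, d in hits.items() if len(d) >= threshold), key=int)


def count_in_prefix(records, prefix):
    """Python equivalent of: select count(*) from trans where srcaddr <<= 'prefix'."""
    net = ipaddress.ip_network(prefix)
    return sum(1 for src, _dst, _dport in records if src in net)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    hits = dark_hits(recs)
    print("blackhole (threshold=1):", [str(s) for s in blackhole_candidates(hits)])
    print("blackhole (threshold=3):", [str(s) for s in blackhole_candidates(hits, 3)])
    print("srcaddr <<= 209.148.235.0/24:", count_in_prefix(recs, "209.148.235.0/24"))
```

With the default threshold every source that touched the dark /16 is listed, which is the policy the post describes; with `threshold=3` only the serial scanner survives, which is the knob question 3 asks about. `count_in_prefix` is the `<<=` containment test from the PostgreSQL query done with `ipaddress` objects rather than string prefixes, so "209.148.235.0/24" matches both the .157 and .200 sources and nothing else.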