Tracking compromised machines can be difficult. Security solutions
often don't scale to the size of larger networks. Technologies such
as IDS are flawed, producing copious false positives. When solutions
are scaled to fit the larger providers, they often require
considerable care and feeding, thus taking time away from problem
mitigation. There must be a better way!
Enter the Darknet! A Darknet is a portion of routed, allocated IP
space in which no active services or servers reside. These are "dark"
because there is, seemingly, nothing within these networks.
A Darknet does in fact include at least one server, designed as a
packet vacuum. This server gathers the packets and flows that enter
the Darknet, useful for real-time analysis or post-event network
forensics.
Any packet that enters a Darknet is by its presence aberrant. No
legitimate packets should be sent to a Darknet. Such packets may have
arrived by mistake or misconfiguration, but the majority of such
packets are sent by malware. This malware, actively scanning for
vulnerable devices, will send packets into the Darknet, and this is
exactly what we want.
Darknets have multiple uses. They can host flow collectors, backscatter
detectors, packet sniffers, and IDS boxes. The elegance of the Darknet
is that, because no legitimate traffic should ever reach it, it cuts
down considerably on the false positives produced by any device or
technology placed inside it.
The goals of the Darknet are simple - to increase awareness, and to
ease mitigation. With a Darknet in place, it is far easier to
determine the amount of naughty traffic on a network, as well as the
sources of said traffic.
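As an added example (not from the post or its source article), here is a minimal "packet vacuum" classifier of the kind described above: it keeps only flows whose destination falls inside the darknet prefix, separates unsolicited probes from backscatter, and reports which sources are sweeping the dark space. The darknet prefix 203.0.113.0/24, the flow-record shape, the sample flows and the flag-based backscatter heuristic are all assumptions made for this example.

```python
"""Darknet packet-vacuum classifier (added example; assumptions noted inline)."""
import ipaddress
from collections import Counter, defaultdict

# Assumed darknet prefix: routed, allocated, but hosting no services.
DARKNET = ipaddress.ip_network("203.0.113.0/24")

# Constructed flow records, as a collector sitting inside the darknet might log them.
SAMPLE_FLOWS = [
    # one source sweeping three dark hosts on TCP/445: worm-style scanning
    {"src": "198.51.100.7", "dst": "203.0.113.10", "proto": "tcp", "sport": 41000, "dport": 445, "flags": "S"},
    {"src": "198.51.100.7", "dst": "203.0.113.11", "proto": "tcp", "sport": 41001, "dport": 445, "flags": "S"},
    {"src": "198.51.100.7", "dst": "203.0.113.12", "proto": "tcp", "sport": 41002, "dport": 445, "flags": "S"},
    # SYN/ACKs from a web server to addresses that never sent a SYN:
    # backscatter from a spoofed-source flood aimed at that server
    {"src": "192.0.2.80", "dst": "203.0.113.200", "proto": "tcp", "sport": 80, "dport": 33001, "flags": "SA"},
    {"src": "192.0.2.80", "dst": "203.0.113.201", "proto": "tcp", "sport": 80, "dport": 33002, "flags": "SA"},
    # a single UDP probe, possibly a mistyped SNMP target
    {"src": "198.51.100.9", "dst": "203.0.113.5", "proto": "udp", "sport": 5000, "dport": 161, "flags": ""},
    # traffic to production space: not the darknet's concern
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "sport": 41003, "dport": 445, "flags": "S"},
]


def in_darknet(addr: str) -> bool:
    """True when addr falls inside the darknet prefix."""
    return ipaddress.ip_address(addr) in DARKNET


def classify(flow: dict) -> str:
    """Label a flow that reached the darknet.

    Nothing inside a darknet initiates connections, so a TCP segment carrying
    ACK or RST is a reply to a packet the darknet never sent, i.e. backscatter
    from an attack on a third party using spoofed sources. Everything else
    (SYN, UDP, ICMP) is an unsolicited probe. This is a simplifying heuristic.
    """
    flags = set(flow.get("flags", ""))
    if flow["proto"] == "tcp" and flags & {"A", "R"}:
        return "backscatter"
    return "probe"


def summarize(flows, scan_threshold: int = 3) -> dict:
    """Aggregate darknet hits by category and source; flag sources that
    probed at least scan_threshold distinct dark hosts as scanners."""
    by_category = Counter()
    dark_hosts_per_src = defaultdict(set)
    ports_per_src = defaultdict(Counter)
    ignored = 0
    for flow in flows:
        if not in_darknet(flow["dst"]):
            ignored += 1
            continue
        cat = classify(flow)
        by_category[cat] += 1
        if cat == "probe":
            dark_hosts_per_src[flow["src"]].add(flow["dst"])
            ports_per_src[flow["src"]][(flow["proto"], flow["dport"])] += 1
    scanners = sorted(
        src for src, hosts in dark_hosts_per_src.items() if len(hosts) >= scan_threshold
    )
    return {
        "by_category": dict(by_category),
        "scanners": scanners,
        "ports": {src: dict(c) for src, c in ports_per_src.items()},
        "ignored": ignored,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    print("hits by category:", report["by_category"])
    print("scanning sources:", report["scanners"])
    for src, ports in report["ports"].items():
        print(f"  {src}: {ports}")
    print("non-darknet flows ignored:", report["ignored"])
```

Feeding real flow records (e.g. exported from a flow collector on the darknet sensor) through `summarize` gives the two numbers the post cares about: how much unwanted traffic there is, and which sources produce it. The scan threshold and the ACK/RST heuristic are the knobs to tune; real backscatter also includes ICMP unreachables and RSTs, which this example only partly covers.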
[continues at the above URL ..]
---
* Origin: [adminz] tech, security, support (192:168/0.2)
generated by msg2page 0.06 on Jul 21, 2006 at 19:04:02