-
January 24th, 2006, 08:50 PM
#1
Darknet
I scanned and searched, and didn't find anything previous on this topic. I've run across information on using a "darknet" in place of, or in addition to, an IDS or other network protections. The project is described in this link:
http://www.cymru.com/Darknet/index.html#comments
Has anyone set up and run one? What success have you had with it? Mostly, looking for some real-world validation that I can take to the rest of the crew at some point. The idea sounds good and may be a more "proactive" solution. I hate that word, but the concept is good.
-
January 25th, 2006, 04:41 PM
#2
Junior Member
From reading the introduction I didn't really understand the point of it, just seems like introducing another layer of the network to filter out a bit more of the rubbish?
-
January 25th, 2006, 05:27 PM
#3
This malware, actively scanning for vulnerable devices, will send packets into the Darknet, and this is exactly what we want.
This almost sounds like a honey pot to me.
With a Darknet in place, it is far easier to determine the amount of naughty traffic on a network, as well as the sources of said traffic.
And with this little snippet it seems like a darknet is more for analysis and forensics than actual prevention.
"He who shall introduce into public affairs the principles of primitive Christianity will change the face of the world."
Benjamin Franklin
-
January 25th, 2006, 07:37 PM
#4
Yes, it seems like a honeypot, but from the description and configuration, there should be no traffic to speak of on the net (thus dark net) unless it is malicious?
Anyway, I was hoping that someone here may have attempted to implement this and has some real world experience to share.
-
January 26th, 2006, 11:32 AM
#5
I attempted this once but it wasn't very useful to me, I think you need a fair size network.
I guess on my small network at the time I just wasn't getting that many viruses or anything else that could trigger a lot of traffic hitting the "darknet" part. Anyway it was a little different setup than this one but I suppose it worked similar to this.
----------------------------------------------------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford
-
January 26th, 2006, 01:54 PM
#6
I can see a _serious_ issue with the concept of a darknet... complacency...
A dark net will alert you to noisy, badly written malware intent on mayhem. I would suggest that with the influx of organized crime and simple individuals trying to commit crimes the current trend is away from such malware and more towards malware that fulfils its purpose without noise. This malware will be specifically targeted and will only "speak" to specific assets in a specific way. It will not sit there shouting its presence at anyone who wishes to put a sniffer on his network.
That spiffy new darknet you just implemented will not see this malware.... But it's far more costly to you than the mayhem intended malware.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
January 26th, 2006, 06:33 PM
#7
Thanks for that perspective, TS. That helps a lot. I noticed that the dates on the documents were a couple years old.
Hmmm ... so, even the recon traffic would not be seen in the darknet with the current type of malware and attacks?
That's kind of what I was hoping to see if this was implemented, kind of as an early warning system.
I'm not thinking of putting all the eggs in this basket, just so ya know. I thought it might be a good addition to the full range of detections we're planning.
-
January 26th, 2006, 06:40 PM
#8
It's going to catch the stuff that recons... That's the basic, mayhem intended stuff.... The costly stuff won't recon.. It's not intended for mayhem... Think of it like this:-
Mayhem malware = An armored division
Costly malware = SEAL team infiltrating enemy lines
Which is easier to find?
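Added example, not part of any post in this thread: a minimal Python sketch of the darknet idea discussed above, run over constructed flow records. The dark prefix 10.99.0.0/16, the internal range 10.0.0.0/8, the record format and the sweep threshold are all assumptions for illustration. It ranks sources that touch the dark prefix, and the host 10.1.8.40, which only talks to one live asset, never shows up, which is the blind spot raised in post #6.

```python
import ipaddress
from collections import defaultdict

DARKNET = ipaddress.ip_network("10.99.0.0/16")  # assumed: routed, unused prefix
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed: our own address space

# Constructed flow records, one per line: "src dst dst_port"
SAMPLE_FLOWS = """\
10.1.4.23 10.99.0.5 445
10.1.4.23 10.99.0.6 445
10.1.4.23 10.99.7.200 445
203.0.113.9 10.99.12.1 22
10.1.8.40 10.1.2.10 1433
10.1.8.40 10.1.2.10 1433
10.1.5.77 10.99.3.3 80
not a flow record
"""

def darknet_hits(flow_text, darknet=DARKNET):
    """Group flows whose destination is inside the darknet by source address."""
    hits = defaultdict(lambda: {"dsts": set(), "ports": set(), "flows": 0})
    for line in flow_text.splitlines():
        try:
            src, dst, port = line.split()
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip malformed records instead of aborting the run
        if dst_ip in darknet:  # nothing legitimate lives here, so every hit counts
            entry = hits[str(src_ip)]
            entry["dsts"].add(dst_ip)
            entry["ports"].add(port)
            entry["flows"] += 1
    return dict(hits)

def report(hits, internal=INTERNAL, sweep_threshold=3):
    """Rank sources by distinct dark addresses touched; threshold is an assumed cut-off."""
    rows = []
    for src, h in sorted(hits.items(), key=lambda kv: (-len(kv[1]["dsts"]), kv[0])):
        origin = "internal" if ipaddress.ip_address(src) in internal else "external"
        kind = "sweep" if len(h["dsts"]) >= sweep_threshold else "stray"
        rows.append((src, origin, kind, len(h["dsts"]), sorted(h["ports"])))
    return rows

if __name__ == "__main__":
    for row in report(darknet_hits(SAMPLE_FLOWS)):
        print(row)
```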
-
January 26th, 2006, 07:00 PM
#9
Excellent point.
That's how you explain things to me. As an old tread-head, I understand armored division.
-
January 26th, 2006, 07:01 PM
#10
LOL... Whatever works...