The Darknet Mesh Project

The Darknet Mesh Project is a collaborative project between the Network Security Team at OUCS (OxCERT), and other security teams at UK universities to produce a collaborative means to detect and report on traffic hitting a collection of darknets

Motivations

For many years darknet setups have been a simple, effective and reliable way to detect hosts scanning ones address space. Selecting a small amount of address space within your own netblock was frequently sufficient to detect hosts within your network scanning the rest of your address space. The vast majority of systematic scanners began by scanning address space close to the IP address the infected host had been assigned.

More recently, one malware trend has been a shift away from systematic (and high volume) scanning of local address space towards slower, and more random scanning. This is far harder to spot, and is less likely to be detected on a single darknet (it will take a long time before the darknet IP happens to be picked by the malware).

One obvious way to mitigate this issue would be to use much larger address ranges for the darknet, and to use a non-contiguous address range. This is however not without problems, not least the scarcity of IPv4 address space, and the fact that an individual organisation is unlikely to have a large number of disjoint ranges that they can use. The darknet mesh project aims to address these issues by multiple organisations (in our case across the JANET community) collaborating to provide the visibility benefits of a large and disjoint darknet without making an unreasonable demand on either Public IPv4 address space, and without requiring large amounts of ongoing maintenance work by the participants

The Process

Participants within a darknet mesh must register, their address space in CIDR notation, and an alert email address. This data is then fetched by each participant within the mesh to determine what addresses should be monitored by the darknet code. The darknet mesh registration process does not require the set of darknets to be collected this is advantageous as this could be data that would be of benefit to malware authors in the event they became aware of it.

The darknet software is run on a system with the ability to see traffic flowing to the darknet address space. This could be via one or more of the following:

  • A fibre tap on a network to which the darknet is routed
  • A span port on a network to which the darknet is routed
  • An ethernet port on a host which is designated as the default route for the darknets (recommended)

    Once installed and configured, the script monitors for traffic from participating organisations, collects flows flowing to the darknet and emails the appropriate administrator for the network.

    Requirements

    The darknet monitor is written in perl, and depends on argus 3.0, it should run on any Unix alike system, but has been tested mainly on Debian Linux, Centos and SuSE. Packages for Debian, Centos/RHEL, and SuSE are available.

    Installation

    From Source

    Download the latest version of the project code, extract the tar file into a directory, and run

    make install
    . Edit /etc/darknet/mesh.cfg and /etc/darknet/addres_url to configure.

    From A Package

    Debian

    Add the following line to /etc/apt/sources.list:

    deb http://projects.oucs.ox.ac.uk/darknet/debian debian main

    Use your favourite apt front end to install the

    darknet-mesh
    package, edit /etc/darknet/mesh.cfg and /etc/darknet/address_url. You can download the package signing key, and it can be imported with:

    apt-key add dark-public.pgp

    RedHat

    RedHat RPMs are available, you can configure yum, or a similar tool to use this with the following:

    [darknet]
    name=darknet (OxCERT)
    baseurl=http://projects.oucs.ox.ac.uk/darknet/redhat
    gpgcheck=1

    PGP signing package signing keys for the project can be imported into rpm with:

    rpm --import rpm --import http://projects.oucs.ox.ac.uk/darknet/dark-public.pgp

    Setting up your own mesh

    At present, the darknet mesh we are running is targetted at Academic institutions within the UK. If you are from elsewhere, you may wish to run your own mesh to collect data. The process for doing so is very simple:

    • Configure a webserver to respond via https, and to accept certificate based authentication
    • Either: Configure an appropriate CA to sign certificates for users of the mesh, or set up password based authentication
    • Publish a list of address space in the form:
      192.168.0.1/22,address@example.com
      172.18.0.0/16,address2@example.com
      
    • Install the darknet mesh code onto your systems
    • configure the URL, by editing /etc/darknet/update-address
    • generate a certificate for the host and place it in /etc/darknet/crt, or put the username and password in /etc/darknet/pass