Workshop Summary
In the last decade, network telescopes have been used to observe unsolicited Internet traffic sent to unassigned address space. Network telescopes allow global visibility into and historical trend analysis of a wide range of security-related events, including scanning address space for vulnerable targets, random spoofed source denial-of-service attacks, the automated spread of malicious software such as Internet worms or viruses, and miscellaneous misconfigurations. Traffic destined to darkspace is evolving to include longer-duration, low-intensity events intended to establish and maintain botnets.
The goals of the workshop were to:
- introduce members of relatively small but also surprisingly disconnected community of darknet researchers;
- to inform participants about ongoing Network Telescope activities in various organizations; and
- to explore opportunities for and discuss appraoches to collaboration and data-sharing.
Common themes of the discussions included:
- automatic signature detection technology, for coordinating early detection of anomalous events on darknets around the world
- use of clustering (and why it isn't working)
- common s/w requirements and development vectors e.g., geolocation, breakdown by transport and network protocols, packet interarrival times
Research Needs
- how to share address space, as pressure mounts to turn over honeynet, through deflector nets or "monkey nets"
- announcing darknets from different locations at different times ("hotpotato honeynet")
- "Darkspace Construction and Maintenance" (FloCon2011 talk), which lit and unlit hosts to see how much traffic it attracts (lots)
Darkspace Operations
- using honeynet data to help infer reputation of IP addresses, correlated with other sources of blacklist data
Technology Applications
- WOMBAT: Worldwide Observatory of Malicious Behaviors and Attack Threats honeypots, crawlers, contextual analysis, annotation, data (WAPI) query interface allows correlation between distributed datasets
- Worldwide Intelligence Network Environment (WINE)
- Symantec's platform for vigorous experimentation methods for academics
- real world data: spam, malware, binaries in wild, DNS queries, etc.
- Must use data on site, code to data, mutual NDA with publication rights
- author keeps intellectual property
- community building activities: e.g., community wiki - annotated a databse of honeynets with which software they run and how they conduct risk assessment
- Open question: What should be made available from darknets on an operational basis, i.e, information about traffic coming in to allow researchers to trigger further collection?
Data Sharing and Community Building
Organizing committee
- kc claffy (CAIDA, UCSD)
- Nevil Brownlee (University of Auckland, New Zealand)
- Michael Bailey (University of Michigan)
Attendees
- Darren Shou (Symantec), Worldwide Intelligence Network Environment (WINE): Symantec's Data Sharing Program
- Vinod Yegneswaran (SRI), presentation on http://mtc.sri.com/ (dead link)
- Tanja Zseby (Fraunhofer FOKUS)
- Michael Pomraning (Qualys)
- Christopher Alfeld (Qualys)
- Corrado Leita (Symantec), WOMBAT: a Worldwide Observatory of Malicious Behaviors and Attack Threats
- Christos Papadopoulos (Colorado State University)
- Manish Karir (MERIT), 1.0.0.0/8 and Internet Pollution - Part 2
- kc claffy (CAIDA, UCSD)
- Nevil Brownlee (CAIDA), Network Telescope Data Analysis: IBR Monitoring
- Marina Fomenkov (CAIDA)
- Erin Kenneally (CAIDA, UCSD)
- Bradley Huffaker (CAIDA)
- Josh Polterock (CAIDA)