A darknet (network telescope) is an unused space of IP addresses where normally we should observe no network traffic. However, it turns out that a lot of network packets can be observed there, although no services or applications are available at these IP addresses. The origin of this traffic can usually be divided into three categories: (1) misconfiguration of network devices/applications, (2) scanning activities, (3) backscatter from DoS attacks. As a result, we can observe a lot of interesting activities in this traffic. First of all, it is possible to track DoS victims (spoofed attacks). Secondly, we can observe trends in scanning activities, which allows us to identify new threats and potential victims. We can also track scanning activity related to amplified DRDoS attacks, which are probably the most destructive DoS attacks. Moreover, we are able to track the activity of some botnets and, as a result, we collect data about the infected devices, the botnets' behaviour and sometimes about their victims (DoS). I have been observing NASK's darknet traffic for several months. The mean number of packets received per hour is equal to 25 million. On this basis, I would like to talk about activities seen in the darknet, present some statistics concerning this traffic, show some case studies concerning observed DoS attacks and describe botnet fingerprinting in this traffic.
CONFidence 2018: Darknet traffic - what can we learn from nooks and crannies of the internet? (Piotr Bazydło)
1. Piotr Bazydło
Darknet traffic – what can we
learn from nooks and crannies
of the internet
Research and Academic Computer Network NASK
Work performed during SISSDEN project.
2. What is darknet?
Often called a "network telescope".
An unused (dark) space of IP addresses.
In theory, there should be no network traffic.
5. What is darknet?
In practice, we can see a lot of different packets:
Misconfiguration of network devices/applications.
Scanning activities.
Backscatter from DoS attacks.
Exploitation attempts.
Weird and undefined stuff.
16. Some numbers
Our darknet consists of more than 100 000 IP addresses.
Statistically, we:
Receive about 25 000 000 000 packets per month (80% of packets are TCP packets).
That gives us about 800 000 000 packets per day.
And more than 500 000 packets per minute.
17. Problems
How to group these packets?
How to analyze them?
How to classify them into events?
How to define whether an event is interesting or not?
How to fingerprint the responsible actors?
18. Okay, so what can we do with this traffic?
Detect and analyze DoS attacks.
Fingerprint actors/botnets responsible for specific attacks.
Observe massive scan campaigns and the responsible actors.
Observe botnets' actions.
Forecast exploitation campaigns and even 0-day exploits.
Detect new signatures (Packet Generation Algorithm) in network traffic.
And other related actions.
33. Day 1 – 20.02 (patient zero?)
Only 3 IP addresses – all located in the UK.
All 3 IP addresses within the same host – DigitalOcean.
The whole scan lasted about 25 minutes.
Only two source ports used (34860 and 43493).
One payload used (stats slabs with some additions).
34. Day 4 – 23.02
Only 2 IP addresses – UK and Singapore.
UK IP – the same as on 20.02.
Singapore ASN: Alibaba (China) Technology Co., Ltd.
Only two source ports used (34765 and 45931).
Guess what – still the same payload for both IP addresses.
Conclusion – we are probably still dealing with a single actor.
35. Day 5 – 24.02 (new kid on the block?)
Only 1 IP address – USA.
ASN: AS27176 DataWagon LLC.
Source ports seem to be randomized.
A new payload has been used.
The scan lasted longer (about 3 hours).
Looks like we have a new actor.
36. And so on… Pre-GitHub scanners.
About 60 IP addresses.
Several scanning patterns.
37. After the GitHub DoS – scanners.
About 315 IP addresses.
Multiple different scanning patterns.
38. How can we define patterns?
Unique payload types.
Unique source port generation schemes.
Pairs of characteristics, e.g. source ports → payload → timeline.
And others.
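The grouping that slides 33 to 38 do by hand (same payload plus a fixed pair of source ports on days 1 and 4, randomized ports plus a new payload on day 5) can be automated by keying each source on its payload set and its source port generation scheme. The following is an added example, not code from the talk or from NASK: the records, the addresses (RFC 5737 documentation ranges standing in for the UK, Singapore and US hosts), the payload bytes and the unique-port ratio thresholds are all constructed or assumed for illustration.

```python
"""Added example, not code from the talk or from NASK: group darknet scan
records into candidate actors the way slides 33-38 do by hand, keyed on the
per-source payload set and the source-port generation scheme.  The records,
the addresses (RFC 5737 documentation ranges) and the ratio thresholds are
all constructed or assumed for illustration."""
import random
from collections import defaultdict

# Constructed records: (day, source_ip, source_port, payload).  The payload
# stands in for the slides' "stats slabs with some additions"; it is not the
# observed bytes.
_rng = random.Random(7)
RECORDS = []
for day, srcs, ports in [("20.02", ["203.0.113.1", "203.0.113.2", "203.0.113.3"], [34860, 43493]),
                         ("23.02", ["203.0.113.1", "198.51.100.7"], [34765, 45931])]:
    for src in srcs:
        for i in range(10):
            RECORDS.append((day, src, ports[i % 2], b"stats slabs\r\n"))
for _ in range(20):  # day-5 actor: randomized source ports and a new payload
    RECORDS.append(("24.02", "192.0.2.9", _rng.randint(1024, 65535), b"stats\r\n"))


def port_scheme(ports, low=0.2, high=0.8):
    """Classify how a source picks its source ports by the unique/total ratio.
    The two thresholds are assumptions, not values from the talk."""
    ports = list(ports)
    ratio = len(set(ports)) / len(ports)
    if ratio <= low:
        return "low-cardinality"   # a handful of fixed ports, as on days 1 and 4
    if ratio >= high:
        return "randomized"        # as on day 5
    return "mixed"


def timeline(records, src):
    """Days on which a source was active (the 'timeline' characteristic)."""
    return sorted({day for day, s, _, _ in records if s == src})


def cluster_scanners(records):
    """Group sources that share (port scheme, payload set); each group is one
    candidate actor.  Returns a list sorted by that key."""
    per_src = defaultdict(lambda: {"ports": [], "payloads": set()})
    for _day, src, sport, payload in records:
        per_src[src]["ports"].append(sport)
        per_src[src]["payloads"].add(payload)
    groups = defaultdict(list)
    for src, f in per_src.items():
        groups[(port_scheme(f["ports"]), tuple(sorted(f["payloads"])))].append(src)
    return [{"scheme": scheme, "payloads": list(payloads), "sources": sorted(srcs)}
            for (scheme, payloads), srcs in sorted(groups.items())]


if __name__ == "__main__":
    for c in cluster_scanners(RECORDS):
        print(c["scheme"], c["payloads"], c["sources"],
              [timeline(RECORDS, s) for s in c["sources"]])
```

Run as a script it prints two groups: the four low-cardinality sources sharing the first payload (the slides' "single actor" across days 1 and 4) and the lone randomized-port source with the second payload (the "new kid on the block"). The per-source timeline is what lets the analyst notice that one address persists across both days.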
46. Russian watchdog – another attack
On 19.04 – another attack.
Still SYN FLOOD and the ACK mitigation technique.
However, we have received ICMP packets signaling an ACK FLOOD:
Destination Port = 0
SEQ[3:4] = 0 AND ACK[3:4] = 0
47. PGA
Packet Generation Algorithm (first mentioned by 360Netlab).
Tools and malware often utilize different PGAs in order to simplify/speed up the packet generation procedure.
We have developed a tool for the automatic detection of various PGA signatures.
Usually based on some simple operations (byte swapping, incrementation, hardcoded values and others).
Usually seen during scanning or DoSing actions. However, PGA was also spotted during C2 communication.
49. Why even bother?
Let's compare SYN FLOOD packet generation using a legit PGA and the XoR.DDoS botnet PGA.
XoR.DDoS PGA:
IP_ID = SPORT,
SEQ[1:2] = IP_ID.
Assuming a botnet with 100 000 machines:
2 400 000 more packets per second!
51. Mirai – ingenious scanning
SEQ = DST_IP
Faster.
Doesn't have to store information about sent packets, as it only has to compare the IP and ACK of the incoming packet.
52. Is XoR.DDoS easily traceable?
Not really, as in SYN-ACK packets we lose the information about the IP_ID used in the PGA.
We can compare DPORT and ACK in SYN-ACK packets.
However, we sometimes receive ICMP packets with the spoofed packet included in the payload – in this case, we can identify the whole signature.
54. Signatures everywhere
SYN FLOOD on an IP belonging to Google – full of PGA signatures.
1. SPORT = SEQ[1:2]
2. SEQ[3:4] = 0xFFFF
3. SPORT = IP_SRC[3:4]
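Every signature on slides 46 to 54 is a relation between header fields of one packet (IP_ID, source port, the halves of SEQ and ACK, the destination or source address), so a detector only needs to parse the IPv4/TCP headers and evaluate those relations; slide 52's point that an ICMP error carrying the spoofed packet exposes the whole signature means the detector should also look inside ICMP error payloads. The block below is an added example, not NASK's detection tool or code from the talk. It assumes the slides' byte ranges are 1-indexed and inclusive in on-wire (big-endian) order, so SEQ[1:2] is the high 16 bits of the sequence number and IP_SRC[3:4] the low 16 bits of the source address; the sample packets are constructed from documentation addresses and the signature names are this example's own.

```python
"""Added example (not code from the talk or NASK's tool): match the PGA
signatures quoted on slides 46-54 against raw IPv4/TCP packets, unwrapping
the spoofed packet quoted inside ICMP error messages (slide 52).  Byte ranges
such as SEQ[1:2] are assumed to be 1-indexed, inclusive, on-wire (big-endian)
positions: SEQ[1:2] is the high 16 bits of SEQ, IP_SRC[3:4] the low 16 bits
of the source address."""
import struct
from ipaddress import IPv4Address


def parse_ipv4(buf):
    """Return (header fields, transport payload) of a raw IPv4 datagram."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _, _, ip_id, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"ip_id": ip_id, "proto": proto, "src": int.from_bytes(src, "big"),
            "dst": int.from_bytes(dst, "big")}, buf[ihl:]


def parse_tcp(buf):
    """Parse the leading TCP fields.  An ICMP error may quote only the first
    8 bytes of the transport header, so ACK and flags may come back as None."""
    if len(buf) < 8:
        raise ValueError("short TCP header")
    sport, dport, seq = struct.unpack("!HHI", buf[:8])
    ack = flags = None
    if len(buf) >= 14:
        ack, off_flags = struct.unpack("!IH", buf[8:14])
        flags = off_flags & 0xFF
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def decode(buf):
    """Flatten a darknet packet into one record.  For ICMP destination
    unreachable / time exceeded (types 3 / 11) the quoted, spoofed inner
    packet is decoded instead and marked quoted=True; anything else is None."""
    ip, l4 = parse_ipv4(buf)
    if ip["proto"] == 6:
        return {**ip, **parse_tcp(l4), "quoted": False}
    if ip["proto"] == 1 and len(l4) >= 8 and l4[0] in (3, 11):
        inner_ip, inner_l4 = parse_ipv4(l4[8:])
        if inner_ip["proto"] == 6:
            return {**inner_ip, **parse_tcp(inner_l4), "quoted": True}
    return None


def lo16(v): return v & 0xFFFF
def hi16(v): return (v >> 16) & 0xFFFF


# One predicate per slide signature; names are this example's own.
SIGNATURES = {
    # slide 49: XoR.DDoS SYN flood -- IP_ID = SPORT, SEQ[1:2] = IP_ID
    "xor_ddos": lambda r: r["ip_id"] == r["sport"] and hi16(r["seq"]) == r["ip_id"],
    # slide 51: Mirai scanner -- SEQ = DST_IP
    "mirai_scan": lambda r: r["seq"] == r["dst"],
    # slide 46: ACK flood reported via ICMP -- DPORT = 0, SEQ[3:4] = 0 AND ACK[3:4] = 0
    "watchdog_ack_flood": lambda r: r["dport"] == 0 and lo16(r["seq"]) == 0
    and r["ack"] is not None and lo16(r["ack"]) == 0,
    # slide 54: the three signatures seen in the SYN flood on a Google IP
    "sport_eq_seq_hi": lambda r: r["sport"] == hi16(r["seq"]),
    "seq_lo_ffff": lambda r: lo16(r["seq"]) == 0xFFFF,
    "sport_eq_src_lo": lambda r: r["sport"] == lo16(r["src"]),
}


def match_signatures(buf):
    """Sorted names of every signature the packet satisfies (empty if none)."""
    rec = decode(buf)
    return [] if rec is None else sorted(n for n, p in SIGNATURES.items() if p(rec))


# --- constructed sample packets: documentation addresses, zero checksums ---
def mk_ipv4(src, dst, proto, ip_id, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, 64,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def mk_tcp(sport, dport, seq, ack, flags):
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)


DARKNET = "192.0.2.77"  # stands in for one address of the darknet
SAMPLE_XOR = mk_ipv4("198.51.100.9", DARKNET, 6, 0x1234, mk_tcp(0x1234, 80, 0x1234BEEF, 0, 0x02))
SAMPLE_MIRAI = mk_ipv4("203.0.113.5", DARKNET, 6, 1, mk_tcp(40000, 23, int(IPv4Address(DARKNET)), 0, 0x02))
SAMPLE_GOOGLE = mk_ipv4("203.0.113.66", DARKNET, 6, 9, mk_tcp(0x7142, 443, 0x7142FFFF, 0, 0x02))
SAMPLE_BENIGN = mk_ipv4("198.51.100.20", DARKNET, 6, 1000, mk_tcp(51515, 80, 0x5F3A1C9B, 0, 0x02))
SAMPLE_ECHO = mk_ipv4("198.51.100.2", DARKNET, 1, 5, struct.pack("!BBHI", 8, 0, 0, 0))
# ICMP port unreachable bounced to the darknet because the flood spoofed its
# address; the quoted inner packet carries the slide-46 ACK flood signature.
_inner = mk_ipv4(DARKNET, "203.0.113.200", 6, 7, mk_tcp(50000, 0, 0x0ABC0000, 0x00010000, 0x10))
SAMPLE_ICMP_ACK = mk_ipv4("198.51.100.1", DARKNET, 1, 3, struct.pack("!BBHI", 3, 3, 0, 0) + _inner)

if __name__ == "__main__":
    for name, pkt in [("xor", SAMPLE_XOR), ("mirai", SAMPLE_MIRAI), ("google", SAMPLE_GOOGLE),
                      ("benign", SAMPLE_BENIGN), ("echo", SAMPLE_ECHO), ("icmp-quoted", SAMPLE_ICMP_ACK)]:
        print(name, match_signatures(pkt))
```

Two things worth noticing when reading the matches: the XoR.DDoS packet also satisfies SPORT = SEQ[1:2], because IP_ID = SPORT together with SEQ[1:2] = IP_ID implies it, so overlapping signatures are the norm and an analyst reports the most specific one; and the ACK flood signature is only recoverable from the ICMP sample because the error message quotes the spoofed packet, which is exactly the situation slide 52 describes.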
55. Summary
Darknet is great, but it has its limitations.
We are observing a lot of different attacks, malicious activities and botnets.
We are especially interested in linking PGA signatures to particular malware or tools.
Results from darknet traffic analysis + data from other sources (sandboxes, honeypots and others) = a lot of operational info!
56. Other people involved in the presented work:
Adrian Korczak (NASK) - development.
Mateusz Goniprowski (NASK) – development.
Krzysztof Lasota – consultations.
Paweł Pawliński (CERT PL/NASK) – consultations.
360Netlab – PGA idea and intelligence.
57. This project has received funding from the European Union's Horizon 2020 research and innovation programme under grant agreement No 700176.
Thank you for your attention.
Twitter: @chudyPB
https://sissden.eu/blog
SISSDEN