Darknet (network telescope) is an unused space of IP addresses, where normally we should observe no network traffic. However, it occurs that a lot of network packets can be observed, although no services or applications are available at these IP addresses. Origin of this network traffic can be usually divided into three categories: (1) misconfiguration of network devices/applications, (2) scanning activities, (3) backscatter from DoS attacks. According to this, we can observe a lot of interesting activities in this traffic. First of all, it is possible to track DoS victims (spoofed attacks). Secondly, we can observe trends in the scanning activities, thus allowing us to identify new threats and potential victims. We can also track scanning activity related to the amplified DRDoS attacks, which are probably the most destructive DoS attacks. Moreover, we are able to track activity of some botnets and as a result, we are collecting data about the infected devices, botnets' behavior and sometimes about their victims (DoS). I am observing NASK's darknet traffic for several months. Mean number of packets received per hour is is equal to 25 millions. On this basis, I would like to talk about activities seen in darknet, present some statistics concerning this traffic, show some case-studies concerning observed DoS attacks and describe botnet fingerprinting in this traffic.

1. Piotr Bazydło
Darknet traffic – what can we
learn from nooks and crannies
of the internet
Research and Academic Computer Network NASK
Work performed during SISSDEN project.

2. 
Often called as „network telescope”.

An unused (dark) space of IP addresses.

In theory, there should be no network traffic.
What is darknet?

5. In practice, we can see a lot of different packets:

Misconfiguration of network devices/applications.
What is darknet?

6. Misconfiguration

7. In practice, we can see a lot of different packets:

Misconfiguration of network devices/applications.

Scanning activities.
What is darknet?

8. Scanning

9. Scanning

10. In practice, we can see a lot of different packets:

Misconfiguration of network devices/applications.

Scanning activities.

Backscatter from DoS attacks.
What is darknet?

11. DoS backscatter

12. DoS backscatter

13. In practice, we can see a lot of different packets:

Misconfiguration of network devices/applications.

Scanning activities.

Backscatter from DoS attacks.

Exploitation attempts.
What is darknet?

14. Exploitation attempts

15. In practice, we can see a lot of different packets:

Misconfiguration of network devices/applications.

Scanning activities.

Backscatter from DoS attacks.

Exploitation attempts.

Weird and undefined stuff.
What is darknet?

16. Our darknet consists of more than 100 000 IP addresses.
Statistically, we:

Receive about 25 000 000 000 packets per month (80% of
packets are TCP packets).

What gives us about 800 000 000 packets per day.

And more than 500 000 of packets per minute.
Some numbers

17. 
How to group these packets?

How to analyze them?

How to classify them into events?

How to define whether event is interesting or not?

How to fingerprint responsible actors?
Problems

18. 
Detect and analyze DoS attacks.

Fingerprint actors/botnets responsible for specific attacks.

Observe massive scan campaigns and observe responsible actors.

Observe botnets actions.

Forecast exploitation campaigns and even 0-day exploits.

Detect new signatures (Packet Generation Algorithm) in network
traffic.

And other related actions.
Okay, so what can we do with this traffic?

19. Geographical distribution of packets

21. Packets with
SEQ = IP_DST

25. Let’s fingerprint!
In total, about 45 000 unique IP addresses were fingerprinted (IoC).

28. Change of tactics
We can see that Satori has started to exploit different ports/devices.

29. Memcached

30. Memcached
Github 1.3
Tbps DoS

31. Memcached
Github 1.3
Tbps DoS Reported 1.7
Tbps DoS

32. Memcached
Github 1.3
Tbps DoS Reported 1.7
Tbps DoS

33. Day 1 – 20.02 (patient zero?)

Only 3 IP addresses – all located in the UK.

All 3 IP addresses within the same host – DigitalOcean.

Whole scan lasted about 25 minutes.

Only two source ports used (34860 and 43493).

One payload used (stats slabs with some additions).

34. Day 4 – 23.02

Only 2 IP addresses – UK and Singapore.

UK IP – the same as on 20.02.

Singapore ASN: Alibaba (China) Technology Co., Ltd.

Only two source ports used (34765 and 45931).

Guess what – still the same payload for both IP addresses.

Conclusion – we are probably still dealing with the single
actor.

35. Day 5 – 24.02 (new kid on the block?)

Only 1 IP addresses – USA.

ASN: AS27176 DataWagon LLC.

Source ports seems to be randomized.

New payload has been used.

Scan lasted longer (about 3 hours).

Looks like we have a new actor.

36. And so on… Pre-github scanners.

About 60 IP addresses.

Several scanning patterns.

37. After github DoS scanners.

About 315 IP addresses.

Multiple different scanning
patterns.

38. How can we define patterns?

Unique payloads types.

Unique source ports generation scheme.

Pairs of characteristics eg. source ports→ payload→
timeline.

And others.

39. How can we defined patterns?

40. How can we defined patterns?

41. Source Port = 22122

One IP from France.

ASN: AS12876 Online S.a.s.

42. Source Port = 11211

56 IPs from USA.

ASN: AS10439 CariNet

Pretty well organized (scan
performed by many IPs).

The same payload.

43. Telegram ban in Russia

44. Indeed – it’s a hit - source port 443

45. ACK mitigation technique?

46. Russian watchodg - another attack

On 19.04 – another attack.

Still SYN FLOOD and ACK mitigation technique.

However, we have received ICMP packets signalizing ACK
FLOOD.

Destination Port = 0

SEQ[3:4] = 0 AND ACK[3:4] = 0

47. PGA

Packet Generation Algorithm (firstly mentioned by 360Netlab).

Tools and malware often utilize different PGA in order to
simplify/fasten packet generation procedure.

We have developed tool for the automatic detection of various
PGA signatures.

Usually, based on some simple operations (bytes swaping,
incrementation, values hardcoding and others).

Usually seen during scanning or DoSing actions. However, PGA was
also spotted during C2 communication.

48. PGA

49. Why even bother?

Let’s compare SYN FLOOD packet
generation, while using legit PGA
and XoR.DDoS botnet PGA.

XoR.DDoS PGA:

IP_ID = SPORT,

SEQ[1:2] = IP_ID.

50. Why even bother?

Let’s compare SYN FLOOD packet
generation, while using legit PGA
and XoR.DDoS botnet PGA.

XoR.DDoS PGA:

IP_ID = SPORT,

SEQ[1:2] = IP_ID.
Assuming botnet with 100 000 machines:
2 400 000 more packets per second!

51. Mirai – ingenious scanning

SEQ = DST_IP

Faster.

Doesn’t have to store information about sent packets, as it can
only compare IP and ACK of incoming packet.

52. Is XoR.DDoS easily traceable?

Not really, as in SYN-ACK packets we lose information about
IP_ID used in PGA.

We can compare DPORT and ACK in SYN-ACK packets.

However, we sometimes receive ICMP packets with spoofed
packet included in the payload – in this case, we can identify
whole signature.

53. Signatures everywhere
SYN FLOOD on IP belonging to Google – full of PGA signatures.

54. Signatures everywhere
SYN FLOOD on IP belonging to Google – full of PGA signatures.
1. SPORT = SEQ[1:2]
2. SEQ[3:4] = 0xFFFF
3. SPORT = IP_SRC[3:4]
1
2 3

55. Summary

Darknet is great, but it has its limitations.

We are observing a lot of different attacks, malicious activities
and botnets.

We are especially interested in linking PGA signatures to
particular malware or tools.

Results from darknet traffic analysis + data from other sources
(sandboxes, honeypots and others) = a lot of operational info!

56. Other people involved in the presented work:
Adrian Korczak (NASK) - development.
Mateusz Goniprowski (NASK) – development.
Krzysztof Lasota – consultations.
Paweł Pawliński (CERT PL/NASK) – consultations.
360Netlab – PGA idea and intelligence.

57. This project has received funding from the European Union’s Horizon 2020 research and
innovation programme under grant agreement No 700176.
Thank you for your attention.
Twitter: @chudyPB
https://sissden.eu/blog
SISSDEN