[ale] [OT] Voicepulse question

Michael H. Warfield mhw at wittsend.com
Thu Dec 9 23:33:53 EST 2004


On Thu, Dec 09, 2004 at 05:16:35PM -0600, Aditya Srinivasan wrote:
> Michael,

> On Thu, 9 Dec 2004, Michael H. Warfield wrote:

> > 	"Dark addresses" and "dark networks" are terms that are in use by
> > some of us and some of us (I for one) run dark networks.  These are also,
> > sometimes, referred to as "net telescopes".  They are addresses (public,
> > advertised, and fully routable) which have nothing on them and configured
> > to not even return errors or ICMP returns.  Thus they are "dark" or "black
> > hole" addresses.  Packets route in, nothing ever comes back.  The largest
> > "dark network" I know of, for sure, is CAIDA's /8 net telescope (mine
> > is a bit less than a /17).  These are what, at least in the security
> > community, are referred to as "dark addresses" or "dark networks".

> > 	I also have some addresses which are "grey".  They respond to
> > pings "ICMP ECHO request and reply" but everything else is black holed.
> > That's set up for "bump and bite" malware that likes to ping an address
> > first and then attempt to connect to a target.  But that's not as
> > much in common use as the term "dark net" or "dark address" to refer
> > to addresses which are totally black holed and totally dark.

> Thanks for the explanation. 

> What are dark nets used for, other than for keeping track of viruses/worms 
> that attempt to scan IP addresses and make connections.

	That can be quite sufficient.  But it's not just viruses and
worms and when you start to correlate the data with geographic data,
country codes, and ASNs, things get interesting.  Sometimes, you
can track some of this down to points of origin or even correlate
attack vectors and seeding patterns.

	Sometimes you can track people doing really nefarious scans.
One chump a few years ago tried being stealthy by incrementing his
address scans in reverse octet order, so someone on a /24 only saw a
hit every few minutes.  Sometimes, when a vulnerability comes out, we
watch as some lowlifes start doing prescans, such as some recent mysql
activity.  Sometimes we can watch the battle bot nets get into shelling
matches (backscatter of resets and ICMP unreachables from spoofed
packets).  Sometimes we can detect and analyse activity relating to
stealthy communications channels and covert channels.  Sometimes we
watch the mass rooters cut loose on known backdoors and we get a
heads up that a new vuln and exploit is loose in the underground.

> Who funds this service ? And how do they profit ?

	I'm the Senior Researcher and Fellow on the X-Force and Internet
Security Systems.  Part of my job.  Part of what we do is intelligence
gathering and threat analysis.

	Others, it's part of academic research (CAIDA).  Others, it's
government sponsored (some of the CERT research).  Others, like us,
it's part of their business.  Others, like me, it's an obsession...

> Thanks,
> sriad

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
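The analysis Mike describes rests on one property of a dark address: nothing there ever speaks first, so every packet that arrives is either a probe or backscatter provoked by someone spoofing the telescope's addresses elsewhere. The following is an added example, not Mike's code or anything from ISS, showing how that classification and two of the patterns he mentions (a sweep that increments the high-order octets first so a single /24 sees only a trickle, and the "bump and bite" ping-then-connect sequence against a grey address) can be detected over a constructed capture. The telescope prefix 10.128.0.0/17, the record format and every address in the sample are assumptions made for the example; the real prefix is not given on the page.

```python
"""Toy network-telescope analyzer over a constructed inbound capture."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption for the example: the dark net is 10.128.0.0/17 (RFC 1918 space
# chosen so no real network is named). A real telescope is publicly routed.
TELESCOPE = ip_network("10.128.0.0/17")

# Constructed sample, not a real capture. Format: "ts src dst proto info",
# where info is TCP flags (S, SA, R) or the ICMP type number.
SAMPLE = """\
0.01 192.0.2.10 10.128.0.7 tcp S
0.02 192.0.2.10 10.128.1.7 tcp S
0.03 192.0.2.10 10.128.2.7 tcp S
0.04 192.0.2.10 10.128.3.7 tcp S
0.05 192.0.2.10 10.128.4.7 tcp S
1.00 198.51.100.5 10.128.9.1 tcp R
1.10 198.51.100.5 10.128.9.2 tcp SA
1.20 203.0.113.9 10.128.40.3 icmp 3
2.00 203.0.113.77 10.128.20.5 icmp 8
2.30 203.0.113.77 10.128.20.5 tcp S
3.00 192.0.2.200 10.128.0.1 tcp S
3.01 192.0.2.200 10.128.0.2 tcp S
3.02 192.0.2.200 10.128.0.3 tcp S
"""


@dataclass
class Pkt:
    ts: float
    src: str
    dst: str
    proto: str
    info: str


def parse(text):
    """Parse the sample format; refuse anything not aimed at the telescope."""
    pkts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, info = line.split()
        if ip_address(dst) not in TELESCOPE:
            raise ValueError(f"{dst} is not a telescope address")
        pkts.append(Pkt(float(ts), src, dst, proto, info))
    return pkts


def classify(p):
    """A dark address never originates traffic, so reply-type packets
    (RST, SYN-ACK, ICMP unreachable/time-exceeded) can only be backscatter
    from spoofed packets that used our addresses as source."""
    if p.proto == "tcp":
        flags = set(p.info)
        if flags == {"S"}:
            return "probe"
        if "R" in flags or flags == {"S", "A"}:
            return "backscatter"
        return "other"
    if p.proto == "icmp":
        return {"8": "probe", "3": "backscatter", "11": "backscatter"}.get(p.info, "other")
    if p.proto == "udp":
        return "probe"
    return "other"


def reverse_octet_sweeps(pkts, min_hits=4):
    """Sources walking the telescope with the last octet fixed and the third
    octet climbing: each /24 sees one hit per pass, the telescope sees the stride."""
    by_src = defaultdict(list)
    for p in pkts:
        if classify(p) == "probe":
            by_src[p.src].append(p)
    hits = {}
    for src, plist in by_src.items():
        octets = [tuple(int(o) for o in p.dst.split("."))
                  for p in sorted(plist, key=lambda p: p.ts)]
        if len(set(octets)) < min_hits:
            continue
        third = [o[2] for o in octets]
        if len({o[3] for o in octets}) == 1 and all(b > a for a, b in zip(third, third[1:])):
            hits[src] = len(octets)
    return hits


def bump_and_bite(pkts, window=5.0):
    """Pair an ICMP echo request with a TCP SYN from the same source to the
    same (grey) address within `window` seconds."""
    pings, found = {}, []
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.proto == "icmp" and p.info == "8":
            pings[(p.src, p.dst)] = p.ts
        elif p.proto == "tcp" and set(p.info) == {"S"}:
            t0 = pings.get((p.src, p.dst))
            if t0 is not None and 0 <= p.ts - t0 <= window:
                found.append((p.src, p.dst))
    return found


def summarize(text):
    pkts = parse(text)
    counts = defaultdict(int)
    for p in pkts:
        counts[classify(p)] += 1
    return {"counts": dict(counts),
            "sweeps": reverse_octet_sweeps(pkts),
            "bump_and_bite": bump_and_bite(pkts)}


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, the five SYNs from 192.0.2.10 land on .7 in five consecutive /24s and are reported as one sweep, while 192.0.2.200 walking 10.128.0.1, .2, .3 in normal order is not; the RST, SYN-ACK and ICMP unreachable are counted as backscatter because no host on a dark address could have provoked them. Correlating the flagged sources with geographic and ASN data, as the message suggests, is the step that follows.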