The primary objective of the SISSDEN project is to offer National CERTs, ISPs and network owners free reports on malicious activity detected on their networks. One of the methods by which data is collected is darknets, also known as network telescopes. Darknets are unused sets of IP addresses which, in theory, should observe no traffic. In practice, a lot of traffic reaches such networks through activities such as Internet scanning, malware propagation or backscatter from spoofed DDoS attacks, so these packets can often be classified immediately as suspicious or malicious. Additional packet fingerprinting measures can be employed to attribute such packets to the tools or malware that sent them.
In SISSDEN, darknets complement honeypots, which are the primary source of data collection. Although darknets do not offer as much depth on observed attack techniques as honeypots do, their scale, which usually vastly exceeds that of honeypot installations, can offer a lot of insight into many Internet phenomena. To illustrate the scale, in one darknet operated by SISSDEN, covering over 100k IP addresses, we typically observe:
- about 25,000,000,000 packets per month,
- about 800,000,000 packets per day,
- about 550,000 packets per minute.
Darknets are a good source of information for the following:
- Detection and analysis of DoS attacks.
- Fingerprinting of DDoS mitigation techniques.
- Fingerprinting of actors/botnets responsible for specific attacks.
- Observation of massive scan campaigns (which may include 0-day exploitation attempts) and of the actors responsible for them.
- Observation of botnet actions.
- Forecasting of exploitation campaigns (trend analysis).
- Detection of new signatures (packet generation algorithms) in network traffic.
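As an added example (not SISSDEN's own fingerprinting code, and the page does not spell out which signatures it uses), the following Python shows what a packet generation algorithm fingerprint looks like in practice. It encodes one well-known Mirai trait taken from the botnet's public source code rather than from this page: the SYN scanner writes the destination IPv4 address into the TCP sequence number field. All packets, addresses and ports below are constructed.

```python
"""Packet generation algorithm (PGA) fingerprint for Mirai-style SYN scanning.

Added example, not SISSDEN's own fingerprinting code. The check encodes one
well-known Mirai trait taken from the botnet's public source, not from this
page: its scanner writes the destination IPv4 address into the TCP sequence
number field. The packets below are constructed, with zeroed checksums, purely
to exercise the parser and the check.
"""
import ipaddress
import socket
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10


def parse_ipv4_tcp(pkt: bytes):
    """Extract the header fields the fingerprint needs from a raw IPv4/TCP
    packet; return None for anything that is not a complete IPv4/TCP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length, including options
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        return None                    # bad IHL, not TCP, or truncated
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return {
        "src_ip": socket.inet_ntoa(pkt[12:16]),
        "dst_ip": socket.inet_ntoa(pkt[16:20]),
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "flags": off_flags & 0x1FF,    # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    }


def is_mirai_like(fields) -> bool:
    """True for a bare SYN whose sequence number equals the destination address
    read as a big-endian 32-bit integer. A random ISN matches by chance with
    probability 2**-32, so a hit is a strong signal."""
    if fields is None:
        return False
    bare_syn = (fields["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return bare_syn and fields["seq"] == int(ipaddress.IPv4Address(fields["dst_ip"]))


def build_syn(src_ip, dst_ip, sport, dport, seq) -> bytes:
    """Constructed 40-byte IPv4+TCP SYN with zero checksums (header parsing only)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0,
                          (5 << 12) | TCP_SYN, 5840, 0, 0)
    return ip_hdr + tcp_hdr


DARKNET_IP = "203.0.113.5"
SAMPLE_PACKETS = [
    # Mirai PGA: seq == destination address, telnet ports
    build_syn("198.51.100.10", DARKNET_IP, 34567, 23, int(ipaddress.IPv4Address(DARKNET_IP))),
    build_syn("198.51.100.10", DARKNET_IP, 34568, 2323, int(ipaddress.IPv4Address(DARKNET_IP))),
    # Ordinary scanner: unrelated initial sequence number
    build_syn("192.0.2.77", DARKNET_IP, 51000, 445, 0x1A2B3C4D),
    # IPv4/UDP datagram (protocol 17): not TCP, skipped by the parser
    b"\x45\x00\x00\x1c" + b"\x00" * 5 + b"\x11" + b"\x00" * 18,
]


def classify(packets):
    """Tag each TCP packet the way the report's tag column would; non-TCP is dropped."""
    out = []
    for pkt in packets:
        f = parse_ipv4_tcp(pkt)
        if f is not None:
            out.append((f["src_ip"], f["dport"], "mirai-like" if is_mirai_like(f) else ""))
    return out


if __name__ == "__main__":
    for src, dport, tag in classify(SAMPLE_PACKETS):
        print(f"{src} -> {DARKNET_IP}:{dport} {tag or 'unclassified'}")
```

In a real deployment the packets would come from a pcap or a raw socket on the darknet sensor rather than from the constructed list. The check deliberately does not restrict destination ports: Mirai variants have moved beyond 23/2323 while keeping the sequence-number trait, whereas a variant that changes its scanner's PGA will simply not match and needs a new signature.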
Events from one of the SISSDEN darknets are sent out in reports in the format provided below. Most importantly, packet generation algorithms (PGAs) are used to fingerprint incoming traffic and attribute it to specific malware families; currently this is done for Mirai and Mirai-variant botnets.
| Field | Description |
|---|---|
| timestamp | Time the packet was registered, in UTC |
| ip | The source IP registered (IP of the sender) |
| port | Source port |
| asn | ASN announcing the source IP |
| geo | Country where the source IP resides |
| region | State / Province / Administrative region where the source IP resides |
| city | City where the source IP resides |
| hostname | PTR record of the source IP |
| type | Additional information on activity type |
| dst_ip | Destination IP of the packet (i.e. in the darknet) |
| dst_port | Destination port |
| dst_asn | ASN announcing the destination IP |
| dst_geo | Country where the destination IP resides |
| count | Packet count, if recorded |
| naics | North American Industry Classification System code of the source IP |
| sic | Standard Industrial Classification code of the source IP |
| dst_naics | North American Industry Classification System code of the destination IP |
| dst_sic | Standard Industrial Classification code of the destination IP |
| sector | Sector the source IP belongs to |
| dst_sector | Sector the destination IP belongs to |
| family | Additional family classification of the activity |
| tag | Classification of the activity, e.g. mirai-like |
| public_source | Source of the data, for cases where the source accepts being credited |
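To show what a recipient does with a report in this format, the following is an added example rather than SISSDEN's or Shadowserver's own code. It parses the daily CSV using the column names from the table above, rejects rows whose column count does not match the header, and produces the two things a CSIRT or network owner usually wants first: destination ports weighted by packet count for a given tag, and a per-source-IP notification queue for its own ASNs. The sample rows, addresses (documentation ranges) and ASNs (private-use range) are constructed.

```python
"""Parser and triage helpers for the SISSDEN darknet report in CSV form.

Added example, not SISSDEN's or Shadowserver's own code. The column names follow
the field table above; the sample rows are constructed (documentation address
ranges, private-use ASNs) and are not real report data.
"""
import csv
import io
from collections import Counter

HEADER = ("timestamp,ip,port,asn,geo,region,city,hostname,type,dst_ip,dst_port,"
          "dst_asn,dst_geo,count,naics,sic,dst_naics,dst_sic,sector,dst_sector,"
          "family,tag,public_source")

# Constructed sample report: two Mirai-tagged SYN probes from one host, an
# untagged SMB probe, and a UDP probe with no packet count recorded.
SAMPLE_REPORT = "\n".join([
    HEADER,
    '"2018-10-31 00:00:01",198.51.100.10,34567,64500,PL,Mazowieckie,Warsaw,,tcp,203.0.113.5,23,64501,NL,12,,,,,,,mirai,mirai-like,',
    '"2018-10-31 00:00:02",198.51.100.10,34568,64500,PL,Mazowieckie,Warsaw,,tcp,203.0.113.9,2323,64501,NL,3,,,,,,,mirai,mirai-like,',
    '"2018-10-31 00:00:03",192.0.2.77,51000,64502,DE,Bayern,Munich,host77.example.net,tcp,203.0.113.20,445,64501,NL,1,,,,,,,,,',
    '"2018-10-31 00:00:04",192.0.2.78,,64502,DE,,,,udp,203.0.113.21,53,64501,NL,,,,,,,,,,',
])

# Columns that carry integers when present; empty cells become None.
INT_FIELDS = ("port", "asn", "dst_port", "dst_asn", "count",
              "naics", "sic", "dst_naics", "dst_sic")


def parse_report(text):
    """Parse one report into a list of dicts keyed by the header names.

    Rejects rows whose column count disagrees with the header instead of
    silently shifting values into the wrong field, which csv.DictReader
    would otherwise do (extra cells land under key None, missing ones as None)."""
    rows = []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        if None in row or any(v is None for v in row.values()):
            raise ValueError(f"line {lineno}: column count does not match header")
        for key in INT_FIELDS:
            row[key] = int(row[key]) if row[key] else None
        rows.append(row)
    return rows


def top_destination_ports(rows, tag=None, n=5):
    """Destination ports weighted by packet count (1 when count is empty),
    optionally restricted to one classification tag such as 'mirai-like'."""
    ports = Counter()
    for r in rows:
        if tag is None or r["tag"] == tag:
            ports[r["dst_port"]] += r["count"] or 1
    return ports.most_common(n)


def notify_queue(rows, my_asns):
    """Group events whose source ASN is one of ours by source IP: the list a
    network owner or CSIRT would hand to its abuse desk."""
    queue = {}
    for r in rows:
        if r["asn"] not in my_asns:
            continue
        entry = queue.setdefault(r["ip"], {"asn": r["asn"], "packets": 0,
                                           "dst_ports": set(), "tags": set()})
        entry["packets"] += r["count"] or 1
        entry["dst_ports"].add(r["dst_port"])
        if r["tag"]:
            entry["tags"].add(r["tag"])
    return {ip: {"asn": e["asn"], "packets": e["packets"],
                 "dst_ports": sorted(e["dst_ports"]), "tags": sorted(e["tags"])}
            for ip, e in queue.items()}


if __name__ == "__main__":
    events = parse_report(SAMPLE_REPORT)
    print("mirai-like ports:", top_destination_ports(events, tag="mirai-like"))
    for ip, info in notify_queue(events, {64500, 64502}).items():
        print(ip, info)
```

Treating an empty count as one packet is a choice for the notification queue; for volume statistics it may be better to keep such rows separate, since a sensor that does not record counts will otherwise be under-weighted against one that does.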
As of 31 October 2018, the Darknet report has been included in Shadowserver's reports and is sent to 92+ National CSIRTs and 4200+ network owners (including 1200+ in the EU) as part of the free daily victim remediation feeds, in easily parsable CSV format. Anonymized samples of the reports being sent out are available here. If you are a network owner or CSIRT and wish to receive reports from SISSDEN, you can either subscribe directly to Shadowserver's feeds or do so through the recently launched SISSDEN Customer Portal. Existing Shadowserver subscribers will receive the free Darknet report automatically on a daily basis.
This is the fifth SISSDEN report sent out to the CSIRT community (and to all subscribed network owners), after the Amplification DDoS Victim report (going out since 25 October 2018), the ICS Scanner report (since 20 September 2018), the HTTP Scanner report (since 13 September 2018) and the Brute Force report, which has been going out on a daily basis since April 2018.