Shared Darknet Project Internet2 Spring 2006 Member Meeting Doug Pearson Technical Director, REN-ISAC.


REN-ISAC Is an integral part of U.S. higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response; is specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks; and supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.

REN-ISAC Activities
–A vetted trust community for R&E cybersecurity
–Information-sharing and communications channels
–Information products aimed at protection and response
–Participation in mitigation communities
–Incident response: 24x7 Watch Desk ( )
–Improvement of R&E security posture
–Research & Education Cybersecurity Contact Registry
–Security work in specific communities
–Participation in other higher education and national efforts for cyber infrastructure protection

REN-ISAC Membership A trusted community for sharing sensitive information regarding cybersecurity threat, incidents, response, and protection, specifically designed to support the unique environment and needs of higher education and research organizations. Membership is oriented to permanent staff with organization-wide responsibility for cybersecurity protection or response at an institution of higher education, teaching hospital, research and education network provider, or government-funded research organization.

Certain Threats Certain types of worms and attacks scan the network for vulnerable hosts to infect, e.g. –Blaster exploited MS DCOM RPC on TCP/135 –Veritas Backup Exec vulnerabilities via TCP/6101 –Weak MySQL root user passwords via TCP/3306 –And many, many more! (Chart: TCP/3306 sources seen in Jan 2005, after the introduction of a bot scanning for weak MySQL root user passwords.)

Darknet Is a type of network security sensor used to detect scanning systems. A darknet collector listens on one or more blocks of routed, allocated, but unused IP address space and records the incoming traffic. Because the IP space is unused (hence "dark") there should be very little legitimate traffic entering the darknet. But, as it turns out, a good deal of traffic enters darknets, mostly coming from malware and attack reconnaissance, such as worms and bots scanning for new systems to infect, automated scanning for SSH servers on which to conduct password attacks, etc.

Darknet A darknet is a very useful security tool – worm and other malware infected systems can be positively identified by source IP address and then referred for isolation and remediation. Several universities use a darknet in conjunction with other protection methods. Darknets can be fairly simple to set up and operate and provide useful results. Some guides to darknets: –Team Cymru Darknet Project –Internet Motion Sensor Project

Darknets REN-ISAC operates a darknet, and: –sends notifications of observed scanning sources (i.e. infected systems) to the security contact at the source-owning institution, –uses the darknet to monitor for new or changing behaviors, i.e. situational awareness, and –provides statistics of activity observed in the darknet to its members via the Daily Weather Report.

Sample Daily Notification

Shared Darknet Project A development effort of the SALSA CSI2 activity. The aim is to develop a wide-aperture, powerful network security sensor that will directly serve higher-education and research institutions, and indirectly serve Internet users at large. To participate in the Shared Darknet Project, institutions that run darknets send their collector data (only the hits from outside their institution) to REN-ISAC. The data is analyzed to identify compromised machines by source IP address, the destination ports involved, the number of "hits" seen, and the timestamps of the activity.
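The aggregation the slide describes (per source IP: destination ports, hit count, first/last timestamp, with hits from the institution's own address space held back before sharing) as an added example; this is not REN-ISAC's or any participating site's code. The log format, the TEST-NET-1 prefix standing in for the dark block, the 10.0.0.0/8 "local space" and the sample lines are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Assumptions for this example: 192.0.2.0/24 (TEST-NET-1) stands in for the
# routed-but-unused block the collector listens on, and 10.0.0.0/8 stands in
# for the institution's own address space. Both are placeholders.
DARKNET = ipaddress.ip_network("192.0.2.0/24")
LOCAL_SPACE = (ipaddress.ip_network("10.0.0.0/8"),)

# Constructed sample of collector output, one packet per line:
#   <unix_ts> <src_ip> <dst_ip> <proto> <dst_port>
SAMPLE_LOG = """\
1105531200 198.51.100.7 192.0.2.10 tcp 3306
1105531201 198.51.100.7 192.0.2.11 tcp 3306
1105531202 198.51.100.7 192.0.2.12 tcp 3306
1105531220 198.51.100.7 192.0.2.9 udp 1434
1105531205 203.0.113.44 192.0.2.200 tcp 135
1105531206 203.0.113.44 192.0.2.201 tcp 6101
1105531210 10.1.2.3 192.0.2.5 tcp 22
1105531211 10.1.2.3 192.0.2.6 tcp 22
1105531230 198.51.100.9 203.0.113.1 tcp 80
"""


@dataclass
class SourceSummary:
    first_seen: int
    last_seen: int
    hits: int = 0
    ports: dict = field(default_factory=lambda: defaultdict(int))  # "tcp/3306" -> hits
    targets: set = field(default_factory=set)                       # distinct dark IPs


def is_local(ip):
    return any(ip in net for net in LOCAL_SPACE)


def summarise(log_text, darknet=DARKNET, share_local=False):
    """Aggregate darknet hits per source IP.

    Packets not destined for the dark block are ignored. Hits from the
    institution's own address space are dropped unless share_local is set,
    which is the "only the hits from outside their institution" rule for
    data handed to the shared collector.
    """
    summaries = {}
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, port = line.split()
        if ipaddress.ip_address(dst) not in darknet:
            continue
        if not share_local and is_local(ipaddress.ip_address(src)):
            continue
        ts = int(ts)
        s = summaries.get(src)
        if s is None:
            s = summaries[src] = SourceSummary(first_seen=ts, last_seen=ts)
        s.hits += 1
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        s.ports[f"{proto}/{port}"] += 1
        s.targets.add(dst)
    return summaries


def scanning_sources(summaries, min_targets=2):
    """Sources that touched at least min_targets distinct dark addresses.

    A single hit may be backscatter (a SYN/ACK from the victim of a
    spoofed-source flood) or a typo; touching several dark addresses
    is the signature of a scanner.
    """
    return sorted(src for src, s in summaries.items() if len(s.targets) >= min_targets)


def format_notification(src, s):
    """Render one source in the style of a daily notification to the owning site."""
    ports = ", ".join(f"{p} ({n})" for p, n in sorted(s.ports.items(), key=lambda kv: -kv[1]))
    return (f"source={src} hits={s.hits} dark_targets={len(s.targets)} "
            f"first={s.first_seen} last={s.last_seen} ports={ports}")


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for src in scanning_sources(summary):
        print(format_notification(src, summary[src]))
```

Run as-is it reports the two external scanners and keeps the 10.1.2.3 hits local; the 198.51.100.9 packet is dropped because its destination is not in the dark block, which matters when the collector sees a span port rather than only the dark prefix.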

Shared Darknet Project REN-ISAC sends notifications of compromised R&E machines directly to the security contacts at the institution that owns the source address, and REN-ISAC sends reports to its members containing information about trends and new activity seen in the Shared Darknet sensor space. Notifications are sent to R&E sources regardless of whether the institution is a participant in the Shared Darknet Project or not, and notifications of non-R&E sources are forwarded in aggregate to related private network security collaborations on a best-effort basis.

Shared Darknet Project - Benefits Wide aperture (a large amount of IP address space, widely distributed) = a more powerful sensor than a standalone system. Resilient to counterintelligence = difficult for miscreants to identify and intentionally avoid the darknet. Combined brainpower. An excellent picture of what's affecting R&E. Will enable substantial progress in combating worms and other malicious activity that relies on scanning for vulnerable systems.

Shared Darknet Project - Why (Figure: one lonely /16 darknet in the entire IPv4 space, drawn ~10x wider than to scale, versus the distributed address space of a Shared Darknet Project.)

Policy Anticipate lightweight policy considerations: –these are unsolicited scans of your network resources, after all, –no need to deal with payload, –institutions keep the hits from their local sources to themselves and only share hits coming from external sources, and –information is shared within established trust communities. Developing a lightweight participation MOU.

Phase X / Related Project RENOIR – Research and Education Networking Operational Information Retrieval –A development effort of the SALSA CSI2 activity, led by WPI / Phil Deneault –RENOIR utilizes standards-based methods (e.g. IODEF and the work of the IETF INCH Working Group) to provide an inter-institutional incident information exchange implemented within a trust community, and provides methods for organizing and correlating units of related information into synoptic incident views.
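What an IODEF exchange of one darknet notification looks like, as an added example that is not RENOIR's code (the page does not show RENOIR's schema profile): the sending side serialises one source's activity as an IODEF Incident and the receiving peer parses it back. Element and attribute names follow IODEF 1.0 as later published in RFC 5070; the incident-ID namespace, the reporter name, the use of Impact type="recon" for scanning and the hit record are this example's own conventions and constructed values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", IODEF_NS)
PROTO_NUM = {"tcp": 6, "udp": 17}
PROTO_NAME = {v: k for k, v in PROTO_NUM.items()}

# Constructed record, the shape a darknet summariser would hand over:
# per-target ports, total packets and the observation window (unix time).
SAMPLE_HIT = {
    "source": "198.51.100.7",
    "targets": {"192.0.2.10": ["tcp/3306"], "192.0.2.11": ["tcp/3306"], "192.0.2.9": ["udp/1434"]},
    "hits": 3,
    "first_seen": 1105531200,
    "last_seen": 1105531220,
}


def _q(tag):
    return f"{{{IODEF_NS}}}{tag}"


def _iso(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_iodef(hit, incident_id, reporter, report_time):
    """Serialise one source's darknet activity as an IODEF Incident (sender side).

    Child order inside Incident and System follows the IODEF 1.0 schema.
    reporter is the CSIRT namespace carried in IncidentID/@name (assumed value).
    """
    root = ET.Element(_q("IODEF-Document"), version="1.00")
    inc = ET.SubElement(root, _q("Incident"), purpose="reporting")
    ET.SubElement(inc, _q("IncidentID"), name=reporter).text = incident_id
    ET.SubElement(inc, _q("StartTime")).text = _iso(hit["first_seen"])
    ET.SubElement(inc, _q("EndTime")).text = _iso(hit["last_seen"])
    ET.SubElement(inc, _q("ReportTime")).text = _iso(report_time)
    ET.SubElement(ET.SubElement(inc, _q("Assessment")), _q("Impact"), type="recon")
    contact = ET.SubElement(inc, _q("Contact"), role="creator", type="organization")
    ET.SubElement(contact, _q("ContactName")).text = reporter
    flow = ET.SubElement(ET.SubElement(inc, _q("EventData")), _q("Flow"))
    src = ET.SubElement(flow, _q("System"), category="source")
    ET.SubElement(ET.SubElement(src, _q("Node")), _q("Address"), category="ipv4-addr").text = hit["source"]
    ET.SubElement(src, _q("Counter"), type="packet").text = str(hit["hits"])
    for addr, ports in sorted(hit["targets"].items()):
        tgt = ET.SubElement(flow, _q("System"), category="target")
        ET.SubElement(ET.SubElement(tgt, _q("Node")), _q("Address"), category="ipv4-addr").text = addr
        for p in ports:
            proto, port = p.split("/")
            svc = ET.SubElement(tgt, _q("Service"), ip_protocol=str(PROTO_NUM[proto]))
            ET.SubElement(svc, _q("Port")).text = port
    return ET.tostring(root, encoding="utf-8")


def parse_iodef(doc):
    """Recover the hit record from an IODEF document received from a peer (receiver side)."""
    ns = {"iodef": IODEF_NS}
    inc = ET.fromstring(doc).find("iodef:Incident", ns)
    flow = inc.find("iodef:EventData/iodef:Flow", ns)
    src = flow.find("iodef:System[@category='source']", ns)
    targets = {}
    for tgt in flow.findall("iodef:System[@category='target']", ns):
        ports = [f"{PROTO_NAME[int(svc.get('ip_protocol'))]}/{svc.find('iodef:Port', ns).text}"
                 for svc in tgt.findall("iodef:Service", ns)]
        targets[tgt.find("iodef:Node/iodef:Address", ns).text] = ports
    return {
        "reporter": inc.find("iodef:IncidentID", ns).get("name"),
        "incident_id": inc.find("iodef:IncidentID", ns).text,
        "source": src.find("iodef:Node/iodef:Address", ns).text,
        "hits": int(src.find("iodef:Counter", ns).text),
        "targets": targets,
        "start": inc.find("iodef:StartTime", ns).text,
    }


if __name__ == "__main__":
    doc = build_iodef(SAMPLE_HIT, "SDP-2005-0001", "sdp.example.edu", 1105534800)
    print(doc.decode())
    print(parse_iodef(doc))
```

The point of the structured form over a free-text daily mail is the receiving side: a site can route the notification on IncidentID/@name and the source address without parsing prose, and the same document can be correlated with other reports about the same source, which is the "synoptic incident view" the slide refers to.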

RENOIR and the SDP (Diagram: Registry, AAA, Shared Darknet Project, RENOIR.)

R&D and Opportunity Areas Trend analysis - best techniques and methods Noise reduction, e.g. noise from P2P NAT and firewall traversal methods New ways of representing results –e.g. payload analysis

Interested to Participate? As an SDP site or in the R&D and Opportunity areas… Anticipate a May start-up of pilot sites. See me: –Doug Pearson, or –Chris Misra. Also: –Join the REN-ISAC darknet discussion mailing list (open to REN-ISAC members); send to:

Contacts Research and Education Networking ISAC 24x7 Watch Desk: +1(317) Membership: Doug Pearson