Greynets: Passive Detection of Unsolicited Network Scans in Small ISP and Enterprise Networks
Introduction
This project involves the development of software to allow easy setup and deployment of a ‘greynet’ by system administrators. Greynets passively monitor selected unused IP addresses across an entire enterprise or ISP network ([1], [2]), and should be effective in quickly detecting network-based attackers scanning across an edge network’s IP address space looking for hosts to infect. Network-borne host infections are a common precursor to the development of zombies and botnets, from which much email (and other types of) spam is launched. Early detection of infection attempts will assist in the fight against spam.
Acknowledgement
This work is supported by a grant from the auDA Foundation made in December 2007. The auDA Foundation is a charitable trust established by .au Domain Administration Limited (auDA) to promote and encourage education and research activities that will enhance the utility of the Internet for the benefit of the Australian community.
News
We are pleased to announce the release of CAIA Greynets Toolkit 0.5.8.
Background
Network operators are continually challenged by the task of defending their Internet Protocol (IP) networks from network-based attacks. Viruses and worms regularly probe large swathes of IP space, looking for vulnerable hosts to infect and then build into the ‘zombie farms’ and botnets from which much spam originates. We expect that early detection of pre-infection network probes will assist in the fight against email (and similar) spam.
In the past few years network-layer darknets have increasingly been explored as a means by which network administrators can monitor for anomalous, externally sourced traffic. However, current darknet designs require large, contiguous blocks of unused IP addresses, which is not always feasible for operators of small ISP or enterprise networks.
We introduce the concept of a greynet: a region of IP address space that is sparsely populated with darknet IP addresses interspersed with active (or ‘lit’) IP addresses. Our project involves the development of software to allow easy setup and deployment of a greynet network monitoring system. Greynets passively monitor selected unused IP addresses across an entire enterprise or ISP network and have been previously described and analysed in [1] and [2]. Greynets are effective in detecting malware scanning across a network’s IP address space looking for hosts to infect as a prelude to larger network attacks.
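The following is an added example, not code from the CAIA Greynets Toolkit, showing the detection logic a greynet relies on: because a monitored unused address never initiates traffic, every packet addressed to it is unsolicited by definition, and a single source touching several such addresses in a short window is a strong scan indicator even though the same subnet is mostly lit. The subnet, the set of greynet addresses, the packet record layout and the thresholds are all constructed for this illustration.

```python
"""
Added example: minimal passive greynet scan detection.

A greynet is a subnet where most addresses are in use ('lit') but a few are
deliberately left unused and monitored.  Traffic to lit hosts is ignored
(the greynet says nothing about it); traffic to an unused address is
unsolicited, and a source hitting several unused addresses is flagged.
All addresses, records and thresholds here are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Hypothetical greynet: a /24 that is mostly lit, with six addresses
# deliberately left unused and monitored (constructed values).
SUBNET = ipaddress.ip_network("192.0.2.0/24")
GREYNET_ADDRS = {ipaddress.ip_address(f"192.0.2.{h}") for h in (5, 17, 42, 99, 133, 200)}

# Constructed packet records: (timestamp_seconds, src_ip, dst_ip, dst_port).
SAMPLE_PACKETS = [
    (0.0, "198.51.100.7", "192.0.2.10", 80),    # lit host, ordinary traffic
    (1.0, "198.51.100.7", "192.0.2.10", 443),
    (2.0, "203.0.113.9", "192.0.2.5", 445),     # greynet address
    (2.1, "203.0.113.9", "192.0.2.6", 445),     # lit host, same source
    (2.2, "203.0.113.9", "192.0.2.17", 445),    # greynet address
    (2.3, "203.0.113.9", "192.0.2.42", 445),    # greynet address
    (2.4, "203.0.113.9", "192.0.2.99", 445),    # greynet address
    (50.0, "198.51.100.8", "192.0.2.133", 22),  # single stray packet
]


def is_greynet_dst(dst):
    """True when the destination is one of the monitored unused addresses."""
    addr = ipaddress.ip_address(dst)
    return addr in SUBNET and addr in GREYNET_ADDRS


def count_unsolicited(packets):
    """Per-source count of packets sent to greynet addresses.  Every such
    packet is unsolicited, so even a count of one is worth logging."""
    counts = defaultdict(int)
    for _ts, src, dst, _port in packets:
        if is_greynet_dst(dst):
            counts[src] += 1
    return dict(counts)


def detect_scanners(packets, min_distinct=3, window=30.0):
    """Return {src: sorted greynet addresses touched} for each source that
    hit at least `min_distinct` distinct greynet addresses within any
    `window`-second span.  Packets to lit addresses never count."""
    hits = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst, _port in packets:
        if is_greynet_dst(dst):
            hits[src].append((ts, dst))

    alerts = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        flagged = False
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= min_distinct:
                flagged = True
                break
        if flagged:
            alerts[src] = sorted({d for _, d in events}, key=ipaddress.ip_address)
    return alerts


if __name__ == "__main__":
    print("unsolicited packets per source:", count_unsolicited(SAMPLE_PACKETS))
    print("scanners:", detect_scanners(SAMPLE_PACKETS))
```

Note that the source sending to 192.0.2.6 in the sample is not penalised for that packet; only its greynet hits count, which is what lets the detector work inside a subnet that is mostly in use. The single packet to 192.0.2.133 is recorded as unsolicited but falls below the scan threshold, which is the usual way to separate stray backscatter from a sweep.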
Our software will be implemented under FreeBSD, a stable and freely available open-source Unix-like operating system. Network administrators will be able to deploy a greynet-based monitoring system using our software and FreeBSD running on a garden-variety Pentium III or Pentium 4 class PC. Our tool will monitor an individual subnet on its own, or multiple subnets concurrently when plugged into VLAN trunk ports on an enterprise or ISP network’s core routers.
As part of this project we will develop and release tools to assist in data gathering and analysis, and publish interim results and papers on our website. The links above will take you to additional information.
Project Leader
Grenville Armitage
Project Members
Warren Harrop
Lucas Parry
Amiel Heyde