Greynets: Passive Detection of Unsolicited Network Scans in Small ISP and Enterprise networks

Introduction

This project involves development of software to allow easy set-up and deployment of a ‘greynet’ for system administrators. Greynets passively monitor selected unused IP addresses across an entire enterprise or ISP network ([1], [2]), and should be effective in quickly detecting network-based attackers scanning across an edge network’s IP address space looking for hosts to infect. Network-borne host infections are a common precursor to the development of zombies and botnets, from which much email (and other types of) spam is launched. Early detection of infection attempts will assist in the fight against spam.

Acknowledgement

This work is supported by a grant from the auDA Foundation in December 2007. The auDA Foundation is a charitable trust established by .au Domain Administration Limited (auDA) to promote and encourage education and research activities that will enhance the utility of the Internet for the benefit of the Australian community.

News

We are pleased to announce the release of CAIA Greynets Toolkit 0.5.8.

Background

Network operators are continually challenged by the task of defending their Internet Protocol (IP) networks from network based attacks. Viruses and worms regularly probe large swathes of IP space, looking for vulnerable hosts to infect and then build into the ‘zombie farms’ and botnets from which much spam originates. We expect that early detection of pre-infection network probes will assist in the fight against email (and similar) spam.

In the past few years network-layer darknets have increasingly been explored as a means by which network administrators can monitor for anomalous, externally sourced traffic. However, current darknet designs require large, contiguous blocks of unused IP addresses - not always feasible for operators of small ISP or enterprise networks.

We introduce the concept of a greynet - a region of IP address space that is sparsely populated with darknet IP addresses interspersed with active (or 'lit') IP addresses. Our project involves development of software to allow easy set-up and deployment of a greynet network monitoring system. Greynets passively monitor selected unused IP addresses across an entire enterprise or ISP network and have been previously described and analysed in [1] and [2]. Because nothing legitimate is ever addressed to an unused IP address, any packet arriving at a greynet address is unsolicited by definition, which makes greynets effective in detecting malware scanning across a network’s IP address space looking for hosts to infect as a prelude to larger network attacks.
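The detection principle described above, as an added illustration that is not part of the CAIA toolkit or the original page: a handful of addresses inside a lit /24 are declared unused (the greynet), a few constructed flow records are parsed, and every source that sends to a greynet address is recorded. Sources touching several distinct greynet addresses are reported as scanners, and any source inside the monitored network that touches even one greynet address is reported separately, since a lit host probing its unused neighbours is the signature of an already-infected machine. The subnet, greynet addresses, flow format and thresholds are all assumptions chosen for the example.

```python
"""Greynet detection logic over constructed flow records (added example)."""
import ipaddress
from collections import defaultdict

# Hypothetical monitored subnet; addresses in GREYNET_ADDRS are deliberately
# left unused, so any packet addressed to them is unsolicited by definition.
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")
GREYNET_ADDRS = frozenset(
    ipaddress.ip_address(a)
    for a in ("192.0.2.7", "192.0.2.42", "192.0.2.130", "192.0.2.201")
)

# Constructed flow records, one per line: "<unix-time> <src> <dst> <dport> <proto>".
SAMPLE_FLOWS = """\
1228700000 203.0.113.5 192.0.2.10 80 tcp
1228700001 203.0.113.5 192.0.2.7 445 tcp
1228700001 203.0.113.5 192.0.2.42 445 tcp
1228700002 203.0.113.5 192.0.2.130 445 tcp
1228700003 198.51.100.9 192.0.2.10 443 tcp
1228700004 198.51.100.9 192.0.2.201 22 tcp
1228700005 192.0.2.10 192.0.2.42 5353 udp
"""


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped rather than fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        try:
            flows.append({
                "ts": int(ts),
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "dport": int(dport),
                "proto": proto.lower(),
            })
        except ValueError:
            continue
    return flows


def greynet_hits(flows, greynet=GREYNET_ADDRS):
    """Map each source address to the set of greynet addresses it sent to."""
    hits = defaultdict(set)
    for flow in flows:
        if flow["dst"] in greynet:
            hits[flow["src"]].add(flow["dst"])
    return dict(hits)


def classify(hits, min_addrs=2, internal=MONITORED_NET):
    """Return (scanners, internal_sources).

    scanners: sources that touched at least `min_addrs` distinct greynet
    addresses, i.e. are sweeping the space rather than mistyping one host.
    internal_sources: sources inside the monitored network that touched any
    greynet address; one hit from a lit host already warrants attention.
    """
    scanners = {src for src, dsts in hits.items() if len(dsts) >= min_addrs}
    internal_sources = {src for src in hits if src in internal}
    return scanners, internal_sources


def run(text=SAMPLE_FLOWS):
    """Parse, correlate and classify in one step; returns the classify() tuple."""
    return classify(greynet_hits(parse_flows(text)))


if __name__ == "__main__":
    scanners, internal_sources = run()
    print("scanning sources:", sorted(map(str, scanners)))
    print("internal hosts touching greynet:", sorted(map(str, internal_sources)))
```

On the constructed input, 203.0.113.5 is reported as a scanner (three greynet addresses hit on port 445), 198.51.100.9 is recorded but stays below the threshold after a single hit, and 192.0.2.10 is flagged as an internal host probing an unused neighbour. In a real deployment the flow records would come from the capture interface on the monitoring host, and the threshold would be tuned to the size and sparsity of the greynet.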

Our software will be implemented under FreeBSD, a stable and freely available open-source Unix-like operating system. Network administrators will be able to deploy a greynet-based monitoring system using our software and FreeBSD running on a garden-variety Pentium III or Pentium 4 class PC. Our tool will monitor a single subnet on its own, or multiple subnets concurrently when plugged into VLAN trunk ports on an enterprise or ISP network’s core routers.

As part of this project we will develop and release tools to assist in data gathering and analysis, and publish interim results and papers on our website.

Project Leader
Grenville Armitage

Project Members
Warren Harrop
Lucas Parry
Amiel Heyde

Last Updated: Monday 8-Dec-2008 10:29:07 EST | Maintained by: Amiel Heyde (amiel@swin.edu.au) | Authorised by: Grenville Armitage (garmitage@swin.edu.au)