5 min read

A New Spin on Honeynets

'Darknets' use large blocks of allocated IP addresses to monitor dubious activity and traffic

Darknets, honeynets: When do you use one or the other? A darknet, allocated but unused IP address space that ISPs and large enterprises have in reserve, is increasingly becoming a useful tool for catching attacks early.

Darknets have been getting more attention lately, with Arbor Networks Inc. 's new Atlas service, for instance, which uses a combination of honeypots, honeynets, and its PeakFlow IPS products to analyze activity around darknets. Organizations such as CAIDA (Cooperative Association for Internet Data Analysis), the University of Michigan, and the University of Wisconsin, also use darknet analysis to track denial-of-service attacks, botnet traffic, and other types of suspicious traffic. (See On the Dark Side of ISP Nets.)

But because the darknet method watches traffic on this random IP space, it's limited to analyzing lower-level attack traffic, rather than any targeted attacks or patterns. But it's less labor-intensive to manage than a honeynet.

"With a darknet, you listen for attack and connection attempts," says Adam O'Donnell, senior research scientist with Cloudmark Inc. "There are lower maintenance requirements [than with a honeynet] because you don't have to maintain a real piece of server hardware or virtual hardware."

"Darknets are there to collect large network captures. They can deduce DDOS, DOS, and botnet threats a lot faster and more completely because a honeynet in theory is just one POP [point of presence]," says Ralph Logan, partner with the Logan Group and vice president of The Honeynet Project.

Honeynets track attacks higher up the stack and use "real" servers as bait. These are sets of servers designed to attract attackers to analyze the frequency and evolution of specific attacks. There are two basic types of honeynets, Logan's Logan says. Low-interaction honeypots find the what, when, and how of an attack: "They are there to capture automated attacks and malware," and don't really interact with the attacker, he says.

High-interaction honeynets let the attacker exploit and interact with the machines more actively, thus capturing more details about the attack and attacker. "High-interaction honeynets find the 'who' and 'why,' " Logan says.

But honeynets have their shortcomings, too. Not only do they incur overhead for IT -- you need staff to manage them and their flow of information -- but they are also limited to known vulnerabilities, for instance.

"Honeynets are great collecting tools, but unfortunately the majority of the time they don't provide information on a vulnerability that was not already public. Honeynets will likely not catch the latest and greatest zero-day vulnerability, but will provide a view into the attackers' methodologies and tools," says Albert Gonzalez, an information security engineer for Dillards Store Services. Gonzalez also runs the Distributed Honeynets Project.

Arbor, like other organizations that dabble in this type of attack analysis, uses a combination of darknets and honeynets to track malicious traffic for its ISP customers in its Atlas service. "Arbor has leveraged honeypots and existing Peakflow technology, among other things, to analyze global darknets," says Sunil James, security product manager for Arbor.

Logan says honeynets that run on a darknet help make the honeynet look even more legitimate to the attacker, because it's sitting on a production IP address range. "No one knows it's a honeypot -- it looks like an enterprise server." That's especially useful when attackers are targeting a specific organization's IP addresses, he says.

Darknets aren't as simple to build as honeynets, where you can download free tools from the Honeynet Project. Darknet monitoring typically requires homegrown setups. "Darknets are mostly homespun. You might have a router that will route an entire block of addresses to a single set of machines with fast network cards, a packet sniffer, and analysis software," Cloudmark's O'Donnell says.

But even with all of this intelligence you can gather from a honeynet or a darknet, neither approach can actually nab the bad guys. "They are still missing the critical piece -- being able to identify the attacker," Logan says. "Because of the way the Internet was developed, tracing an attacker back to the origin is still exceedingly difficult."

Honeypots and honeynets, meanwhile, could help catch an employee gone bad. "They are a fantastic tool for detecting insider espionage or attacks," Logan says. "If an employee is poking around inside, any packet that touches the honeypot is suspect. If they try to log onto a honeypot, they are doing something outside your corporate policy."

And the insider threat may be the sweet spot for honeynets in the enterprise, where the practice has not had much widespread use due to the overhead associated with the all the data they gather, as well as worries about asking for trouble by putting one up.

Logan says he's seen an increase in honeynets in the enterprise during the past year. He says the Big Brother argument doesn't fly here: "Corporations are well within their rights to deploy honeynets to secure their own networks and identify anyone doing things outside the corporate policy."

— Kelly Jackson Higgins, Senior Editor, Dark Reading