Darknet analysis: IP Reputation is the best defence

Simon Woodhead

Simon Woodhead

5th September 2011

When we introduced our Darknet a few weeks ago we commented how shocking the level of traffic it was receiving it was. Keep in mind, the Darknet comprises IP addresses which we have not issued to customers. They exist mathematically but have never been issued, are not in use and therefore should receive no traffic whatsoever. We concluded then that the vast majority of the traffic it was receiving was nefarious.

Darknet events

Our Darknet sees hundreds of thousands of intrusion attempts per day. It equates broadly to 700-1000 per Internet connected IP address per day. This is a baseline, IP addresses which are actually in use (such as our honeypots) see far far more as they also receive targeted traffic. We believe your IP addresses will be seeing a similar level of traffic.

As we highlighted before, much of this traffic is targeting very few ports and a decent firewall will offer a measure of protection providing the port targeted is not open. But what if it is? What about, for example, the recently found Apache vulnerability which could affect your web server on port 80? You cannot close port 80 to everyone if you want your website on-line so we need to consider alternatives.

There’s a few options:

  • – Patch service. Naturally, regular penetration testing and patching will keep your public facing systems more protected from known issues.
  • – Hide service. Customers using our DDoS Security Service to protect websites benefit from a high performance web cache in front of their real web farm. This intercepts and handles all requests, improving performance dramatically but also offering protection through topology hiding.
  • – Protect service. You could deploy an IDS to monitor the ‘content’ of traffic. We greatly favour intrusion prevention over detection and customers behind our DDoS Security Service benefit from this – our IPS will detect and block packet anomalies such as those used in the Apache vulnerability.
  • – Block bad traffic. Whilst all relevant solutions all of the above are re-active. It would be far better if you could examine the ‘intent’ of traffic entering the network as well as the ‘content’. Any firewall will enable block-lists to drop traffic from certain addresses; but what addresses? Let’s look at that now.

Our Darknet sees 16,000-20,000 IP addresses per day and as we now have a decent history of data we wanted to analyse their uniqueness. Let’s face it, if it is the same 20,000 every day, or substantially so, then anyone could maintain their own black list and they don’t need us.

The results are actually quite shocking. 81% of IP addresses hitting the Darknet are new and unique that day and 4% are unique to the time of that event. Just 2% are two days old and it tails off from there. So had we simply blocked bad the source addresses we saw yesterday, then the chances are we’d be deriving very little protection. Worse still, consider that today’s bad address could have been re-allocated to a different and innocent host tomorrow, particularly in the case of DSL networks with dynamic address allocation.

Age of source IP addresses hitting the Darknet

So does that mean there’s no basis to IP Reputation? Well no, because it isn’t simply a list of bad addresses!

If we analyse the same data again looking at source country rather than source IP address, we’ll see that 100% of offenders have been in the database the entire time so there is definitely a behavioural element to bad-ness. For a business predominantly doing business in one location, blocking traffic from certain parts of the world would have merit. In fact, our IP Reputation service enables customers to block specific countries with a single click. Blocking all countries where bad traffic had originated would be too blunt though.

IP Reputation aims to fill in the grey area between the specificity of a single IP address and the generality of blocking by country to enable the maximum level of protection, whilst avoiding false positives. Let’s re-run the data again but this time lets look at it at a network (AS) level. This time we see that just 20% of networks are new in the last day, and a similar proportion have been in the database the entire time. Getting better.

Darknet age of source networks

Blocking networks as a whole is appropriate in some cases, albeit few.  It would be inappropriate to block an entire network because of one or two bad IP addresses, but what if we see attacks every day from different IP addresses in the same subnet? If that subnet can be identified then traffic from it can reasonably assumed to be bad.

If you were to analyses our IP Reputation output, you would find a large number of individual addresses, and even entire networks where they have been determined to be entirely bad. In the most part though you’d find blocks of addresses between the two where the bad-ness extends to sub-allocations of IP addresses which are collectively being used for nefarious purposes whilst avoiding those being used innocently.

Of course, subscribers to the IP Reputation service aren’t only seeing the output of our Darknets and Honeypots. Simwood is just one of  the sources of data being submitted to ThreatSTOP. ThreatSTOP analyse and cross-reference multiple sources of data, including removing spoofed addresses, to arrive at a continuously updated list of address ranges which your firewall can be confident in blocking.

ThreatSTOP is delivered by DNS and can be integrated with almost any firewall. It is available for a simple annual subscription. It is also included in our DDoS Security Solution. Please contact us for a quote.

Related posts