Published by Rebecca Hodges. Modified over 10 years ago.
1
Greynets
Fred Baker
2
Problem:
- Detecting attacks that probe an address
  - Note that this is not necessarily a scanning attack (RFC 5157)
- There are other ways to more properly probe a network
  - If a company is known to use EUI-64 format addresses and equipment from specific vendors, the scan surface is vastly reduced
  - If an address was known to be in use in the past (from an SMTP envelope perhaps), it may still be in use
  - Observation of traffic exiting a network…
  - On-LAN attacks
3
Network Telescopes
- Darknet:
  - Commonly used to refer to an address space advertised in routing by a collector to trap probes of the address space
- Harrods 2005 Greynet proposal
  - Position a collector on a LAN to trap traffic to a few addresses
[Diagram labels: collector, normal equipment]
4
Greynet according to Fred
- When NS (Neighbor Solicitation) fails on a datagram delivered to a LAN
  - E.g., the address is not in use
- Instead of discarding the queued datagram, forward it to a collector
  - The collector can apply algorithms to decide what is going on
- Possible smarter policies
  - Heuristically identify more interesting datagrams and only forward them
[Diagram labels: collector, normal equipment]
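A small simulation of the forwarding policy on this slide, added here as an example and not taken from the original presentation: a LAN router hands datagrams whose destination does not resolve to a collector, which flags sources that touch several unused addresses. The class names, the threshold of three targets and the "recently live" filter standing in for a smarter policy are assumptions.

```python
import ipaddress
from collections import defaultdict

class Collector:  # hypothetical collector: tracks unused targets per source
    def __init__(self, threshold=3):
        self.threshold = threshold        # assumed: distinct unused targets before flagging
        self.targets = defaultdict(set)   # source -> unused destinations it tried

    def receive(self, src, dst):
        self.targets[src].add(dst)

    def suspects(self):
        return sorted(s for s, d in self.targets.items() if len(d) >= self.threshold)

class LanRouter:  # hypothetical last-hop router for one on-link prefix
    def __init__(self, prefix, live, recently_live, collector):
        self.prefix = ipaddress.ip_network(prefix)
        self.live = {ipaddress.ip_address(a) for a in live}             # would answer NS
        self.recent = {ipaddress.ip_address(a) for a in recently_live}  # hosts that just left
        self.collector = collector

    def deliver(self, src, dst):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst not in self.prefix:
            return "not-on-link"
        if dst in self.live:
            return "delivered"            # NS succeeded, normal forwarding
        if dst in self.recent:
            return "discarded"            # assumed heuristic: stale peer, not interesting
        self.collector.receive(str(src), str(dst))  # NS failed: forward, do not drop
        return "to-collector"

def demo():
    col = Collector(threshold=3)
    r = LanRouter("2001:db8:0:1::/64", ["2001:db8:0:1::10"], ["2001:db8:0:1::20"], col)
    traffic = [  # constructed sample traffic, documentation prefix only
        ("2001:db8:ffff::a", "2001:db8:0:1::10"),
        ("2001:db8:ffff::a", "2001:db8:0:1::20"),
        ("2001:db8:ffff::b", "2001:db8:0:1::1"),
        ("2001:db8:ffff::b", "2001:db8:0:1::2"),
        ("2001:db8:ffff::b", "2001:db8:0:1::3"),
        ("2001:db8:ffff::c", "2001:db8:0:1::99"),
    ]
    return [r.deliver(s, d) for s, d in traffic], col.suspects()

if __name__ == "__main__":
    print(demo())
```

A single stray datagram (source `::c`) reaches the collector but stays below the threshold, so only the source that touched three unused addresses is flagged.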
5
Why?
- Darknets have been useful in isolating attacks in the IPv4 network
- We expect similar attacks in the IPv6 network, although done in other ways
- Facilitate diagnostics without a lot of fuss…