Greynets
Fred Baker
Problem: Detecting attacks that probe an address
– Note that this is not necessarily a scanning attack (RFC 5157); there are other ways to probe a network more effectively:
– If a company is known to use EUI-64 format addresses and equipment from specific vendors, the scan surface is vastly reduced
– If an address was known to be in use in the past (from an SMTP envelope, perhaps), it may still be in use
– Observation of traffic exiting a network…
– On-LAN attacks
Network Telescopes
Darknet:
– Commonly used to refer to an address space advertised in routing by a collector, to trap probes of that address space
Harrods 2005 Greynet proposal:
– Position a collector on a LAN to trap traffic to a few addresses
[Diagram: collector placed on the LAN alongside normal equipment]
Greynet according to Fred
When NS (Neighbor Solicitation) fails on a datagram delivered to a LAN
– E.g., the address is not in use
Instead of discarding the queued datagram, forward it to a collector
– The collector can apply algorithms to decide what is going on
Possible smarter policies:
– Heuristically identify the more interesting datagrams and forward only those
[Diagram: collector placed on the LAN alongside normal equipment]
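The following is an added example, not code from the slides or from any router implementation: a toy model of the mechanism on this slide. A last-hop router whose NS for a destination draws no Neighbor Advertisement hands the queued datagram to a collector instead of dropping it; the collector counts how many distinct unused addresses each source has touched, which is the kind of algorithm the slide leaves to the collector. The `interesting()` heuristic (forward only TCP SYN, UDP with a port, or ICMPv6) stands in for the "smarter policies" bullet, and the router/collector interfaces, the threshold, and all sample traffic (documentation prefixes from 2001:db8::/32) are assumptions made for illustration.

```python
"""Toy greynet router and collector.  Added example; the classes, the
'interesting datagram' heuristic and the traffic below are assumptions."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmpv6"
    dport: Optional[int] = None
    flags: str = ""                 # TCP flags, e.g. "S" for a bare SYN


class Collector:
    """Receives datagrams whose destination failed neighbor resolution and
    applies one simple algorithm: count distinct unused addresses per source."""

    def __init__(self) -> None:
        self.received: List[Datagram] = []
        self.unused_hit: Dict[str, Set[str]] = defaultdict(set)

    def ingest(self, dg: Datagram) -> None:
        self.received.append(dg)
        self.unused_hit[dg.src].add(dg.dst)

    def probing_sources(self, threshold: int = 3) -> List[str]:
        """Sources that touched at least `threshold` distinct unused addresses."""
        return sorted(s for s, d in self.unused_hit.items() if len(d) >= threshold)


class LanRouter:
    """Last-hop router for one IPv6 prefix.  `live_hosts` stands in for the
    hosts that would answer an NS; any other address times out in ND."""

    def __init__(self, prefix: str, live_hosts: Set[str],
                 collector: Collector, forward_all: bool = True) -> None:
        self.prefix = ipaddress.ip_network(prefix)
        self.live = {ipaddress.ip_address(h) for h in live_hosts}
        self.collector = collector
        self.forward_all = forward_all      # False = apply the heuristic policy
        self.delivered: List[Datagram] = []
        self.dropped: List[Datagram] = []

    def _neighbor_resolves(self, dst: ipaddress.IPv6Address) -> bool:
        # Stand-in for the NS/NA exchange: only a live host replies.
        return dst in self.live

    @staticmethod
    def interesting(dg: Datagram) -> bool:
        """Heuristic policy: forward only datagrams that look like probes
        (bare TCP SYN, UDP to a port, ICMPv6), not every stray packet."""
        if dg.proto == "tcp":
            return dg.flags == "S"
        if dg.proto == "udp":
            return dg.dport is not None
        return dg.proto == "icmpv6"

    def deliver(self, dg: Datagram) -> str:
        dst = ipaddress.ip_address(dg.dst)
        if dst not in self.prefix:
            raise ValueError(f"{dg.dst} is not on this LAN")
        if self._neighbor_resolves(dst):
            self.delivered.append(dg)
            return "delivered"
        # NS failed: the address is not in use.  A classic router drops the
        # queued datagram here; the greynet router forwards it to the collector.
        if self.forward_all or self.interesting(dg):
            self.collector.ingest(dg)
            return "collected"
        self.dropped.append(dg)
        return "dropped"


def run_demo() -> Dict[str, object]:
    """Constructed traffic on a 2001:db8:1::/64 LAN with two live hosts."""
    collector = Collector()
    router = LanRouter("2001:db8:1::/64", {"2001:db8:1::10", "2001:db8:1::11"},
                       collector, forward_all=False)
    traffic = [
        # One source walks several addresses with bare SYNs (one of them live).
        Datagram("2001:db8:ffff::1", "2001:db8:1::10", "tcp", 22, "S"),
        Datagram("2001:db8:ffff::1", "2001:db8:1::12", "tcp", 22, "S"),
        Datagram("2001:db8:ffff::1", "2001:db8:1::13", "tcp", 22, "S"),
        Datagram("2001:db8:ffff::1", "2001:db8:1::14", "tcp", 22, "S"),
        # A peer talking to a live host, plus a stale ACK to a retired address.
        Datagram("2001:db8:2::5", "2001:db8:1::11", "tcp", 443, "A"),
        Datagram("2001:db8:2::5", "2001:db8:1::20", "tcp", 443, "A"),
        # On-LAN echo between the two live hosts; resolves normally.
        Datagram("2001:db8:1::11", "2001:db8:1::10", "icmpv6"),
    ]
    outcomes = [router.deliver(dg) for dg in traffic]
    return {
        "outcomes": outcomes,
        "delivered": len(router.delivered),
        "collected": len(collector.received),
        "dropped": len(router.dropped),
        "probing": collector.probing_sources(threshold=3),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

With the heuristic policy switched on, the stale ACK to the retired address is dropped rather than forwarded, while the three SYNs to unused addresses reach the collector and are enough to flag their source; set `forward_all=True` to see the stale ACK collected as well, which is the simpler policy the slide describes first.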
Why?
Darknets have been useful in isolating attacks in the IPv4 network
We expect similar attacks in the IPv6 network, although done in other ways
Facilitate diagnostics without a lot of fuss…