Advantages

Fidelity - if something scans dark IP, it is likely bad

Cheap/easy - can cover a lot of IP space that wasn't being used

Especially internally to enterprises

Disadvantages

Some bots avoid the dark-IP space - scan selectively

Persuading the bot to talk can be tricky

Need deep interaction honeypot to do it right

Bots moving away from scanning as a technique

Bot-owners can learn dark IPs if there is feedback (eg to signatures)
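Both the fidelity advantage and the selective-scanning disadvantage above can be seen in a small detector. The following is an added example, not code from the original slides: it takes flow records, checks each destination against a set of hypothetical unused ("dark") ranges inside an enterprise network, and flags any source that touches several distinct dark addresses. The ranges, the flows and the threshold are all constructed for the example; a real deployment would take the dark ranges from its own allocation records. The constructed data includes a host that scans only live addresses, which the detector does not flag, illustrating the evasion the slide describes.

```python
import ipaddress
from collections import defaultdict

# Hypothetical unallocated ("dark") address ranges inside the enterprise.
# Constructed for this example; real values come from IPAM/allocation records.
DARK_RANGES = [
    ipaddress.ip_network("10.0.200.0/22"),
    ipaddress.ip_network("10.0.240.0/24"),
]

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.0.5.17", "10.0.200.1", 445),   # sweeps a dark /22 on 445
    ("10.0.5.17", "10.0.200.2", 445),
    ("10.0.5.17", "10.0.200.3", 445),
    ("10.0.5.17", "10.0.201.9", 445),
    ("10.0.7.3", "10.0.10.5", 80),      # ordinary traffic to a live host
    ("10.0.7.3", "10.0.240.7", 22),     # one stray dark contact, below threshold
    ("10.0.9.9", "10.0.10.1", 445),     # selective scanner: only live hosts,
    ("10.0.9.9", "10.0.10.2", 445),     # so a dark-IP detector never sees it
    ("10.0.9.9", "10.0.10.3", 445),
]


def is_dark(ip):
    """True if the address falls inside one of the dark ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DARK_RANGES)


def dark_touches(flows):
    """Map each source to the set of distinct dark destinations it contacted."""
    touches = defaultdict(set)
    for src, dst, _port in flows:
        if is_dark(dst):
            touches[src].add(dst)
    return touches


def flag_scanners(flows, threshold=3):
    """Sources that contacted at least `threshold` distinct dark addresses.

    Nothing legitimate should be talking to unused space, so even a low
    threshold gives high fidelity; the threshold only filters out the odd
    stray packet (typos, stale DNS) rather than tuning for noise.
    """
    return sorted(src for src, dsts in dark_touches(flows).items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    print("flagged:", flag_scanners(SAMPLE_FLOWS))
    print("per-source dark contacts:",
          {s: sorted(d) for s, d in dark_touches(SAMPLE_FLOWS).items()})
```

Run as-is it flags only 10.0.5.17. The host 10.0.9.9 generates the same kind of 445 sweep but confines it to live addresses, so it produces no dark-IP signal at all; catching it needs a different detector (for example, fan-out or failed-connection counting against live hosts), which is exactly the limitation the "scan selectively" bullet points at.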
Technology evolution is rapid

Well funded industry

Smart technologists

Disciplined execution of attacks and management of resources/business

Gives various trends that render current defensive technologies obsolete

Exploits via web/email (bypass firewall)

Obfuscation and polymorphism (bypass AV/IPS)

Distributed command-and-control, and high turnover of assets, renders trackdown and clean-up hard

DNS tracking hard

Web crawling behind the curve
~ 5000 users

~ 3 hrs of intermittent data

Parsed HTTP and entities

~ 200,000 HTTP-containing flows

Google Safe Browsing API alerted on ~700 of them

Manually verified - only 11 checked out

Daily rate is ~100 incidents/day

Don't know how many were successful at this point

Not sure how typical this period is, so only an order-of-magnitude estimate

Google Safe Browsing API is 99%+ false positives

Reasons not well understood yet

Gearing up for another experimental run

Hopefully LEET 08 paper