Dark Spaces

Monitoring unallocated Internet addresses reveals potential DoS attacks.

by / December 19, 2007 0

When computer hackers attacked Estonia  earlier this year -- shutting down numerous Web sites connected to the country's electronic infrastructure, including government, commercial banks, media outlets and name servers -- the event was nothing new in the world of cyber-security.

Since the mid-1990s, denial-of-service (DoS) attacks -- generally a computer assault that floods a network or Web site with unnecessary traffic, rendering it slow or completely interrupted -- have caused serious problems for the Internet. DoS attacks are often waged by "botnets," which are a series of computers that have been hijacked by viruses and take part in attacks without their owners' knowledge. Attackers often launch attacks from unallocated IP addresses so the assailants can't be found.

The attack on Estonia has been called "cyber-warfare" and the first time botnets threatened the security of an entire nation. Over the years, similar attacks have closed some of the largest e-commerce companies, such as Amazon.com, eBay and Buy.com, as well as federal and state government Web sites.

With an estimated 2,000 to 3,000 DoS attacks daily worldwide, large corporations, small Web-based businesses and governments have been forced to take precautions to defend against DoS attacks or face costly shut downs and/or the demands of "cyber-extortionists," a new breed of Internet criminal who demands payment in exchange for not launching a DoS attack.


Dark Address Space
In 2003, the federal government established the U.S. Computer Emergency Response Team (U.S.-CERT), an arm of the Department of Homeland Security that protects the nation's public and private Internet infrastructure, in response to DoS and other harmful cyber-attacks. To help prevent DoS attacks, or at least warn private and public sectors of impending attacks, U.S.-CERT uses its Einstein program to monitor federal network "dark address space" on the Internet. Dark address space, which is sometimes referred to as "darknet," is the area of the Internet's routable address space that's currently unused, with no active servers or services. On computer networks, darknet is the addresses held in reserve for future network expansion.

Often when DoS and other cyber-attacks occur, blocks of Internet address space, including darknet space, briefly appear in global routing tables and are used to launch a cyber-attack, or send spam, before being withdrawn without a trace. By monitoring all traffic to and from dark space, U.S.-CERT and other cyber-security organizations gain insight into the latest techniques and attacks.

The U.S.-CERT's Einstein program provides information about darknet activity originating from state and local government systems, helping notify states of potential cyber-attacks and other malicious activities.

New York is in the process of implementing its own plan to combat cyber-attacks by collecting malicious cyber-attack information directed at the state's IT infrastructure, which can provide early warning intelligence about the nature and characteristics of the attacks.

New York state receives warnings of potentially malicious cyber-activity from U.S.-CERT on a daily basis, said William Pelgrin, director of the New York State Office of Cyber Security and Critical Infrastructure Coordination. His office is working with the University atAlbany to create the Multi-State Information Sharing and Analysis Center (MS-ISAC) Darknet Sensor system, which will help New York and other states prevent cyber-attacks by monitoring dark space and other nonallocated IP addresses. A darknet server will be configured to capture all traffic destined for this unused space. The server listens to all traffic directed at the unused address space and gathers the information packets that enter the dark space.

"Just the fact that we are seeing state-targeted traffic in federal dark space is definitely worth the investment to deploy this program to monitor state dark space," said Pelgrin. "Our goal is not only to do this for New York state, but for all other states."

The MS-ISAC Darknet Sensor system, which is expected to be implemented by late 2007 or early 2008, will monitor and gather information for all traffic directed through the nationwide darknet, which is considered malicious since no legitimate services are available at dark address spaces. New York's internal and public networks will be analyzed, which is expected to provide invaluable insight into the security of New York's networks and help predict impending network attacks.

Pelgrin is also the founder and chair of the MS-ISAC, whose mission is to raise the level of cyber-security readiness and response for state and local governments nationwide. Although the MS-ISAC Darknet Sensor system will be centered in New York, Pelgrin said the system will benefit other states too.

"I'm a big believer in sharing information and a collaborative and cooperative approach to my job," Pelgrin said. "I knew from the beginning that geographic borders make no sense in state cyber-security. A cyber-attack in California can have an effect in New York." 

A MS-ISAC volunteer member will see what information on dark space should be shared with other states to prevent cyber-attacks. Alaska and Montana have agreed to join New York's Darknet sensor system, and Pelgrin expects others to join once the program is running. States participating in the program will set up a monitoring system with sensors placed in strategic places on the network to create an early warning system. A monitoring center will interpret and evaluate warnings, which will eventually help accurately evaluate cyber-attacks.

"I think it's a very valiant effort and it's a very useful approach," said Jose Nazario, senior security researcher of Arbor Networks, a network security provider. "I liken the approach of darknet monitoring to throwing a petri dish out there or sticking your finger in wind; it's a tremendous way to measure all the junk on the Internet and discover both in terms of known and existing threats, 'Where is it coming from, who's launching them, and who do we need to block or shut down?'"

Dark space monitoring is valuable for protecting municipalities since more government infrastructure and resources are being made available online, Nazario said.

"Clearly it's very valuable for federal governments," Nazario said. "I would argue that state governments depend just as much on infrastructure not only for their own infrastructure but for their resources, whether business or educational institutions, or other research statewide networks."

Nazario said his firm tracks between 2,000 and 3,000 major DoS attacks every day, all of which come from forged addresses.

Although the U.S.-CERT program often warns states of potential cyber-attacks, the program is oriented primarily at the federal level, and states often don't have adequate defense against DoS attacks, according to Pelgrin. With the shared connectivity of the Internet, cyber-attacks can come from anywhere in the world, therefore, a collaborative approach is the best defense for states and organizations worldwide, he added.

"Whatever we learn from states and across the world will help New York state, and hopefully what we do will help other states as well," Pelgrin said.


Chandler Harris is a regular contributor to Government Technology magazine. He also writes for Public CIO, a bimonthly journal, and Emergency Management and Digital Communities magazines.

Chandler Harris Contributing Writer