Darknets are well known as a place to look for Internet threats, but a presentation by RESTENA and CIRCL at this week’s TF-CSIRT meeting suggested they may also show up other kinds of problems. Darknets are parts of the IP address space that are routed but not used, so there should be no legitimate packets arriving at those addresses. Packets that do show up may relate to scanning, or be responses to attacks forged to appear to come “from” the darknet addresses. Or they may simply be the result of accidental misconfiguration of Internet devices, for example by administrators mistyping their own IP addresses.
At first sight that might seem harmless – surely the worst that can happen is that the service won’t work? – but examining a year’s traffic to two darknets suggests that such typos can result in significant information leakages, or even create opportunities to attack the network where the mistake was made.
For example, if someone mistypes the address of a DNS resolver, then any machine listening on the ‘wrong’ address will get a list of the domain names that users are looking up. That may even include machines inside the organisation’s firewall, so an external listener may be able to discover information about the internal network that the firewall is supposed to hide. And that won’t just be intranet servers: most of the traffic captured by the darknet was intended for network infrastructure servers such as domain controllers and time servers, indicating that network services running on the misconfigured computer were also using the incorrect address and leaking information about important infrastructure services. DNS configuration errors may not be detected by the organisation. Most machines will have more than one resolver configured, so as long as at least one of those is correctly configured their users will not report any problems. The misconfigured addresses will just carry on silently announcing what the user is doing.
Other services may leak even more important information. Printers, routers and firewalls are often configured to report their status to a logging server using the Syslog protocol. If the logging server’s address is mistyped then information reported to an external address may range from paper jams to attacks detected by the firewall, or even the complete configuration of the device including the passwords used to update it. Logging systems often use the private address spaces defined by RFC1918, which all firewalls should block from leaving the local network. But if you mistype the network part of an RFC1918 address then that protection, too, is lost.
Errors in configuring DNS and several other services can also be used to attack the misconfigured network. If a machine is sending DNS requests to the wrong address, then a machine at that address could easily send back wrong answers, potentially directing it to hostile websites, mail servers, or anything else.
Using these kinds of errors to attack a specific organisation would probably be tricky, since there’s no obvious way to find out what misconfigurations it may have. But the evidence of this study is that there are enough of them around that opportunist attackers might get lucky. Organisations should monitor their network traffic for critical services such as DNS, syslog and SNMP to check that flows, particularly those leaving the organisation, only go where they are supposed to. That way they should detect dangerous configuration errors before their enemies do.
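One way to implement the monitoring recommended above, as an added example that is not part of the original post or the RESTENA/CIRCL study: audit flow records for DNS, syslog and SNMP and flag any destination that is not a sanctioned server, noting whether it leaves the organisation’s own prefixes or is a single octet away from a sanctioned address (the typo pattern described earlier). The server addresses, organisation prefix and flow records are all constructed for the example.

```python
import ipaddress

# Critical services the post says to watch, keyed by (protocol, destination port).
SERVICES = {("udp", 53): "dns", ("udp", 514): "syslog",
            ("udp", 161): "snmp", ("udp", 162): "snmp-trap"}

# Constructed allowlist of the organisation's own infrastructure servers (hypothetical).
ALLOWED = {"dns": {"10.0.0.53", "10.0.0.54"}, "syslog": {"10.0.10.14"},
           "snmp": {"10.0.10.20"}, "snmp-trap": {"10.0.10.20"}}

# Constructed address range the organisation actually owns; anything else "leaves" it.
ORG_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]


def _typo_like(dst, allowed):
    """True if dst differs from some sanctioned address in exactly one octet."""
    d = dst.split(".")
    return any(sum(a != b for a, b in zip(d, ok.split("."))) == 1 for ok in allowed)


def audit_flow(src, dst, proto, dport):
    """Return None if the flow is expected, otherwise a one-line finding."""
    service = SERVICES.get((proto, dport))
    if service is None:
        return None  # not one of the critical services being monitored
    allowed = ALLOWED[service]
    if dst in allowed:
        return None
    reasons = []
    if not any(ipaddress.ip_address(dst) in net for net in ORG_PREFIXES):
        reasons.append("leaves the organisation")
    if _typo_like(dst, allowed):
        reasons.append("one octet away from a sanctioned server")
    detail = "; ".join(reasons) or "unlisted destination"
    return f"{service} {src} -> {dst}:{dport}/{proto} ({detail})"


def audit_flows(records):
    """Run audit_flow over (src, dst, proto, dport) tuples and keep the findings."""
    return [f for f in (audit_flow(*r) for r in records) if f]


# Constructed sample flow records, not real traffic.
SAMPLE = [
    ("10.0.5.7", "10.0.0.53", "udp", 53),     # correct resolver
    ("10.0.5.7", "10.0.0.35", "udp", 53),     # transposed octet, still RFC1918
    ("10.0.5.9", "100.0.0.53", "udp", 53),    # mistyped network part, leaves the LAN
    ("10.0.6.2", "10.0.10.14", "udp", 514),   # correct syslog server
    ("10.0.6.3", "192.0.2.14", "udp", 514),   # syslog to an external address
    ("10.0.6.3", "203.0.113.9", "tcp", 443),  # web traffic, not audited
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE):
        print(finding)
```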