Security Information Exchange (SIE) Darknet Channel
Channel 14 Darknet streams IP packets, in packet capture library (libpcap) format (also known as “PCAP”), received from various darknets. These darknets are instrumented to observe and collect any network traffic that attempts to access inactive IP addresses. This data provides evidence of scanning and unsolicited connection attempts to unused IP address space.
Darknets (also known as “dark space telescopes”) are blocks of unused IP address space connected to the Internet. The IP addresses in a darknet are inactive and there is no legitimate reason for any system on the Internet to attempt connections to a service within a darknet. Because of this, traffic observed in a darknet is typically the result of a network scan, probes looking for vulnerable systems, or other suspicious behaviors.
Monitoring traffic from channel 14 can be useful for solving a number of challenges, some examples include:
- Identifies sources of scans, probes, or suspicious behaviors, enabling you to make informed decisions and implement appropriate controls
- Enables ISPs to identify customers with infected systems that need remediation
- Gives law enforcement agencies (LEAs) fact-based information about attacks; relevant for justifying warrants or subpoenas, and as evidence in a prosecution
- Lets Threat Intelligence (TI) companies enrich the products, solutions, and services they provide to the customers listed above
Additional information about analyzing and acquiring Darknet data from SIE is available at:
- Spotting A DNS Denial of Service Reflection Attack in SIE Darkspace Telescope Data
- Accessing Darknet Telescope Data via SIE Remote Access (SRA)
About Security Information Exchange (SIE)
The Security Information Exchange (SIE), from Farsight Security® Inc. (now part of DomainTools), is a scalable and adaptable real-time data streaming and information sharing platform. SIE collects and provides access to more than 200,000 observations per second of raw data from its global sensor network. Farsight also applies unique and proprietary methods for improving the usability of the data, directly sharing the refined intelligence with SIE customers and with DNSDB®, one of the world’s largest passive DNS (pDNS) databases.
The diverse set of data available from SIE includes the following and is relevant and useful for practitioners in various technology roles:
- Raw and processed passive DNS data
- Darknet/darkspace telescope data
- SPAM sources and URLs
- Phishing URLs and associated targeted brands
- Connection attempts from malware-infected systems (as seen by a sinkhole)
- Network traffic blocked by Intrusion Detection Systems (IDS) and firewall devices
Each unique set of data in SIE is known as a channel and the data acquired from a specific channel can be customized to meet the needs of each customer, enabling you to subscribe to and access only the channels needed to solve your problem. A channel in SIE may be the result from analyzing the data or a subset of data from other channels.
Data Format for Darknet
Description: Captured packets destined for unused network space. Can be used to monitor scanning activity and backscatter from large spoofing attacks.
To see current channel traffic volumes and service options for accessing it, please see the Security Information Exchange (SIE) Channel Guide.
Using Darknet Data
A sample Darknet record looks like this:
```
21:54:39.324920 IP 999.999.999.1.99999 > 999.999.999.251.99999: Flags [S], seq 1512317368, win 65535, length 0
	0x0000:  434f 4745 4e54 e0ac f127 b40f 0800 4528  COGENT...'....E(
	0x0010:  0028 d431 0000 ed06 e6d7 0000 0000 9543  .(.1.......^o..C
	0x0020:  54fb c1f4 3413 5a24 21b8 0000 0000 5002  T...4.Z$!.....P.
	0x0030:  ffff 2b60 0000 0000 0000 0000            ..+`........
```
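The record above is a tcpdump-style rendering of a raw pcap frame. As an added example (not code from Farsight or from this page), the following Python decodes the hex dump of that exact frame with the standard `struct` module and then labels the packet the way the channel description distinguishes its traffic: a bare SYN is a probe of unused space, while a SYN-ACK or RST is backscatter from an attack that spoofed a darknet address. The SYN-ACK frame is constructed here by patching the flags byte of the sample.

```python
import struct

# Hex dump from the sample Darknet record above (60-byte Ethernet frame;
# the source IP was already zeroed in the original). fromhex() skips spaces.
SAMPLE_FRAME = bytes.fromhex(
    "434f 4745 4e54 e0ac f127 b40f 0800 4528"
    "0028 d431 0000 ed06 e6d7 0000 0000 9543"
    "54fb c1f4 3413 5a24 21b8 0000 0000 5002"
    "ffff 2b60 0000 0000 0000 0000"
)

SYN, RST, ACK = 0x02, 0x04, 0x10


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers of a raw frame into a dict."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("only IPv4 frames are handled here")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length
    total_len = struct.unpack("!H", ip[2:4])[0]   # excludes Ethernet padding
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError("only TCP is handled here")
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, win = struct.unpack("!HHIIHH", tcp[:16])
    return {"src": src_ip, "dst": dst_ip, "ttl": ttl, "sport": sport,
            "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "win": win}


def classify(pkt):
    """SYN without ACK: a scan/probe. SYN-ACK or RST: a reply to a spoofed
    source address, i.e. backscatter from an attack on some other victim."""
    f = pkt["flags"]
    if f & SYN and not f & ACK:
        return "scan/probe"
    if (f & SYN and f & ACK) or f & RST:
        return "backscatter"
    return "other"


# Constructed variant: same frame with the TCP flags changed to SYN-ACK
# (offset 46 = 14 Ethernet + 20 IP + 12 bytes into the TCP header).
BACKSCATTER_FRAME = SAMPLE_FRAME[:46] + b"\x50\x12" + SAMPLE_FRAME[48:]

if __name__ == "__main__":
    for frame in (SAMPLE_FRAME, BACKSCATTER_FRAME):
        p = parse_frame(frame)
        print(f"{p['src']}:{p['sport']} > {p['dst']}:{p['dport']} seq {p['seq']} "
              f"win {p['win']} ttl {p['ttl']} -> {classify(p)}")
```

The decoded sequence number and window match the `seq 1512317368, win 65535` shown by tcpdump, which is a quick sanity check that the header offsets are right.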
SIE Access Methods
Data from SIE can be accessed and acquired using the following methods:
- Direct Connect: Connect a system to the SIE network. This requires (1) installing a server in a data center where Farsight has a point of presence and (2) ordering a network cross-connect between your server and the SIE network. Customers can optionally lease a blade server from Farsight, and many prefer to
- SIE Remote Access (SRA): Remotely connect to the SIE network using an encrypted tunnel from your workstation or a server in your local data center
For additional information about SIE access methods, please see the SIE Technical Overview document.
SIE Direct Connect allows a customer to physically connect a server to the Farsight SIE network for maximum data throughput. This can be done in one of two ways:
- Blade Server: Pre-configured blade servers co-located in one of Farsight’s data centers that can be leased by customers for direct access to SIE channels.
- Customer Server: Customer (owned, managed, and operated) servers that can be installed in one of Farsight’s data centers and physically connected to the SIE network with a network cross-connect.
If a blade server is leased from Farsight, it will be pre-installed with the essential software components needed to acquire, process, compress, buffer, and transfer data from SIE channels to the customer’s data center for additional analysis, enrichment, and storage.
If a customer uses their own server, an order can be submitted for a cross-connect to the SIE switches hosted at select Equinix data centers (Ashburn DC3 and Palo Alto SV8). An FSI account manager can help guide cross-connect provisioning details, hosting, or colocation options.
For additional information about SIE connection methods, please see the SIE Technical Overview document. A Farsight sales representative is happy to share a copy of this document with you. It will help you understand which connection method will work best for you.
SIE Remote Access (SRA)
SIE Remote Access (SRA) enables a customer to remotely connect to the Security Information Exchange (SIE) from anywhere on the Internet. SRA delivers SIE channel data to the customer’s local servers, allowing their analysis and processing systems to be located in their own data centers rather than physically co-located at a Farsight data center.
Due to the technical limitations of transporting high bitrate SIE channels across the Internet, the SRA access method is not available for all SIE channels. Please reference the SIE Channel Guide for channels that can be accessed using SRA.
SRA uses the Advanced Exchange Access (AXA) transport protocol which enables SRA sessions to perform the following:
- Select which SIE channel or channels to monitor and acquire data from
- Define user-specified search or filtering criteria to match IP or DNS traffic
- Control rate-limits and other AXA parameters
The streaming search and filtering capabilities of AXA enable SRA to access and acquire meaningful and relevant data from SIE while avoiding the cost of transporting enormous volumes of data across the Internet.
Note: For high-volume channels accessed using SRA, customers are expected to specify a search or filter for the IP addresses and DNS domain names or hostnames of interest. The SRA service will only collect and send data matching the specified criteria across the Internet to the customer.