HunCERT PROBE
About the programme
The aim of the HunCERT PROBE programme and the probe stations installed in the networks of the voluntarily participating sponsors (members) is to record and analyse network security trends on the Hungarian internet, to improve HunCERT's incident detection capabilities and to provide network operators and ISPs participating in the programme with comprehensive and up-to-date security information relevant to their own networks.
With some technical exceptions, detailed below, the PROBE device is completely passive, i.e. it does not initiate outgoing network traffic, nor does it perform any scanning towards the local network or the internet. The primary consideration in the design and operation of PROBE is that the host network, which voluntarily hosts it, should not be compromised by the device for any technical or legal reason, nor should it collect information directly from the local network.
The PROBE tool provides no real, public Internet service and does not perform sniffing. The information it collects is therefore limited to data deliberately sent to it by active, unsolicited external attackers (typically automated mechanisms), which is logged in the usual way, and to what the programme's sponsors voluntarily share from their own network (i.e. the public IP address of the PROBE tool).
Note: The device is not suitable for household use. Please note when applying that we can only provide a device for public networks, preferably with a class C IP address. The WiFi network adapter installed in PROBE hardware devices is currently inactive and will only be activated with the explicit permission of the participants. The WiFi adapter can be freely removed from the device; in this case, however, we will ask for its return.
Use of the collected data
The data collected during the PROBE programme will only be used by HunCERT for the following purposes:
- Displaying trend data, monthly and annual graphs (without source and destination IP addresses) on the public website of the programme (https://hab.cert.hu). There is no way of inferring the location of PROBE devices from the data displayed, and therefore no way of identifying specific trends and events affecting the beneficiaries of the programme.
- Displaying filterable aggregated graphs, toplists of external hosts and activities attacking the domestic internet, on a webpage accessible to the programme's sponsors (members) after identification, with more information than is available on the public interface (e.g., in case of attacks, with the IP address of the external source). There is no way of inferring the location of PROBE devices from the data displayed, and therefore no way of identifying specific trends and events affecting the beneficiaries of the programme.
- The full set of information collected by the PROBE device(s) on their network(s) will be made available to the participating sponsors (members), in the form of detailed event logs and target toplists, on a webpage accessible after identification. This is primarily intended to ensure the transparency of the data collected, but may also serve as a useful tool for participants in a potential internal incident detection effort.
- Data from the system may be used by HunCERT in its own incident handling and related research activities, but information that can be used to identify members (e.g. PROBE IP address) will not be disclosed to external parties without the case-by-case and explicit consent of the parties concerned.
The principles outlined above in a simplified form are formally described in the Privacy Policy (currently only available in Hungarian).
Behaviour of the PROBE tool on the network
PROBE stations currently have three basic sensor functions. Using the Linux operating system's firewall, each station logs the data of all incoming TCP or UDP packets that would otherwise be filtered, and the device also provides the following interactive network services:
- SSH sensor - responds to requests on TCP port 22 as a real server would. Once a simple username/password pair has been worked out, it provides a realistic-looking terminal environment in which realistic-looking commands can be issued. The actions performed are also logged.
- SMTP sensor - responds to requests on TCP port 25 as a real mail server. It accepts all incoming SMTP messages and drops them immediately. Logs incoming data (e.g. sender, recipient, payload).
- HTTP sensor - responds to requests on TCP port 80 as a real web server would. Serves all incoming HTTP requests with a template response. Logs incoming data (e.g. URL, browser, JavaScript capabilities).
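As an added illustration, not part of the programme's own software, of how the passive firewall logging described above feeds the two views listed under "Use of the collected data": the script below parses firewall log lines into a member-level event list and source-IP toplist (which keep the external source address) and a public per-protocol/port aggregate (which carries no IP address at all), with a check that nothing address-like leaks into the public rows. It assumes the device's firewall writes the standard Linux iptables/nftables LOG kernel format (KEY=VALUE fields such as SRC=, DST=, PROTO=, DPT=); the page does not state the exact format, so this is an assumption, and the sample lines and the PROBE-DROP log prefix are constructed for the demo using documentation address ranges.

```python
"""Split passive-sensor firewall log lines into a member view (with source IPs)
and a public view (no IP addresses), as the PROBE data-use rules describe.

Added example, not the HunCERT PROBE programme's own tooling. Assumption: the
probe's firewall emits the standard Linux iptables/nftables "LOG" kernel format.
"""
from collections import Counter
import re

# Constructed sample lines (addresses are RFC 5737 documentation ranges, the
# "PROBE-DROP" prefix is an assumed log prefix, not the device's real one).
MAC = "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
SAMPLE_LOG = f"""\
Mar  3 10:01:02 probe kernel: PROBE-DROP IN=eth0 OUT= {MAC} SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=41234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:05 probe kernel: PROBE-DROP IN=eth0 OUT= {MAC} SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54322 PROTO=TCP SPT=41235 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:02:11 probe kernel: PROBE-DROP IN=eth0 OUT= {MAC} SRC=192.0.2.99 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=100 PROTO=UDP SPT=5060 DPT=5060 LEN=40
Mar  3 10:02:40 probe kernel: PROBE-DROP IN=eth0 OUT= {MAC} SRC=192.0.2.99 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=101 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:03:00 probe kernel: PROBE-DROP IN=eth0 OUT= {MAC} SRC=198.51.100.7 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54323 PROTO=TCP SPT=41236 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:03:30 probe kernel: some unrelated message without firewall fields
"""

# KEY=VALUE tokens as written by the kernel LOG target (value may be empty, e.g. OUT=).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
IPV4_RE = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_log_line(line):
    """Return the KEY=VALUE fields of a firewall LOG line, or None for other lines."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return fields


def member_events(lines):
    """Member-level view: one record per logged packet, source IP included
    (the 'detailed event logs' the sponsor can inspect after identification)."""
    events = []
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        events.append({
            "src": fields["SRC"],
            "dst": fields["DST"],
            "proto": fields["PROTO"],
            "dport": int(fields["DPT"]) if fields.get("DPT") else None,
        })
    return events


def member_source_toplist(events, n=10):
    """Member-level toplist of external hosts, keyed by source IP."""
    return Counter(e["src"] for e in events).most_common(n)


def public_target_toplist(events, n=10):
    """Public view: counts per (protocol, destination port) only.
    No source or destination IP is carried, matching the rule for the public website."""
    return Counter((e["proto"], e["dport"]) for e in events).most_common(n)


def public_view_is_address_free(rows):
    """Pre-publication check: refuse rows containing anything that looks like an IPv4 address."""
    return not any(IPV4_RE.search(str(row)) for row in rows)


if __name__ == "__main__":
    events = member_events(SAMPLE_LOG.splitlines())
    print("member view, top sources:", member_source_toplist(events))
    public = public_target_toplist(events)
    print("public view, top targets:", public)
    print("public view free of addresses:", public_view_is_address_free(public))
```

The same split applies to the interactive sensors' logs: the member interface may show the external source address, the public graphs only the aggregate per service.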
In addition to the services provided above, the PROBE device performs the following, significantly restricted, standalone networking activities. Please enable these communication directions when installing the device:
- Maintaining an OpenVPN connection to the PROBE centre (probe.cert.hu, currently 195.111.1.55) - a connection allowing system management and log collection is needed to perform the basic functionality of the PROBE. The VPN connection is private and protected by an internal firewall, and only strictly limited services are available from individual PROBE devices and from the central office.
- Using public DNS via public resolvers (e.g. 8.8.8.8, 8.8.4.4) - during system start-up or manual network configuration, the probe uses these resolvers to locate the central logging server. Afterwards it uses a private DNS service over the central VPN connection. The probe device also checks the availability of its network connection every hour by accessing 8.8.8.8.
- Using public NTP via public (ntp.org) time servers - time synchronisation is a prerequisite for establishing network connectivity during system start-up, since the device has no persistent hardware RTC.
- Sending local ARP requests and responses - the standard local (LAN) protocol used to keep the PROBE network connection operational.
- Sending local DHCP requests and responses - by default, the network configuration of PROBE devices is done using the DHCP protocol. Manual (static) IP configuration of PROBE devices is also possible as described below.
- Sending standard traceroute and ICMP echo requests - occasionally, to detect network anomalies, typically as a result of commands issued manually by HunCERT operating staff.
Please place the device in a network environment that does not clearly indicate its intended use and does not visibly distinguish the PROBE device from other network devices. For this reason, please avoid using overly explicit PTR records or otherwise empty IP subnets that are not used for any other purpose. Please only place one PROBE device on a Class C subnet.
Network Configuration (static IP address)
By default, PROBE devices obtain network configuration using DHCP requests. If this is not appropriate in the intended target environment, it is possible to configure the stations using static IP.
To do this, connect an HDMI display and a USB keyboard to the device, then log in with the user name "netconf" and password "netconf". This launches a simple configuration script that allows the necessary settings to be configured and checked.
Note: Naturally, the user "netconf" can only be used for physical access as described above; it does not provide remote administrator access to the device.
Guidelines
HunCERT will not change the behavioural characteristics of the PROBE tools, nor the terms and conditions for the handling and use of the data collected, as specified in this specification, without the explicit consent of the sponsors (members) participating in the programme. Exceptions to this rule are the introduction of new passive sensor functions (planned: NTP, DNS) and fixes for critical security issues.
HunCERT will do its utmost to ensure that participation in the programme involves the least possible technical and legal risk, but will not be liable for any direct or indirect damage associated with the equipment deployed or the data collected.
In the event of misuse, attempted misuse or security incidents, HunCERT reserves the right to exclude the responsible members from the programme.
HunCERT reserves the right to publicly display the names and logos of the sponsoring members participating in the Programme in information materials related to the Programme.
Any owner of an Internet service endpoint physically located in Hungary and available at a public IP address (natural person of Hungarian nationality or legal person, company or organisation with a registered office in Hungary) may join the PROBE programme.
To join, the member must ensure the proper operation of the PROBE device (power supply, Internet connection) free of charge and on a continuous basis, and must have the right to use the physical network connection point and public IP address provided for the device. The PROBE device may only be placed at a public IP address dedicated exclusively to it.
Joining the PROBE programme is free of charge. Member-level access to the data shared as detailed in the privacy statement will be granted for the duration of the proper functioning of the PROBE device installed.
The current, official version of the simplified terms and conditions for joining HunCERT PROBE and other general terms and conditions and declarations relating to the HunCERT PROBE programme, as set out in this brochure, can be found in the GTC.
Please support the HunCERT PROBE programme by installing a PROBE device! Participation in the programme is free of charge.