Skip to content

Project Caretaker aims to provide a Threat Feed for North Dakota so that anyone can verify Internet reputation.

License

Notifications You must be signed in to change notification settings

jblukach/caretaker

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Project Caretaker

Reputation is the most critical asset available when using the Internet, as it helps us decide which services we feel safe using. It can also impact an end-users ability to use the web if the connection had previous suspect behavior. Project Caretaker aims to provide a Threat Feed for North Dakota so that anyone can verify Internet reputation.

Every day at 14:00 UTC, the Internet addresses for the Broadband Association of North Dakota (BAND) members, North Dakota Univesity System (NDUS), and the State of North Dakota (ITD) get updated from Security Trails, a Recorded Future company.

I added additional Internet Service Providers (ISPs) to improve state coverage. 🌎

Autonomous System Numbers (ASN)

  • 11138 - BEK Communications Cooperative (BCC-141)
  • 11232 - Midcontinent Communications (MIDCO-1)
  • 14090 - North Dakota Telephone Company (GONDT)
  • 14511 - Polar Communications (PLAR)
  • 14543 - SRT Communications, Inc. (SRTC)
  • 15267 - 702 Communications (702COM)
  • 18780 - Reservation Telephone Coop. (RTC-81)
  • 19530 - State of North Dakota, ITD (SNDI-1)
  • 21730 - Halstad Telephone Company (HALSTA)
  • 26794 - Dakota Carrier Network (DCN-38)
  • 27539 - West River Telecommunications Cooperative (WRVR)
  • 29744 - United Telephone Mutual Aid Corporation (UNITED-190)
  • 31758 - Griggs County Telephone Co. (GCT-43)
  • 32809 - Dickey Rural Networks (DRN-3)
  • 33339 - Nemont Telecommunications (NEMON-2)
  • 36374 - Stellar Association, LLC (SAL-65)
  • 55105 - Northwest Communications Cooperative (NCC-115)
  • 63414 - Dakota Central Telecommunications Cooperative (DAKTE)
  • 400439 - Consolidated Telecommunications (CONSO-10)

It results in 1,295,104 IPv4 addresses and 31 IPv6 cidr allocations to monitor for reputation.

A /32 subnet of IPv6 has 65,536 /48 subnets, each with 65,536 /64 subnets with 18,446,744,073,709,551,616 addresses, making a vast number. IPv6 addresses get converted to integers to determine if they fall into any of the monitored ranges.

Brand Monitoring

Every day at 14:00 UTC, queries run against Censys for trusted certificates with the province of either North Dakota or the abbreviation ND to collect 8,232 domain names for apex and www brand monitoring.

Thank you to Censys for providing research access that makes this possible!

Certificate Transparency (CT) is a security standard for monitoring and auditing the issuance of digital certificates. Chrome, Firefox, Safari, etc., web browsers require certificates to be listed to be trusted when surfing the Internet.

The domain names from the certificates are normalized to guarantee valid top-level domains with wild cards removed.

Email Security

Every day at 15:00 UTC, domains are checked for Mail Exchange (MX) records to determine if an email server is present; once identified, verification of Domain-based Message Authentication, Reporting & Conformance (DMARC), and Sender Policy Framework (SPF) records occurs.

Sender Policy Framework is an email authentication standard that determines the addresses and domains that can send emails that require reputation monitoring.

Misconfiguration

Every day starting at 15:00 UTC, queries run against Censys for misconfigurations that expose insecure services to the Internet.

Thanks again to Censys for providing research access that makes this possible!

Monitored Services

ACTIVEMQ AFP AMQP APPLE_AIRPORT_ADMIN
BACNET COAP COBALT_STRIKE CWMP +
DARKGATE DCERPC DHCPDISCOVER DNP3
ECHO ELASTICSEARCH EPMD ETHEREUM
FINGERD FOX FTP IMAP
IPMI IPP ISCSI IOTA
KRPC KUBERNETES LDAP MDNS
MEMCACHED MMS MODBUS MONERO_P2P
MONGODB MQTT MSSQL MYSQL
NBD NETBIOS NNTP OPC_UA
ORACLE PC_ANYWHERE PCOM PGBOUNCER
POP3 PORTMAP POSTGRES PPTP
PROMETHEUS REDIS RLOGIN ROCKETMQ
RDP RTSP S7 SCCM
SIP SKINNY SMB SNMP
SPICE SSDP TACACS_PLUS TEAM_VIEWER
TELNET TFTP TPLINK_KASA UPNP
VNC WHOIS WINRM X11
ZEROMQ

+ CWMP prevalence required exclusion from Midcontinent results.

Reputation

The following threat feeds pull at thirty minutes past the hour to determine if any addresses from North Dakota exist on the lists.

If there are others that you would like added, please open an issue on the repository?

I appreciate all the work that goes into maintaining these lists - thank you!

The critical part is making the results usable by anyone with just a website visit!

The lookup completes using the Internet address your connection originates from to protect the potential sensitivity of the returned results.

We don't want to tip the hand like playing cards, losing the advantage!

If the website returns gray, it means there is no data currently available, but that does not mean there still could not be a problem.

Project Caretaker Unknown Alert

When the website returns orange, it will list sources and last-seen timestamps of potential reputation concerns.

Project Caretaker Suspect Alert

When the website returns yellow, monitoring is not occurring.

Project Caretaker Suspect Alert

When the website returns red, please try again or check back later.

Project Caretaker Error Alert

You may require additional assistance to resolve the issue outside of this project; at least the awareness to start asking questions will exist.