Darknets
For those of you who are not familiar with the term Darknet, here is an excerpt from Wikipedia: A darknet is a private virtual network where users connect only to people they trust. In its most general meaning, a darknet can be any type of closed, private group of people communicating, but the name is most often used specifically for file sharing networks. “The darknet” can be used to refer collectively to all covert communication networks
. However, in the information security field, this term has a slightly different meaning.
A darknet is any routed network which does not have visible servers/hosts, apart from a transparent machine which acts as a blackhole, i.e any packet sent to that network will be logged by the machine for further analysis. The network is dark because no traffic should have resulted naturally in its segments due to the fact that there is nothing interesting there.
Darknets are extremely easy to setup and yet they are one of the most efficient ways to detect suspicious activities without the overhead of false-positives IDS and IPS solutions current provide. Think about the busiest network if have ever seen. How many false-positives do you encounter in the course of a single day? Quite a few, I guess. This is what attackers usually relay on. They know that the busier the network is the higher the chances for their activities to remain undetected. However, darknets usually don’t receive any traffic at all, therefore any packets that arrive the perimeter of the network should be treated as a potential threat. No false, positives whatsoever. Of course, if the attacker knows about the existence of such a network, they can easily bombard it with all sorts of meaningless and useless packets but the point is that someone is messing around which a good reason to change your defcon level of your infrastructure.
There you go. Simple, but rather effective tactic for all to make use of.
comments
People used call it HONEYPOT.
Like the concept do you know where I could find some organized info on this I have did a number of google searches but other than articles about it can find too much except from https://ecc.equinix.com/peering/downloads/Team%20Cymru%20-%20Equinix.ppt
Thanks and keep up the good work!
Robby
Hugo, darknets are not honeypots. In fact, they are the opposite to honeypots. While honeypots try to look interesting in order to attract the attacker’s attention, darknets are mostly sitting passively waiting for someone to come in. They are not designed to look interesting but the simple fact that someone is sending packets to them is very, very, intriguing and suspicious.
“The opposite of honeypots”, very interesting concept!
That’s like when my computer is connected but there are no programs running (just a sniffer). When there’s incoming traffic, it’s often bots/worms/etc scanning my IP range (it’s easy to know what it is depending on the packets or the port utilized… Google helps a lot here!)
or even more interesting when there is outgoing traffic!