Fri, 04 Apr 2008 08:44:00 GMT
by pdp

A darknet is a private virtual network where users connect only to people they trust. In its most general meaning, a darknet can be any type of closed, private group of people communicating, but the name is most often used specifically for file sharing networks. "The darknet" can be used to refer collectively to all covert communication networks. However, in the information security field, this term has a slightly different meaning.

A darknet is any routed network which does not have visible servers/hosts, apart from a transparent machine which acts as a blackhole, i.e. any packet sent to that network will be logged by the machine for further analysis. The network is dark because no traffic should naturally arrive in its segments, since there is nothing interesting there.

Darknets are extremely easy to set up, and yet they are one of the most efficient ways to detect suspicious activities without the overhead of the false positives that IDS and IPS solutions currently produce. Think about the busiest network you have ever seen. How many false positives do you encounter in the course of a single day? Quite a few, I guess. This is what attackers usually rely on. They know that the busier the network is, the higher the chances for their activities to remain undetected. However, darknets usually don't receive any traffic at all, therefore any packets that arrive through the perimeter of the network should be treated as a threat. No false positives whatsoever. Of course, if the attacker knows about the existence of such a network, they can easily bombard it with all sorts of meaningless and useless packets, but the point is that someone is messing around, which is a good reason to change the defcon level of your infrastructure.

There you go. A simple but rather effective tactic for all to make use of.
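
The check described above, as an added example (not code from the original post): every record whose destination falls inside the dark prefix becomes an alert, grouped per source so that a flood of junk packets still produces a single entry. The prefix `192.0.2.0/24`, the log line format and the function names are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: an unused but routed prefix set aside as the darknet.
DARK_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample records from the logging host: "epoch src dst proto dport".
SAMPLE_LOG = """\
1207298640 198.51.100.7 192.0.2.10 tcp 445
1207298641 198.51.100.7 192.0.2.11 tcp 445
1207298642 198.51.100.7 192.0.2.12 tcp 445
1207298650 203.0.113.9 10.0.0.5 tcp 80
1207298655 203.0.113.40 192.0.2.200 udp 1434
1207298656 203.0.113.40 192.0.2.200 udp 1434
malformed line here
"""

def parse(line):
    """Return (ts, src, dst, proto, dport), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (int(parts[0]), ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), parts[3], int(parts[4]))
    except ValueError:
        return None

def darknet_hits(log_text, dark=DARK_PREFIX):
    """Group every packet destined for the dark prefix by source address."""
    hits = defaultdict(lambda: {"packets": 0, "targets": set(), "ports": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[2] not in dark:
            continue  # unparsable, or ordinary traffic to a live network
        entry = hits[str(rec[1])]
        entry["packets"] += 1
        entry["targets"].add(str(rec[2]))
        entry["ports"].add((rec[3], rec[4]))
    return dict(hits)

def report(hits):
    """One alert row per source, widest sweep of the dark range first."""
    rows = [(src, h["packets"], len(h["targets"]), sorted(h["ports"]))
            for src, h in hits.items()]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))

if __name__ == "__main__":
    for src, pkts, n_targets, ports in report(darknet_hits(SAMPLE_LOG)):
        print(f"{src}: {pkts} packet(s), {n_targets} dark host(s), ports={ports}")
```
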

Archived Comments

People used to call it HONEYPOT.
Like the concept. Do you know where I could find some organized info on this? I have done a number of Google searches, but other than articles about it I can't find too much except from https://ecc.equinix.com/peering/downloads/Team%20Cymru%20-%20Equinix.ppt. Thanks and keep up the good work! Robby
Hugo, darknets are not honeypots. In fact, they are the opposite to honeypots. While honeypots try to look interesting in order to attract the attacker's attention, darknets are mostly sitting passively waiting for someone to come in. They are not designed to look interesting, but the simple fact that someone is sending packets to them is very, very intriguing and suspicious.
Gustavo Cardial
"The opposite of honeypots", very interesting concept! That's like when my computer is connected but there are no programs running (just a sniffer). When there's incoming traffic, it's often bots/worms/etc scanning my IP range (it's easy to know what it is depending on the packets or the port utilized... Google helps a lot here!)
or even more interesting when there is outgoing traffic!
... Honeypots n' Darknets r not the same ...