A darknet (also called a network telescope) is a block of routed but unused IP address space: no host or service is assigned to these addresses, so the darknet never initiates traffic and, in its purest form, never answers it. Legitimate traffic has little reason to arrive there, so whatever does arrive is suspect. Much of it comes from adversaries probing the address space for vulnerable hosts that they can attack later.
A group of researchers from the Indian Institute of Technology (IIT) Kanpur, India, studied patterns of malicious activity on darknets by monitoring and analyzing darknet traffic across a /24 public IPv4 block belonging to IIT Kanpur.
Institutions such as IIT Kanpur usually have a large pool of public IP addresses assigned to them. Some of these addresses host active services, such as the institution's website and the departmental servers that handle its inbound and outbound traffic. At any point in time, however, some of the addresses are not allocated to any service. Those unallocated addresses form a darknet in the sense defined by Fachkha and colleagues in their study presented at the 2012 International Conference on Risks and Security of Internet and Systems (CRiSIS). Because nothing is assigned to these addresses, traffic sent to them is unexpected and often malicious. The researchers monitored darknet traffic to approximately 180 IPv4 addresses at IIT Kanpur; the monitored range also included a small number of active addresses. The traffic was analyzed for patterns associated with specific types of attack.
Types of Data Received by the Studied Darknet:
Monitoring a darknet differs from active approaches such as network intrusion detection systems (NIDS): the darknet is passive, so almost no interaction with the attacker takes place, and there is no legitimate traffic to separate from the malicious. Traffic received by a darknet falls into three main groups:
1. Traffic caused by misconfiguration, such as packets sent to a mistyped or stale address that happens to fall in the unused range.
2. Backscatter: responses (TCP SYN-ACK or RST segments, ICMP error messages) from victims of attacks that used spoofed source addresses falling inside the darknet range.
3. Traffic aimed directly at the darknet addresses, chiefly scans and probes looking for live hosts and open services.
Analysis of Darknet Traffic:
The researchers found that the darknet received roughly 4 MB of traffic per hour. A graph in the study plots the darknet's share of the total traffic sent to IIT Kanpur per day over a two-week period.
Most of the received traffic came from IPv4 sources, and TCP was the most common transport protocol, followed by UDP. The source addresses were geolocated and their countries of origin plotted on a map in the study.
Analyzing Darknet Traffic Using Bro:
Bro (renamed Zeek in 2018) is an open source network analysis framework. The researchers used it to analyze the captured and filtered darknet traffic from a period of roughly two weeks. Bro categorized the captured traffic, and from its output the researchers identified a large number of address-scan attempts, along with attacks in which an attacker appeared to be guessing SSH passwords. By share of the scan traffic, the targeted services were Telnet (port 23, 62.6%), SSH (port 22, 15.4%), SNMP (port 161, 10.4%) and HTTP (port 80, 6.3%).
Bro detected address-scan attempts originating from approximately 4,500 distinct source IP addresses spread across many countries. A source was counted as an address scanner once it had sent packets to at least 25 different hosts in the monitored range, which matches the default address-scan threshold in Bro's scan.bro policy script. These scans targeted TCP and UDP ports such as 1433 (Microsoft SQL Server), 80 (HTTP) and 22 (SSH). Because the monitored range included a few active hosts with an open SSH port, the capture also contained traffic to those hosts, and they mostly attracted SSH password-guessing attempts.
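The following is an added example, not code from the IIT Kanpur study or from Bro itself. It shows, in plain Python, the two pieces of logic the text describes: sorting inbound darknet packets into the three groups listed earlier (backscatter, direct probes, and a remainder attributed to misconfiguration), and then applying the 25-distinct-host rule to the probes to flag address scans the way Bro's scan policy does. The darknet prefix 203.0.113.0/24 (a documentation range), the packet field names and all sample traffic are constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress

# Assumed darknet prefix (TEST-NET-3), standing in for the study's /24.
DARKNET = ipaddress.ip_network("203.0.113.0/24")
# Bro's misc/scan.bro raises an address-scan notice once a source has touched
# this many distinct hosts; the study used the same value.
ADDR_SCAN_THRESHOLD = 25
# Explicit RFC 1918 check: ipaddress.is_private also matches the documentation
# ranges used for the sample traffic, so it is not used here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BACKSCATTER_ICMP = {0, 3, 11}  # echo reply, destination unreachable, time exceeded


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0       # destination port on the darknet side (0 for icmp)
    flags: str = ""      # tcp flags as letters, e.g. "S", "SA", "RA"
    icmp_type: int = -1  # icmp type, -1 when the packet is not icmp


def classify(pkt):
    """Map one inbound packet to 'backscatter', 'probe' or 'misconfig'.
    Returns None for packets not addressed to the darknet."""
    if ipaddress.ip_address(pkt.dst) not in DARKNET:
        return None
    src = ipaddress.ip_address(pkt.src)
    # A private source arriving at a public darknet is neither a real
    # scanner nor a real reply: a leak from a misconfigured network.
    if any(src in net for net in RFC1918):
        return "misconfig"
    if pkt.proto == "tcp":
        # No darknet host ever sends a SYN, so a SYN-ACK or RST can only be
        # answering a SYN that forged a darknet source address: backscatter.
        if pkt.flags in ("SA", "R", "RA"):
            return "backscatter"
        if pkt.flags == "S":
            return "probe"
    elif pkt.proto == "icmp":
        if pkt.icmp_type in BACKSCATTER_ICMP:
            return "backscatter"
        if pkt.icmp_type == 8:       # echo request: host discovery
            return "probe"
    elif pkt.proto == "udp":
        return "probe"               # unsolicited UDP to a dark host
    return "misconfig"               # leftovers, e.g. stray ACKs or fragments


def detect_address_scans(packets, threshold=ADDR_SCAN_THRESHOLD):
    """Return {src: (distinct_hosts, most_probed (proto, port))} for every
    source whose probes reached at least `threshold` distinct darknet hosts."""
    hosts = defaultdict(set)
    ports = defaultdict(Counter)
    for p in packets:
        if classify(p) != "probe":
            continue
        hosts[p.src].add(p.dst)
        ports[p.src][(p.proto, p.dport)] += 1
    return {src: (len(h), ports[src].most_common(1)[0][0])
            for src, h in hosts.items() if len(h) >= threshold}


def summarize(packets):
    """Packet counts per category, i.e. the three groups from the study."""
    return Counter(c for c in map(classify, packets) if c is not None)


# Constructed sample traffic (not captured data): a Telnet sweep over 30
# hosts, a three-host SSH probe that stays under the threshold, SYN-ACK
# backscatter from a web server hit by a spoofed-source flood, a leaked
# RFC 1918 source, and one packet that is not for the darknet at all.
SAMPLE = (
    [Packet("192.0.2.10", f"203.0.113.{i}", "tcp", 23, "S") for i in range(1, 31)]
    + [Packet("192.0.2.77", f"203.0.113.{i}", "tcp", 22, "S") for i in (5, 9, 200)]
    + [Packet("198.51.100.5", f"203.0.113.{i}", "tcp", 40000 + i, "SA") for i in range(50, 60)]
    + [Packet("10.0.0.3", "203.0.113.42", "udp", 137)]
    + [Packet("192.0.2.99", "198.51.100.20", "tcp", 80, "S")]
)

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    for src, (n, (proto, port)) in detect_address_scans(SAMPLE).items():
        print(f"address scan from {src}: {n} hosts, mostly {port}/{proto}")
```

On the sample above the Telnet sweep is reported as an address scan (30 hosts, 23/tcp) while the three-host SSH probe is not, which is the distinction the 25-host threshold is meant to draw; the backscatter and the private-source packet are counted but never feed the scan detector, since only direct probes say anything about who is scanning. Real captures would replace the constructed list with records parsed from a pcap or from Bro's conn.log.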
Implications of the study:
Although the study produced some interesting results, they cannot be generalized: the studied darknet is neither uniform (it contained live hosts) nor large enough to support reliable conclusions. The researchers stated that they will continue working in this area and intend to improve the efficiency of packet capture and widen the scope of traffic analysis in future studies, by using an active monitoring system (one that answers probes rather than silently recording them) and/or by studying a larger darknet space.