TY - GEN
T1 - Are darknets all the same? On darknet visibility for security monitoring
AU - Soro, Francesca
AU - Drago, Idilio
AU - Trevisan, Martino
AU - Mellia, Marco
AU - Ceron, Joao
AU - Santanna, Jose J.
N1 - Publisher Copyright: © 2019 IEEE.
PY - 2019/9/26
Y1 - 2019/9/26
N2 - Darknets are sets of IP addresses that are advertised but do not host any client or server. By passively recording the incoming packets, they assist network monitoring activities. Since the packets they receive are unsolicited by definition, darknets help to spot misconfigurations as well as important security events, such as the appearance and spread of botnets, DDoS attacks using spoofed IP addresses, etc. A number of organizations worldwide deploy darknets, ranging from a few dozen IP addresses to large /8 networks. Here we investigate how similar the visibility of different darknets is. By relying on traffic from three darknets deployed in different continents, we evaluate their exposure in terms of observed events given their allocated IP addresses. The latter is particularly relevant considering the shortage of IPv4 addresses on the Internet. Our results suggest that some well-known facts about darknet visibility seem invariant across deployments, such as the most commonly contacted ports. However, size and location matter. We find significant differences in the observed traffic from darknets deployed in different IP ranges as well as according to the size of the IP range allocated for the monitoring.
AB - Darknets are sets of IP addresses that are advertised but do not host any client or server. By passively recording the incoming packets, they assist network monitoring activities. Since the packets they receive are unsolicited by definition, darknets help to spot misconfigurations as well as important security events, such as the appearance and spread of botnets, DDoS attacks using spoofed IP addresses, etc. A number of organizations worldwide deploy darknets, ranging from a few dozen IP addresses to large /8 networks. Here we investigate how similar the visibility of different darknets is. By relying on traffic from three darknets deployed in different continents, we evaluate their exposure in terms of observed events given their allocated IP addresses. The latter is particularly relevant considering the shortage of IPv4 addresses on the Internet. Our results suggest that some well-known facts about darknet visibility seem invariant across deployments, such as the most commonly contacted ports. However, size and location matter. We find significant differences in the observed traffic from darknets deployed in different IP ranges as well as according to the size of the IP range allocated for the monitoring.
KW - Darknets
KW - Darkspaces
KW - Network telescopes
KW - Sinks
UR - http://www.scopus.com/inward/record.url?scp=85073155995&partnerID=8YFLogxK
U2 - 10.1109/LANMAN.2019.8847113
DO - 10.1109/LANMAN.2019.8847113
M3 - Conference contribution
AN - SCOPUS:85073155995
T3 - IEEE Workshop on Local and Metropolitan Area Networks
BT - 25th IEEE International Symposium on Local and Metropolitan Area Networks, LANMAN 2019
PB - IEEE Computer Society Press
T2 - 25th IEEE International Symposium on Local and Metropolitan Area Networks, LANMAN 2019
Y2 - 1 July 2019 through 3 July 2019
ER -