Are Darknets All The Same? On Darknet Visibility for Security Monitoring

Francesca Soro, I. Drago, Martino Trevisan, M. Mellia, J. Ceron, J. J. Santanna
Published in: 2019 IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN), 2019-07-01
DOI: 10.1109/LANMAN.2019.8847113 (https://doi.org/10.1109/LANMAN.2019.8847113)
Citations: 14

Abstract

Darknets are sets of IP addresses that are advertised but do not host any client or server. By passively recording the incoming packets, they assist network monitoring activities. Since the packets they receive are unsolicited by definition, darknets help to spot misconfigurations as well as important security events, such as the appearance and spread of botnets, DDoS attacks using spoofed IP addresses, etc. A number of organizations worldwide deploy darknets, ranging from a few dozen IP addresses to large /8 networks. Here we investigate how similar the visibility of different darknets is. By relying on traffic from three darknets deployed on different continents, we evaluate their exposure in terms of observed events given their allocated IP addresses. The latter is particularly relevant considering the shortage of IPv4 addresses on the Internet. Our results suggest that some well-known facts about darknet visibility seem invariant across deployments, such as the most commonly contacted ports. However, size and location matter. We find significant differences in the observed traffic from darknets deployed in different IP ranges as well as according to the size of the IP range allocated for the monitoring.