By Jonathan Yarden
In nature, vigilance and intelligence are essential for the survival of any species. The ability to communicate information quickly and uniformly, particularly threats, is often the difference between evolution and extinction.
Survival also depends on the ability to respond appropriately to a detected threat. The faster you can identify the location and intent of a possible threat, the faster you can choose a response. Intrusion detection systems (IDSs) act as a form of network "radar," but they generally only benefit specific networks.
As the importance and use of the Internet increases, rapid identification of threats at a global level becomes even more vital. Better advance warning benefits the entire Internet, and this is where darknets and network telescopes come into play.
These terms describe both a concept and an actual tool used for sounding early warning of Internet threats. By detecting port scanning activity early, it's possible to gain valuable information about a threat before it becomes widespread.
A darknet is basically a "dark" network, an area of routed IP address space that has few or no valid services or hosts. By default, you can consider any traffic entering a darknet from any source as hostile (except, of course, traffic you specifically know about).
The larger the IP address space, the better the darknet can monitor potential sources of malicious Internet traffic. If you configure a darknet with public Internet address space, you can use it to monitor malicious activity on the Internet itself. However, due to the limitations of public Internet address space, only organizations such as the Cooperative Association for Internet Data Analysis (CAIDA) and universities involved in Internet research generally set up darknets on public Internet space.
But you still have options on a private IP network. You can use a darknet to track internal network activity indicative of an internal host compromise or worm. Darknets aren't difficult to set up; just take a large chunk of IP space you aren't using for valid networks, and route it to a specific IP address.
While darknets are different from traditional IDSs, they use the same type of detection. But with a darknet, you know immediately that any traffic entering is hostile because there are no advertised services in a darknet. This solves two problems associated with traditional IDSs.
First, you don't need to classify the source of data. By design, a darknet only monitors traffic and serves no other purpose, so you know any data entering the darknet is hostile.
Second, you don't need to inspect the data to know that it's hostile. No one would be probing an empty network space unless he or she was looking for something.
It's enough to identify the source and destination IP addresses and protocol ports. Then, if you want to identify the specific worm or exploit associated with the hostile traffic, you can use an IDS such as Snort to fingerprint data packets rather quickly.
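The following is an added example, not code from the article or its author: it takes flow records collected at the address the darknet is routed to, keeps only flows whose destination falls in the dark prefix and whose source is not one you specifically know about, and summarises each remaining source by the distinct dark addresses and ports it touched, flagging sweeps of the kind an internal worm produces. The darknet prefix, the allow-listed address and the flow records are constructed values for this illustration.

```python
# Added example (not from the article): summarise flows that land in an internal
# darknet and flag sources sweeping many dark addresses.  DARKNET, KNOWN_SOURCES
# and SAMPLE_FLOWS are constructed values for this illustration.
import ipaddress
from collections import defaultdict

DARKNET = ipaddress.ip_network("10.200.0.0/16")      # unused space routed to the collector
KNOWN_SOURCES = {ipaddress.ip_address("10.0.0.5")}   # traffic you specifically know about

# Constructed records: "<epoch> <src> <dst> <proto> <dport>".  10.1.4.22 sweeps
# TCP/445 across dark space (worm-like); 10.0.0.5 is an allow-listed scanner;
# 10.1.9.8 makes one stray SNMP query plus a flow outside the darknet.
SAMPLE_FLOWS = """\
1700000000 10.1.4.22 10.200.3.1 tcp 445
1700000001 10.1.4.22 10.200.3.2 tcp 445
1700000001 10.1.4.22 10.200.3.3 tcp 445
1700000002 10.1.4.22 10.200.3.4 tcp 445
1700000002 10.1.4.22 10.200.7.9 tcp 139
1700000003 10.0.0.5 10.200.1.1 tcp 22
1700000003 10.0.0.5 10.200.1.2 tcp 22
1700000004 10.1.9.8 10.200.0.10 udp 161
1700000005 10.1.9.8 10.50.0.1 tcp 80
"""

def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)

def darknet_report(flows, darknet=DARKNET, known=KNOWN_SOURCES, sweep_threshold=3):
    """Per unknown source that hit the darknet: distinct dark targets, the
    (proto, port) pairs probed, and whether it looks like a sweep."""
    targets, ports = defaultdict(set), defaultdict(set)
    for line in flows.strip().splitlines():
        _, src, dst, proto, dport = parse_flow(line)
        if dst not in darknet or src in known:
            continue        # not darknet traffic, or a source you explicitly expect
        targets[src].add(dst)
        ports[src].add((proto, dport))
    return {
        str(src): {"targets": len(targets[src]),
                   "ports": sorted(ports[src]),
                   "sweep": len(targets[src]) >= sweep_threshold}
        for src in targets
    }

if __name__ == "__main__":
    for src, info in sorted(darknet_report(SAMPLE_FLOWS).items()):
        print(src, info)
```

The source flagged as a sweep is the one to hand to a packet-level tool such as Snort for fingerprinting; the single-hit source is more likely a misconfiguration worth a look than a worm.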
Whether darknets are valuable in the corporate environment depends on your definition of security. Darknets don't stop hostile traffic at the perimeter like a firewall, nor do they block viruses or filter content. But a darknet specifically monitors traffic that shouldn't occur at all, and it provides yet another tool for your security arsenal.
Darknets can provide early notification of wide-scale Internet threats and therefore play a role in Internet security. For example, you could use a darknet on an internal corporate network to quickly identify hosts infected with a network worm before the worm spreads to the entire internal network—and possibly before antivirus software can even detect it.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.