In nature, vigilance and intelligence are essential for the
survival of any species. The ability to communicate information quickly and
uniformly, particularly threats, is often the difference between evolution and
Survival also depends on the ability to respond
appropriately to a detected threat. The faster you can identify the location
and intent of a possible threat, the faster you can choose a response.
Intrusion detection systems (IDSs) act as a form of network “radar,”
but they generally only benefit specific networks.
As the importance and use of the Internet increases, rapid
identification of threats at a global level becomes even more vital. Better
advance warning benefits the entire Internet, and this is where darknets and
network telescopes come into play.
These terms describe both a concept and actual tool used for
sounding early warning of Internet threats. By detecting port scanning activity
early, it’s possible to gain valuable information about a threat before it
A darknet is basically a “dark” network, an area
of routed IP address space that has few or no valid services or hosts. By
default, you can consider any traffic entering a darknet from any source as
hostile (except, of course, traffic you specifically know about).
The larger the IP address space, the better the darknet can
monitor potential sources of malicious Internet traffic. If you configure a
darknet with public Internet address space, you can use it to monitor malicious
activity on the Internet itself. However, due to the limitations of public
Internet address space, only organizations such as the Cooperative Association
for Internet Data Analysis (CAIDA) and universities involved in Internet
research generally set up darknets on public Internet space.
But you still have options on a private IP network. You can
use a darknet to track internal network activity indicative of an internal host
compromise or worm. Darknets aren’t difficult to set up; just take a large
chunk of IP space you aren’t using for valid networks, and route it to a
specific IP address.
While darknets are different from traditional IDSs, they use
the same type of detection. But with a darknet, you know immediately that any
traffic entering is hostile because there are no advertised services in a
darknet. This solves two problems associated with traditional IDSs.
First, you don’t need to classify the source of data. By
design, a darknet only monitors traffic and serves no other purpose, so you
know any data entering the darknet is hostile.
Second, you don’t need to inspect the data to know that it’s
hostile. No one would be probing an empty network space unless he or she was
looking for something.
It’s enough to identify the source and destination IP
addresses and protocol ports. Then, if you want to identify the specific worm
or exploit associated with the hostile traffic, you can use an IDS such as
Snort to fingerprint data packets rather quickly.
Whether darknets are valuable in the corporate environment
depends on your definition of security. Darknets don’t stop hostile traffic at
the perimeter like a firewall, nor do they block viruses or filter content. But
a darknet specifically monitors traffic that shouldn’t occur at all, and it
provides yet another tool for your security arsenal.
Darknets can provide early notification of wide-scale
Internet threats and therefore play a role in Internet security. For example,
you could use a darknet on an internal corporate network to quickly identify
hosts infected with a network worm before the worm spreads to the entire
internal network—and possibly before antivirus software can even detect it.
Miss an issue?
Check out the Internet Security Focus
Archive, and catch up on the most recent editions of Jonathan Yarden’s
Want more advice for
locking down your network? Stay on top of the latest security issues and
industry trends by automatically
signing up for our free Internet Security Focus newsletter, delivered each
Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.