Darknet traffic - what can we learn from nooks and crannies of the internet?

No ratings

Presented at ConfidenceKrakow 2018 by

Piotr Bazydło

Darknet (network telescope) is an unused space of IP addresses, where normally weshould observe no network traffic. However, it occurs that a lot of network packets can be observed,although no services or applications are available at these IP addresses. Origin of this networktraffic can be usually divided into three categories: (1) misconfiguration of networkdevices/applications, (2) scanning activities, (3) backscatter from DoS attacks. According to this, wecan observe a lot of interesting activities in this traffic. First of all, it is possible to track DoSvictims (spoofed attacks). Secondly, we can observe trends in the scanning activities, thus allowingus to identify new threats and potential victims. We can also track scanning activity related to theamplified DRDoS attacks, which are probably the most destructive DoS attacks. Moreover, we areable to track activity of some botnets and as a result, we are collecting data about the infecteddevices, botnets' behavior and sometimes about their victims (DoS).I am observing NASK's darknet traffic for several months. Mean number of packets received perhour is is equal to 25 millions. On this basis, I would like to talk about activities seen in darknet,present some statistics concerning this traffic, show some case-studies concerning observed DoSattacks and describe botnet fingerprinting in this traffic.