Practical "Dark network" Measurement --- practical Darknet Measurement

Today's Internet is plagued by various attacks, which are usually targeted at users or network facilities. A popular method to detect attacks and infected hosts is to detect unused network addresses. Since many network threats are spread randomly, attempts can be captured by monitoring unused address spaces. These components used to monitor unused address spaces are called "darknets", "Network telescopes", or "blackholes ). They capture important information about a variety of threats, such as worms, DoS attacks, and botnets. Describes and analyzes important measurement problems related to the deployment of "Dark network", evaluation layout, service configuration, and data collected by "Dark network. As a support, we have used Internet motion sensor (IMS) operation data for up to four years, the distributed "Dark network" of this network monitors traffic from 60 different IP address blocks in 19 organizations in 3 continents.

First, we will describe how to install and configure "Dark network" to direct traffic destined for unused addresses to the monitoring system. Then we analyze the data from different sizes of "Dark network" to evaluate the storage and network resources required for "Dark network" measurement. Then we discussed how the "Dark network" layout in the address space and network topology affects the visibility of the monitoring system. We also described how message response affects visibility. Specifically, we show how the interaction is described in the response-free, SYN-ACK response, simulation system, application-level response, and real honeypot host response, this interaction provides intelligence about network events and threats. Finally, by understanding how to deploy and configure the "Dark network" monitor, we describe the different methods used to identify important events from the data collected by the "Dark network" monitor.

The "Dark network" provides a large amount of high-dimensional measurement data, which is divided into four categories:

1. Attackers attempt to infect themselves through worms, botnets, and tools;

2. misconfigured application requests and responses;

3. Reverse spoofing DoS Attacks;

4. Network Scanning and detection.