The Deployment of a Darknet on an Organization-Wide Network: An Empirical Analysis

Publication Type: Conference Papers
Year of Publication: 2008
Authors: Berthier R, Cukier M
Date Published: 2008/12
Keywords: attack traffic, backscatter, darknet sensors, external source IP address, malicious traffic, organization network, organization-wide network, TCP scan, telecommunication congestion control, transmission control protocol, Transport protocols
Abstract

Darknet sensors have the interesting property of collecting only suspicious traffic, including misconfiguration, backscatter and malicious traffic. The type of traffic collected highly depends on two parameters: the size and the location of the darknet sensor. The goals of this paper are to study empirically the relationship between these two parameters and to try to increase the volume of attackers detected by a given darknet sensor. Our empirical results reveal that on average, on a daily basis, 485 distinct external source IP addresses perform a TCP scan on one of the two /16 networks of our organization's network. Moreover, a given darknet sensor of 77 IP addresses deployed in the same /16 network collects on average attack traffic from 26% of these attackers.

DOI: 10.1109/HASE.2008.54