
Comparative analysis of darknet traffic characteristics between darknet sensors


Abstract

Today, the Internet is incessantly attacked by a wide variety of network-based threats. One way to monitor or identify such prevailing threats is to monitor incoming traffic to unused network addresses, popularly known as a darknet and also referred to by other names such as network telescope or black hole, since all traffic arriving at a darknet is mainly the result of malicious probing or misconfiguration in the network. Incoming traffic behaviour is expected to be similar across different darknet sensors; however, various studies have found it to differ. The reasons cited for this include misconfiguration, certain kinds of attack, and differences in filtering parameters or in the system configuration itself. However, a concrete reason is still missing. To gain further understanding, in this study we performed a deeper comparative analysis between two darknet sensors (KISTI Darknet network) that are located differently but have similar filtering and system configuration. Comparative analysis considering total incoming packets, number of source hosts, targeted destination ports and protocols revealed that there is a wide difference in incoming traffic characteristics between the darknet sensors. Moreover, in the TCP and UDP comparison, UDP traffic showed more targeting behaviour towards a particular darknet block (difference in traffic characteristics between darknet sensors), whereas TCP traffic showed more scanning behaviour (similarity in traffic characteristics between darknet sensors).
