Off the grid: the darknet exposed

We're going down two separate tangents with this article because there are two definitions of the word 'darknet'.

The first is 'the darknet'. In parallel with 'the internet', this refers to IP addresses that may well be in use but which aren't publicly known and aren't indexed by search engines. They have no associated DNS name, so if you don't know about them then they may as well not exist.

They cover corporate servers that don't need to be advertised to the world, IP addresses that are allocated but unused and research machines left as bait for hackers and malware.

The second definition (which is 'darknets') is used to define groups of computers on the internet and the technologies they run that enable them to share digital content. Traditionally this content is stolen, but as we'll see, darknets are also providing a method of distributing legitimate content.

Before we delve into that murky world, though, let's look at how the first 'darknet' works.

Setting the trap

How do you catch a hacker? This question has occupied online security researchers for as long as hackers and malware writers have been a threat.

The problem with internet traffic is its complexity. How do you determine whether a connection request is legitimate? Luckily, the darknet hides an ingenious technique that can spot malicious traffic without fail.

The idea is deceptively simple. An un-patched computer is left unannounced on a 'dark' IP address and the researchers wait for it to become infected with malware, or hacked for use as a platform for launching attacks against other targets.

Reports vary, but the time before infection or subversion takes place in these circumstances has been clocked at just four hours from first going online. However, not all is as it seems.

This harmless-looking computer is nothing of the sort. It's actually a sophisticated decoy system running software that takes connection requests and emulates the responses of a real computer, right down to the patch level of its services. The hacker or malware is caught in a 'honeypot', like Winnie the Pooh trying to get at his favourite sticky treat.

Some honeypots are 'sticky', meaning they deliberately run slowly to keep hackers busy and to slow the spread of malware. All interactions with the honeypot are recorded for later analysis, and anti-malware companies develop their products in direct response to the results gathered by their honeypots.

Because of the way the TCP/IP protocol and the internet's routers work, it's impossible for traffic to be misdirected unless it's done deliberately. Packets may become lost along the way, but that's a problem of congestion rather than misdirection.

By deliberately placing a honeypot system on a 'dark' IP address, any connection requests must have come from malware looking for new PCs to infect or from hackers looking for new systems to subvert and take over. The technique is also known as an 'internet motion sensor' or 'internet telescope'.

Using the same technique, researchers can also gauge the level of distributed denial of service (DDoS) attacks happening at any one time. This works because the source addresses of the packets sent in a DDoS attack are usually randomised to make it harder for the victim to quench the ongoing barrage.

The acknowledgement packet sent automatically by the target for each connection request is sent to these random addresses and is known as 'back scatter'. Some of these return addresses are dark addresses belonging to online security companies. Analysis of the received packets can determine the target, and analysis of how packet sequence numbers increase over time can gauge the severity of the attack.

Malware and automated target-identification software automatically scans vast blocks of public IP addresses looking for telltale signs that a computer is listening. You can monitor for such activity at home using your own honeypot, such as the free Windows Honeybot produced by Atomic Software Solutions.