Off the grid: the darknet exposed

8th Nov 2009 | 17:19

Off the grid: the darknet exposed

Explore the uses and abuses of the net's darkest corners

How the darknet works

We're going down two separate tangents with this article because there are two definitions of the word 'darknet'.

The first is 'the darknet'. In parallel with 'the internet', this refers to IP addresses that may well be in use but which aren't publicly known and aren't indexed by search engines. They have no associated DNS name, so if you don't know about them then they may as well not exist.

They cover corporate servers that don't need to be advertised to the world, IP addresses that are allocated but unused and research machines left as bait for hackers and malware.

The second definition (which is 'darknets') is used to define groups of computers on the internet and the technologies they run that enable them to share digital content. Traditionally this content is stolen, but as we'll see, darknets are also providing a method of distributing legitimate content.

Before we delve into that murky world, though, let's look at how the first 'darknet' works.

Setting the trap

How do you catch a hacker? This question has occupied online security researchers for as long as hackers and malware writers have been a threat.

The problem with internet traffic is its complexity. How do you determine whether a connection request is legitimate? Luckily, the darknet hides an ingenious technique that can spot malicious traffic without fail.

The idea is deceptively simple. An un-patched computer is left unannounced on a 'dark' IP address and the researchers wait for it to become infected with malware, or hacked for use as a platform for launching attacks against other targets.

Reports vary, but the time before infection or subversion takes place in these circumstances has been clocked at just four hours from first going online. However, not all is as it seems.

This harmless-looking computer is nothing of the sort. It's actually a sophisticated decoy system running software that takes connection requests and emulates the responses of a real computer, right down to the patch level of its services. The hacker or malware is caught in a 'honeypot', like Winnie the Pooh trying to get at his favourite sticky treat.

Some honeypots are 'sticky', meaning they deliberately run slowly to keep hackers busy and to slow the spread of malware. All interactions with the honeypot are recorded for later analysis, and anti-malware companies develop their products in direct response to the results gathered by their honeypots.

Because of the way the TCP/IP protocol and the internet's routers work, it's impossible for traffic to be misdirected unless it's done deliberately. Packets may become lost along the way, but that's a problem of congestion rather than misdirection.

By deliberately placing a honeypot system on a 'dark' IP address, any connection requests must have come from malware looking for new PCs to infect or from hackers looking for new systems to subvert and take over. The technique is also known as an 'internet motion sensor' or 'internet telescope'.

Using the same technique, researchers can also gauge the level of distributed denial of service (DDoS) attacks happening at any one time. This works because the source addresses of the packets sent in a DDoS attack are usually randomised to make it harder for the victim to quench the ongoing barrage.

The acknowledgement packet sent automatically by the target for each connection request is sent to these random addresses and is known as 'back scatter'. Some of these return addresses are dark addresses belonging to online security companies. Analysis of the received packets can determine the target, and analysis of how packet sequence numbers increase over time can gauge the severity of the attack.

Malware and automated target-identification software automatically scans vast blocks of public IP addresses looking for telltale signs that a computer is listening. You can monitor for such activity at home using your own honeypot, such as the free Windows Honeybot produced by Atomic Software Solutions.

Creating a honeypot

Honeybot is a 'low interaction' honeypot. That is, it's designed to be left to defend the network on its own without needing much human help.

Before you install it, however, explicitly run an update to your antivirus system. Now run Windows Update and install all the patches you've been putting off installing. Finally, ensure that Windows Firewall is running.

Honeybot emulates open ports to mimic services that are traditionally exploited by malware and hackers and then captures all the traffic and logs the results. Should someone or something try to inject an exploit via an open port, Honeybot safely stores the file for later inspection. Atomic Software Solutions says its own Honeybot server has captured thousands of exploits.

To install Honeybot, run the executable. At the resultant dialog, click 'Next', accept the agreement and press 'Next' again. When prompted, leave the installation location and Start menu folder as they are. You can create a desktop icon and autostart the honeypot by selecting the two checkboxes on the resulting screen. To finish, click 'Next', and finally 'Install'.


HONEYPOT:You can configure Honeybot to sound an alert when it detects incoming connections

Once installed, start Honeybot and the user interface will appear. A pop-up box will ask if you want to configure it now. Press 'Yes' and the Configuration window will open. This has four tabs. The first, General, lets you define whether Honeybot starts at system boot-up.

You can also define whether you receive an audible warning of incoming connection requests, whether to capture any binaries injected into the honeypot and whether you want the log to rotate.

Rotation is a technique that limits the log's size by overwriting older entries with new ones, thereby saving disk space. You can also enter a descriptive name for the server on this tab, which will be seen by hackers and malware connecting to some faked services such as telnet and FTP.

The second tab, Email Alert, allows you to have Honeybot send you an email when it detects an attack. Simply enter the name of the mail server it should use (your ISP's SMTP server, for example) and the recipient's email address. You should leave the port number at 25, as this is the standard port for outgoing mail.

If you'd like to help Atomic Software Solutions track attacks as they happen, the third tab, Reports, is for you. Simply tick the 'Upload Logs' box and, if you have chosen to rotate your logs, they'll be uploaded anonymously to a central server.

Finally, the Updates tab enables you to automatically install Honeybot's updates. This is very important, as honeypots need to be as secure as possible and any vulnerability needs patching as it appears. Finally, click 'OK' and then press the blue 'Start' button on the main user interface.

If you hover the mouse over these buttons, a tool tip will tell you what they all do. If you have multiple network adaptors on the machine (which will be the case if your machine is connected both to your home's internal network and to an internet modem), Honeybot will present a pop-up box asking which networks it should monitor. Select 'All' for the moment and press 'OK' to continue.

At this point, Windows Firewall should leap into action and ask if you want to keep on blocking Honeybot or if you'd rather let it through. Select the 'Unblock' option and Honeybot will create its fake ports and the services behind them.

After a few minutes, Honeybot may start alerting you to incoming traffic, but we can also explicitly test its responses. To do so, open a web browser and go to Select 'Quick Scan', click to say that you agree to the terms and conditions and press the 'Scan Now!' button.

nmap online

QUICK SCAN:The online Nmap port scanner will soon tell you if Honeybot is doing its job

After a few seconds, traffic should begin to be visible in Honeybot. When Nmap has finished its scan, it should report that lots of (thankfully fake) ports are open.

To turn the source IP addresses of incoming traffic into more meaningful names, go to, enter the IP address and hit [Enter]. This free service looks through DNS registries to find information about the domain that owns the IP address in question.

Inside darknets, the darker networks

Darknets, as opposed to 'the' darknet, are groups of networked computers and the technologies they run that enable them to swap files. This is usually done illegally, but that's not the only way they're used.

Darknets began life long ago as 'sneaker nets': loose associations of individuals and friends with lists of CDs and tapes they were willing to swap. As the internet took off in the 1990s, geography stopped being a constraint on the activities of sneaker nets.

The original internet-based darknets were simply insecure or public FTP servers where users could upload stolen files for others to download.

Reaching the peak of their popularity in around 1998, such servers were easily shut down by law enforcement agencies. In response, illegal file sharers moved to peer-to-peer technologies to cover their tracks.

In a paper presented to the 2002 Association of Computing Machinery Workshop on Digital Rights Management, four researchers from Microsoft charted the rise of internet-based darknets.

One file-sharing system they singled out was Napster. "There should be little doubt," said the researchers, "that a major portion of the massive (for the time) traffic on Napster was of copyrighted [files] being transferred in a peer-to-peer model in violation of copyright law."

Napster claimed not to store any copyrighted material, but it did maintain a central database of who had what content for download. This was its Achilles' heel, but as the Microsoft researchers rightly pointed out, "ultimately the darknet-genie will not be put back into the bottle".

Their prediction soon came true. After the demise of Napster in July 2001, the Gnutella protocol became popular. Programmers coded their own Gnutella clients and users formed peer-to-peer darknets with them to swap content.

This time, however, there was no central database of who had what file. Instead, the protocol swapped this information directly between the users' computers.

Today, BitTorrent has become the most widely used darknet protocol on the internet, and it accounts for around 40 per cent of all traffic.


VUZE:Peer-to-peer clients like Vuze aren't just used by pirates: they're also used to download legitimate content

However, the way this and other peer-to-peer protocols share files also make them ideal for streaming huge, legitimate files such as Linux distributions without putting undue stress on any one PC.

The BBC's iPlayer streaming media service originally used Kontiki's peer-to-peer technology, as do Sky Anytime and Channel 4's On Demand service. The darknet genie may be out of the bottle, but it's certainly not all bad.


First published in PC Plus Issue 287

Liked this? Then check out Network scanning secrets revealed

Sign up for TechRadar's free Weird Week in Tech newsletter
Get the oddest tech stories of the week, plus the most popular news and reviews delivered straight to your inbox. Sign up at

Follow TechRadar on Twitter

security Hacking
Share this Article

Most Popular

Edition: UK
TopView classic version