Internet Background Noise #
Internet background noise (IBN) consists of data packets on the Internet which are addressed to IP addresses or ports where there is no network device set up to receive them. These noise packets are the result of port scans and worm activities.
A nice view of the internet background noise
http://www.switch.ch/security/services/IBN/
Dark Internet #
Part of routed IP space in which no active services or servers reside.
Traffic received on these addresses is considered Internet background noise.
Monitoring incoming traffic on part of this address space can be used to build intrusion prevention systems.
Resources #
The Team Cymru Darknet Project http://www.cymru.com/Darknet/
A Darknet is a portion of routed, allocated IP space in which no active services or servers reside. These are "dark" because there is, seemingly, nothing within these networks.
Any packet that enters a Darknet is by its presence aberrant. No legitimate packets should be sent to a Darknet. Such packets may have arrived by mistake or misconfiguration, but the majority of such packets are sent by malware. This malware, actively scanning for vulnerable devices, will send packets into the Darknet, and this is exactly what we want.
Darknets have multiple uses. These can be used to host flow collectors, backscatter detectors, packet sniffers, and IDS boxes. The elegance of the Darknet is that it cuts down considerably on the false positives for any device or technology.
The network telescope http://www.caida.org/analysis/security/telescope/
A network telescope is a portion of routed IP address space on which little or no legitimate traffic exists. Monitoring unexpected traffic arriving at a network telescope yields a view of certain remote network events. Among the visible events are various forms of flooding DoS attacks, infection of hosts by Internet worms, and network scanning.
Internet Motion Sensor http://ims.eecs.umich.edu/
The Internet Motion Sensor (IMS) is a globally-scoped threat monitoring system whose goal is to measure, characterize, and track emerging threats such as worms, denial of service attacks and network scanning activities. The IMS utilizes a large collection of distributed sensors that monitor blocks of globally routable unused address space. Because the blocks contain no active hosts, the traffic must be the result of misconfiguration, backscatter from spoofed source addresses, or scanning from worms and other probing.
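The following sketch is an added example, not code from this wiki or from any of the projects listed above. It sorts packets arriving in a dark prefix into the categories those projects describe (backscatter from spoofed sources, scanning, other) and lists sources that probed several dark addresses. The record format, the prefix 192.0.2.0/24 and the `min_targets` threshold are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter, defaultdict

DARK_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed dark prefix (RFC 5737)
BACKSCATTER_ICMP = {"echo-reply", "dest-unreachable", "time-exceeded"}

# Constructed sample records: (src, dst, proto, TCP flags or ICMP type)
SAMPLE = [
    ("198.51.100.7", "192.0.2.1", "tcp", "S"),
    ("198.51.100.7", "192.0.2.2", "tcp", "S"),
    ("198.51.100.7", "192.0.2.3", "tcp", "S"),
    ("203.0.113.9", "192.0.2.55", "tcp", "SA"),
    ("203.0.113.9", "192.0.2.200", "tcp", "RA"),
    ("203.0.113.20", "192.0.2.17", "icmp", "echo-reply"),
    ("198.51.100.30", "192.0.2.80", "udp", ""),
    ("198.51.100.7", "203.0.113.5", "tcp", "S"),  # outside the dark prefix
]

def classify(proto, detail):
    """Label one packet that arrived in the dark prefix."""
    if proto == "tcp":
        flags = set(detail)
        # SYN+ACK or RST is a reply: a victim answering a spoofed source.
        if "R" in flags or {"S", "A"} <= flags:
            return "backscatter"
        if flags == {"S"}:
            return "scan"  # unsolicited connection attempt
    elif proto == "icmp":
        if detail in BACKSCATTER_ICMP:
            return "backscatter"
        if detail == "echo-request":
            return "scan"
    return "other"  # e.g. UDP: could be a probe or a misconfiguration

def summarize(records, min_targets=3):
    """Count labels and list sources scanning >= min_targets dark addresses."""
    counts = Counter()
    targets = defaultdict(set)
    for src, dst, proto, detail in records:
        if ipaddress.ip_address(dst) not in DARK_NET:
            continue  # only traffic into the darknet is of interest
        label = classify(proto, detail)
        counts[label] += 1
        if label == "scan":
            targets[src].add(dst)
    scanners = sorted(s for s, d in targets.items() if len(d) >= min_targets)
    return dict(counts), scanners

if __name__ == "__main__":
    print(summarize(SAMPLE))
```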