Detecting Malicious and Blacklisted IP Addresses Through Daily Darknet Traffic Analysis

Not long ago, the world began to recognize the importance and potential dangers of various types of network vulnerabilities. Cybercriminals can exploit these vulnerabilities to obtain confidential and personal information from the average web user’s computer. As a result, researchers have recently started to closely examine what countermeasures can be developed to address different network vulnerability issues.

A recently published paper proposed using darknet traffic to detect “blacklisted” IP addresses—those used by attackers to spread spam and malware. The researchers collected 8,192 IP addresses within the darknet and then monitored the traffic associated with these IPs for one month. In this article, we’ll look at the method proposed by the authors and how it can help minimize threats affecting vulnerable networks.

Proposed Process for Identifying Blacklisted IPs

Before diving into the proposed process, it’s important to understand the different types of “darknet packets” collected during the experiment. The collected packets were mainly real attack packets, scanning packets, and misconfiguration packets. Scanning packets are used for preliminary reconnaissance before actual attacks. Misconfiguration packets represent various data management errors that occur during network interactions.

Darknet information consists of several elements:

• Source IP address and port
• Destination IP address and port
• Payload (the actual data transmitted)
• Event timestamp, and more

The method proposed by the authors focuses on the source IP addresses found in the collected darknet data packets. The researchers selected the top 10 IP addresses from the daily collected data. Whenever the number of incoming packets associated with a source IP address increases, the likelihood of malicious activity rises.

The diagram below (not included) illustrates the proposed process for detecting blacklisted IP addresses, which relies on a service called “VirusTotal.”

• VirusTotal can provide scan results from almost any antivirus solution.
• 1) The top 10 IP addresses are analyzed using VirusTotal to determine if they are malicious.
• 2) The next step is to compare the packets collected via VirusTotal with those collected on any other random day.

Ultimately, if the day the source IP addresses were collected predates the day they were flagged by VirusTotal, then malicious IP addresses can be identified early through darknet monitoring.

Experimental Results

The proposed experimental process collected 8,192 destination IP addresses in the darknet and the associated darknet traffic in August 2016. This resulted in the collection of 277,002,257 darknet data packets and 8,392,962 source IP addresses. The chart below (not included) shows the total number of malicious IP addresses compared to monthly recurring IP addresses.

The experiment revealed a daily count of 142 recurring IP addresses. Additionally, a total of 34 monthly recurring IP addresses were identified. Thus, the results of the experiment may vary depending on the monitoring period and the number of source IP addresses.

The detection results for malicious IP addresses were obtained by analyzing fresh URLs, monitoring files downloaded from these IP addresses, and tracking the latest files that interacted with these specific IPs, among other methods.

This study presents a practical analysis and classification using darknet information, despite the fact that analyzing darknet data packets is a rather complex task. The proposed process relied on analyzing top-level domain IP addresses to detect blacklisted or malicious IPs. The experimental results showed that longer monitoring periods yield more accurate results. The researchers recommended repeating the experiment over longer periods (a week, a month, etc.) to improve the effectiveness and accuracy of the results, which can help in building more advanced management systems.