Darknets provoke both admiration and contempt. These shady networks exploit the infrastructure of the Internet but stand apart from it. To some, they are a means of achieving freedom on the net - from surveillance or control. To others, they are the chosen mechanism of criminals, terrorists and paedophiles. In truth, they are all these things.
The term ‘darknet' gained traction after Microsoft researchers Peter Biddle, Paul England, Marcus Peinado and Bryan Willman gave a paper at the 2002 ACM Workshop on Digital Rights Management.1 This was a largely conceptual document, but debate about - and indeed, use of - darknets in the intervening years hasn't refined the definition much. In fact, ‘darknet' is used as a term to cover a variety of technologies and practices. These include what others might term the ‘deep web', consisting of unindexed web pages that you can find only by knowing about them.
Most commonly, however, true darknets have some key characteristics:
* They are decentralised, using peer-to-peer technology - most commonly for file sharing.
* They use the infrastructure of the Internet for their traffic and connections.
* They use non-standard protocols and ports - in that way, they operate apart from the common Internet. Outsiders are kept out not by any property of the network itself but by lacking the client software, the addresses of the peers or, where the network is closed, the credentials needed to join.
Dark and not so dark
There are many systems that satisfy some of these conditions, but which don't quite qualify. "The most widespread file-sharing networks, such as Kazaa, are not true darknets since peers will communicate with anyone else on the network," says Peter Wood, member of the ISACA Conference Committee and founder of First Base Technologies.
Skype is effectively a closed network, using its own ports and protocols where each client communicates only with other Skype clients. And with its peer-to-peer file sharing capabilities, some people delight in calling Skype a darknet. But as anyone can join - and millions are using it at any given time - there's not much about it that's dark.
The darknets of popular legend tend to be somewhat more exclusive, perhaps none more so than the US military's Secret Internet Protocol Router Network (SIPRNet, pronounced ‘sippernet'). Although it uses Internet protocols - TCP/IP, HTTP and so on - this network of networks, which carries classified material up to ‘secret' level, is kept isolated from the public Internet: there is no gateway between the two. The US also has its Nonsecure Internet Protocol Router Network (NIPRNet) for unclassified material and to provide a gateway from military systems to the public Internet. NIPRNet also occasionally serves as a backbone for SIPRNet material, which is encrypted before it touches the NIPRNet infrastructure and tunnelled across it (so-called ‘SIPR over NIPR'). The separation, in other words, is enforced by cryptography and policy rather than by a strict physical air gap.
Public Internet
Of course, the US military has the resources to create its own, independent physical infrastructure. The rest of us - whether our intentions are good or bad - have to use the public Internet.
There are some well-known darknets, such as the Freenet Project.2 Anyone can load Freenet software on their machine to become a node on the network, allocating disk space and bandwidth. It's widely used for file-sharing including, it's often alleged, porn of various shades of illegality and the kinds of documents that might make you fall foul of the UK's new anti-terrorism laws. The fragments a node stores are encrypted, and the decryption key travels with the file's address rather than sitting on the node, so an operator caught hosting dubious material can argue that they neither knew what it was nor could have read it. That defence is currently untested, and in the UK it would run up against the Regulation of Investigatory Powers Act 2000, whose Part III compels the disclosure of encryption keys a person holds; how far a Freenet node's operator can be said to hold the keys to its contents is exactly what a court would have to decide.
File sharing is arguably the biggest use of darknets. The P2P sharing of music and even TV channels made available by the likes of Sopcast.com, Justin.tv and Zattoo.com show just how popular, and overt, this has become. And ISPs sometimes despair over the amount of bandwidth consumed by BitTorrent traffic.
The popular protocols and packages constitute a big chunk of what many would describe as darknets. However, the truly dark regions are custom-built. Indeed, the authors of the 2002 Microsoft paper envisaged students hacking away at instant messaging clients to provide peer-to-peer file sharing around their dorms. With the advent of tools such as BitTorrent (which is open source) and protocols like WASTE and Gnutella, building your own P2P client has become much easier.3 But who is actually using these darknets?
Who's using them?
"It's an enormous array of different networks and actors," says Eli Jellenç, who manages the international cyber-intelligence team at iDefense. He points to military users and the peer-to-peer, file-sharing and copyright-infringing community. But it's more than that. "There are dual-use networks, like BitTorrent, with combinations of media that are free to share and copyrighted material. And in countries that are under heavy censorship regimes, for example in the Middle East, China and so on, there are similarly designed darknets for dissidents, or people who just don't enjoy being monitored."
Above all, he says, you have the criminal underground. Cyber-criminals use darknets for exchanging information, and transferring and storing data, such as stolen credit card details and aggregated data used for ID theft data-mining.
"A lot of hackers are also simply stockpiling information," says Neil O'Neil, principal digital forensics investigator and ethical hacker at the Logic Group. "Let's say I want to break into a system, and it's one I don't know too much about, like an old ICL mainframe. I'll go out to my hacking community and someone will have, in their reference library, an admin manual."
Each member of this loose-knit community stores information and documents regardless of whether it's of interest to them personally, he says, because one day someone might need it.
But there isn't one big darknet. "The cybercrime underground worldwide is not a uniformly interconnected network," says Jellenç. "It's mainly broken down by language groups. For example, the interconnections between the Brazilian cyber-criminal sites are far more dense than those between that language group and other language groups. Similarly, russophone cyber-criminals interact far more with each other than with other language groups. There are some important connections between them, generally through English-language networks, but it just doesn't add up to a truly interconnected cybercrime underground."
Software and algorithms
Each darknet may use its own client software and encryption algorithms. Where the users run their own servers, those are reached by IP address rather than by hostname, so they leave nothing in DNS for an investigator to find.
In many cases, criminal groups will hack into other people's servers to use spare capacity for storing files, using SSH tunnels so that the transfers are encrypted and, to anyone watching the wire, look like routine administrative sessions. IP addresses, passwords and encryption keys are either passed hand to hand among trusted people, or may be transmitted, encrypted, over SMS or instant messaging - both channels where there is little logging of messages - or through throw-away email accounts.
Criminals are making greater use of encryption. "We've seen it increase, especially in the past two or three years," says Jellenç. "This is because law enforcement and public sector researchers such as ourselves are growing better at finding these locations. So their security through obscurity wasn't proving enough. For example, we could find examples of their malicious code and follow it back to the command and control servers."
Some groups will make use of common tools such as PGP. But they also employ tailormade encryption systems that are available via hacking forums. They're not usually as strong, but they're good enough and have the benefit of fast key generation.
Jellenç estimates that there are 1,000-5,000 important criminal darknets globally. "I realise that's an enormous range," he says, "but it's fluctuating and growing rapidly." Often they're only needed for a short while because the compromised servers, or even entire darknets, may have only a short life as they are used for a specific purpose or are discovered. "Every year there'll be a major law enforcement operation that's been under development for a couple of years which throws the whole community into disarray for a while," Jellenç adds.
Protecting yourself
From the point of view of an information security professional with responsibility for an organisation's network, it may sound as though all this is happening ‘out there', with no real impact on your own systems. And, by and large, that's true.
The dangers lie in one of your employees firing up a file-sharing client or, more seriously, one of your servers becoming compromised, either hacked directly or as part of a botnet.
A tightly configured corporate firewall - one that denies outbound connections by default and permits only the ports and destinations the business actually needs - should stop packets leaving over non-standard ports, and protocol inspection can spot traffic that doesn't look like what its port implies. But life isn't always that simple.
"That will eliminate many of the more simplistic, more widespread attempts," says Jellenç. "It will eliminate a great deal of the danger. However, at the high end of sophistication, there are groups who are pretty good at tricking the firewall and slipping through as legitimate traffic." For example, he says, they may tunnel data through commonly used ports. And the use of encryption may make dubious packets hard to spot.
The situation is made more complex by the number of ports that are used legitimately these days. The trend was set by Microsoft's NetMeeting. Now there are many applications that require open ports to the Internet, and some use dynamic port ranges. It all makes for huge complexity when writing and maintaining firewall rules. And, let's be honest, not every network admin is a genius when it comes to these rules. Poorly written and inadequately monitored firewall rulesets are a prime source of corporate insecurity.
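The three symptoms this section describes - traffic leaving over ports the policy doesn't allow, a known protocol tunnelled through a port where a different one belongs (SSH on 443 is the classic), and encrypted bulk transfers that hide on a permitted web port - can all be checked for in connection logs even when the firewall lets the packets through. The following Python is an added example, not code from the article or from anyone quoted in it. It runs those checks over a handful of constructed Zeek-style conn.log records (a simplified column subset; Zeek's `service` field is the protocol its analysers recognised, `-` when none did). The egress allow-list, the internal address ranges and the tunnel thresholds are assumptions standing in for a real site's policy.

```python
"""Egress checks over Zeek-style conn.log records (added example).

Flags (1) outbound connections to ports the egress policy does not permit,
(2) a recognised application protocol that does not match the destination
port (e.g. SSH where TLS is expected), and (3) long, heavy flows on a
permitted port whose protocol the analysers could not identify, the shape an
encrypted tunnel through port 80 or 443 tends to take.  Log lines, policy and
thresholds are constructed for the example, not taken from a real network.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical egress policy: outbound traffic only to these ports.
ALLOWED_EGRESS_PORTS = {53, 80, 443}

# Zeek service labels expected on well-known ports ("ssl" covers TLS).
EXPECTED_SERVICE = {22: {"ssh"}, 53: {"dns"}, 80: {"http"}, 443: {"ssl"}}

# The organisation's own ranges (assumed RFC 1918); anything else is outside.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Tunnel heuristic: at least an hour and 50 MiB with no recognised protocol.
TUNNEL_MIN_SECONDS = 3600
TUNNEL_MIN_BYTES = 50 * 1024 * 1024

# Column order of the simplified conn.log used here.
FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes")


@dataclass
class Conn:
    uid: str
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str
    services: frozenset   # empty when Zeek logged "-" (unidentified)
    duration: float
    total_bytes: int


def _num(value, cast):
    """Zeek writes '-' for unset numeric fields; treat those as zero."""
    return cast(value) if value != "-" else cast(0)


def parse_conn_log(text):
    """Parse tab-separated records into Conn objects, skipping comments."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = dict(zip(FIELDS, line.split("\t")))
        services = frozenset(s for s in f["service"].split(",") if s and s != "-")
        conns.append(Conn(
            uid=f["uid"], orig_h=f["orig_h"], resp_h=f["resp_h"],
            resp_p=int(f["resp_p"]), proto=f["proto"], services=services,
            duration=_num(f["duration"], float),
            total_bytes=_num(f["orig_bytes"], int) + _num(f["resp_bytes"], int)))
    return conns


def is_internal(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def check_egress(conns):
    """Return (uid, reason) for every inside->outside flow that breaks a rule."""
    findings = []
    for c in conns:
        if not is_internal(c.orig_h) or is_internal(c.resp_h):
            continue  # only traffic leaving the organisation is of interest
        port = c.resp_p
        if port not in ALLOWED_EGRESS_PORTS:
            findings.append((c.uid, f"egress to non-standard port {port}"))
        expected = EXPECTED_SERVICE.get(port)
        if expected and c.services and not (c.services & expected):
            findings.append((c.uid, f"{'/'.join(sorted(c.services))} on port {port}, "
                                    f"expected {'/'.join(sorted(expected))}"))
        if (port in ALLOWED_EGRESS_PORTS and not c.services
                and c.duration >= TUNNEL_MIN_SECONDS
                and c.total_bytes >= TUNNEL_MIN_BYTES):
            findings.append((c.uid, f"long unidentified flow on port {port}: possible tunnel"))
    return findings


# Constructed sample: ts uid orig_h orig_p resp_h resp_p proto service duration orig_bytes resp_bytes
SAMPLE_LOG = "\n".join("\t".join(r) for r in [
    ("1.0", "C1", "10.0.0.5",  "51000", "93.184.216.34", "443",  "tcp", "ssl",      "12.1",   "2400",      "18000"),
    ("2.0", "C2", "10.0.0.5",  "51001", "10.0.0.1",      "53",   "udp", "dns",      "0.02",   "60",        "120"),
    ("3.0", "C3", "10.0.0.7",  "51002", "198.51.100.20", "6881", "tcp", "-",        "900.0",  "4000000",   "75000000"),
    ("4.0", "C4", "10.0.0.9",  "51003", "203.0.113.8",   "443",  "tcp", "ssh",      "3500.0", "900000",    "4000000"),
    ("5.0", "C5", "10.0.0.9",  "51004", "203.0.113.8",   "80",   "tcp", "-",        "7200.0", "524288000", "3000000"),
    ("6.0", "C6", "10.0.0.11", "51005", "192.0.2.44",    "22",   "tcp", "ssh",      "30.0",   "5000",      "8000"),
    ("7.0", "C7", "10.0.0.11", "51006", "203.0.113.9",   "443",  "tcp", "ssl,http", "5.0",    "1000",      "3000"),
])

if __name__ == "__main__":
    for uid, reason in check_egress(parse_conn_log(SAMPLE_LOG)):
        print(uid, reason)
```

On the sample, the TLS session on 443 and the internal DNS lookup pass; the unidentified flow to port 6881 and the SSH session to port 22 fail the allow-list; SSH on 443 is flagged as a protocol/port mismatch; and the two-hour, half-gigabyte flow on port 80 that no analyser could name is reported as a possible tunnel. Note that the internal ranges are listed explicitly rather than taken from `ipaddress.ip_address(...).is_private`, because that property also returns true for the documentation ranges (192.0.2.0/24 and friends) and would silently hide the test addresses used here.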
Fighting crime
The good news is that greater awareness of cybersecurity is having an effect. According to Jellenç, the use of hacked corporate servers as storage space is becoming less common - at least in the developed world. The criminals are now looking elsewhere.
It's difficult to find and monitor darknet activity through technical means. So how do the authorities find the bad guys?
"Through participation in the global criminal forums," says Jellenç. These forums attract a lot of beginners and the lower echelons of the cybercrime world, he says. They're also the hangout of many criminal groups in Eastern Europe and Asia because the forums provide easy business opportunities and they have reason to believe there's very little chance of them getting caught. "Law enforcement can get a foothold in these forums," says Jellenç. Once they've built trust, they can get access to the shadier, more sophisticated groups. Law enforcement agents also follow the money, through co-operation with financial institutions. In other words, it's all classic police work, rather than technological wizardry.
Just a technology
One shouldn't go away thinking that darknets are all about crime, however. In times of oppressive government regimes, they are a conduit for free speech. Used wisely, and with the proper respect for intellectual property, they can help share information and spread culture.
Darknets are just a technology. It's what you do with them that counts.
References
1. 'The Darknet and the Future of Content Distribution', Peter Biddle, Paul England, Marcus Peinado, and Bryan Willman, Microsoft Corporation, 2002. http://www.bearcave.com/misl/misl_tech/msdrm/darknet.htm
2. The Freenet Project: http://freenetproject.org
3. Gnutella: http://www.gnu.org/philosophy/gnutella.html