The Dark Internet

Broadband customers, some military systems and people who are spammed or hacked are the most common victims of an online phenomenon researchers have dubbed “dark address space,” which leaves some 100 million Internet Web hosts completely unreachable from portions of the Internet.

For a variety of reasons, ranging from contract disputes among telecommunications network operators to simple misconfiguration of communications devices, over five percent of the Internet’s deliverable address space does not connect globally.

Isn’t the Internet supposed to be a 100% connected system?

Popular belief holds that the Internet represents a completely connected system. It turns out that’s just not true.

Anecdotal evidence has long hinted at the existence of dark address space, but researchers have just shed light on the subject by continuously gathering and analysing core “routing tables” for over three years. In the end, they found that for much of the Internet, the shortest path between two points doesn’t exist.

What causes dark address space?

The most common factors contributing to dark address space are: aggressive traffic filtering by network administrators seeking to ease the load on equipment, and accidental mis-configuration. Some military sites frequently fall into the shadow zone because they often occupy neglected ‘Milnet’ address blocks dating back to the Internet’s stone age. Just why broadband modem customers also top the list remains one of the great unsolved mysteries.

Murky Crime

Despite the large number of hosts that fall into the partitioned space, the phenomenon may not always be noticeable to average Internet users because most Internet consumers only use a tiny portion of the Net. It is suggested most people access only five or ten web sites on average.

In the course of monitoring, occasional fleeting glimpses were observed of another, more elusive routing anomaly, one that often comes with a more sinister explanation.

Blocks of Internet address space that are supposed to be unused sometimes briefly appear in the communications router systems, and are used to launch a cyber attack, or to send a flurry of unsolicited commercial email, before being withdrawn without a trace.

How can attackers and spammers gain access to these systems?

Dubbed “murky” address space, this works because of the fundamental insecurity of the Internet’s communications routing infrastructure. Under protocols developed during cyberspace’s age of innocence, if an Internet router claims that it owns a block of address space, the rest of the Internet will take it at its word and redirect all the traffic for that address block to it. You co-opt one router, and you can create whatever net-block you want and inject it into the global net.

How were these intrusions detected in the first place?

Network researchers went to the mail logs of an ISP and compared several thousand unique mail sources with “murky” addresses spotted in their monitoring. They found that some of those addresses sprang into existence shortly before sending the email, and then quickly vanished afterwards.

Because communications routers don’t normally log such activity, murky address space could hide the full range of antisocial or illegal network behaviour.
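
The comparison described above, sketched as an added example (not the researchers' own code): each mail source is checked against the announcement windows recorded for address blocks, and a source is flagged when its block was only briefly announced around the time the message arrived. The data, the function name classify and the six-hour lifetime threshold are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample data: documentation address ranges, invented timestamps.
# (prefix, first seen in routing table, withdrawn or None if still announced)
ROUTE_EVENTS = [
    ("198.51.100.0/24", "2024-03-01T02:10", "2024-03-01T02:55"),
    ("203.0.113.0/24", "2023-01-01T00:00", None),
]
# (time the message was received, connecting source address)
MAIL_LOG = [
    ("2024-03-01T02:20", "198.51.100.17"),
    ("2024-03-01T09:00", "198.51.100.17"),
    ("2024-03-01T02:30", "203.0.113.5"),
    ("2024-03-01T02:30", "192.0.2.9"),
]

def classify(mail_log, route_events, max_lifetime=timedelta(hours=6)):
    """Label each mail source 'murky', 'routed' or 'unrouted' at send time."""
    routes = []
    for prefix, start, end in route_events:
        routes.append((ipaddress.ip_network(prefix),
                       datetime.fromisoformat(start),
                       datetime.fromisoformat(end) if end else None))
    results = []
    for ts, src in mail_log:
        when, addr = datetime.fromisoformat(ts), ipaddress.ip_address(src)
        label = "unrouted"  # no covering announcement at send time
        for net, start, end in routes:
            if addr not in net or when < start or (end and when > end):
                continue
            # Covered at send time: a short-lived announcement is the suspicious case.
            short = end is not None and end - start <= max_lifetime
            label = "murky" if short else "routed"
            if short:
                break
        results.append((ts, src, label))
    return results

if __name__ == "__main__":
    for row in classify(MAIL_LOG, ROUTE_EVENTS):
        print(*row)
```

An "unrouted" result means no recorded announcement covered the source at that moment, which can also indicate gaps in the routing-table snapshots rather than anything about the sender.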

Is this going to be an ongoing problem?

In October, a report from Carnegie Mellon’s CERT Coordination Centre warned that hackers are increasingly compromising routers, and using them to launch denial of service attacks against Internet hosts.