I have searched the internet about creating a darknet and there is some confusion.

There are two definitions: the first one is a network used for private P2P (like Freenet), and the other refers to the "blank" IPs of a network and a way of protecting it by learning who is scanning those blank IPs.

I guess Tor and Freenet are darknets, but I want to create my own darknet. So is there a guide on how to create a darknet network on my own (the second definition), for the sake of network security testing?

  • Which of the definitions are you wanting to create? What are you trying to achieve, and what do you plan to use it for? A little more specificity will go a long way to getting a proper answer. – lynks Jan 16 '13 at 12:12
  • The definition I found says: Darknet - Noun - "A computer network with restricted access that is used chiefly for illegal peer-to-peer file sharing." So, @lynks has the question, what do you want? A P2P network or a network on which to try pen-testing. – Jeff Jan 16 '13 at 12:18
  • I am not interested in illegal peer-to-peer... I am not interested in the first definition. I am interested in the second definition: I want to create a network to try pen-testing. I also installed an IDS and a honeypot, so now I need a darknet, to increase security. – Jack Jan 16 '13 at 12:25
  • For darknet definition disambiguation, see also the answer to [Are darknets in the internet like Tor and i2p similar to darknets implemented for security like the CAIDA network telescope?](http://security.stackexchange.com/a/89075/32746). – WhiteWinterWolf Jan 02 '16 at 16:25

5 Answers


This answer is based on my personal experience building and participating in a number of darknets. I haven't interacted with them from a security perspective, but I have been involved heavily in one (Anonet) and helped found another (Underlink, which is now mostly defunct).

The most important thing to know about a darknet is the definition. My definition of a darknet is a private network with internet-like routing between peers, often on the infrastructure of the actual internet. This is not an all-encompassing definition, this is just the one I am most familiar with.

In practice, what you need to start a darknet are direct connections between machines. These machines will be peers. You can plug an ethernet cable from one computer to another (but usually the machines are hundreds of miles away), or you can set up point-to-point virtual tunnels (I have used quicktun, sigmavpn, and openvpn in the past).

Now that you have two machines directly connected, they need to do some kind of routing. The clients on your darknet are going to want to send packets to arbitrary IP addresses and expect them to get them. This is where your routing comes in. The darknets I have participated in typically use BGP routing. Each server interested in participating in routing typically gets its own ASN (e.g. AS3090). When two machines peer, there is now a connection between the two machines, and the BGP routing daemons you run will be configured to advertise it.

A sample network map will look like this (this is an old visual map of the actual BGP setup on Anonet6):

[Image: old visual map of ano6]

Each bubble represents a machine doing routing on Anonet. Typically each machine here would get a /24 (the above map is of ano6, but I'll use IPv4 terminology because it's the same idea), and be free to assign addresses inside that however it wanted; that machine would handle final routing for them.

So let's say that AS3090 (lex, in the middle) is a dedicated machine in some datacenter. All of my computers, though, connect to that server using some standard VPN software (OpenVPN, in this case), and are given addresses on AS3090's /24. If one of my machines connected to AS3090 wants to send a packet to a machine in AS31416 (far right of the map), it has a few simple options:

AS3090 (lex) -> AS1112 (UFO)     -> AS31416 (JCS)
AS3090 (lex) -> AS404 (chris)    -> AS31415 (JCS) -> AS31416 (JCS)
AS3090 (lex) -> AS404 (chris)    -> AS405 (chris) -> AS31416 (JCS)
AS3090 (lex) -> AS2323 (achedaz) -> AS1112 (UFO)  -> AS31416 (JCS)

(this is just a subset of possible paths)

This is all part of the BGP routing framework (fwiw, I used bird and bird6 to handle BGP routing advertisements, but there are many other programs that will do this; it's not necessary that peers use the same software, either).

The first path in my list is the shortest (in number of hops, not necessarily in terms of latency, since each hop could be, and often is, located on a different continent), so the packets will take that path there. The response packets may well take a different path back, but that's not important; as long as they get to the origin server, they can still talk.

The beauty of this setup is that it functions just like the real internet (in fact, core parts of the internet use BGP routing just like this). If AS3090 (lex) loses its connection with AS1112 (UFO), then the packets will automatically choose a different path to AS31416. It's redundant in this way.

This also makes darknets very good for anonymity. If I am AS12345 (dBZ, top middle), the only person on the entire network who knows my true IP (in the case of virtual tunnels over the internet; otherwise, this applies with direct connections or so) is my only peer, AS1 (r101). The rest only see my internal IP inside AS12345's subnet. For authorities, or anybody else, to find out AS12345's location/IP, they have to follow the chain of peers and break each one to find out who they're connecting with. This can be extremely expensive on large darknets, since peers often cross borders (in Anonet, we actually planned out to cross borders for additional anonymity).

This stuff is pretty easy once you understand it. The hard part in growing a network like this is that it's decentralized. Anonet split in half multiple times during its life. The peering between AS3090 (lex) and AS757 (Vutral) could break at any minute, and those two halves of Anonet would completely cease to be connected. But the people in each half would still be able to talk to each other. You can cut the darknet in half and it still survives.

But typing in a friend's IP address to access their services (websites, file sharing, whatever) isn't fun. You want DNS, right? Well, that requires some central authority to make sure nobody is infringing on each other's claims. On Anonet, the way we "solved" that was with something called "resdb": a git repo containing a set of claims. Anybody could make claims and commit changes. The key was to get others to accept your changes into their copy of the git repo. This meant that different people had different versions of the repo, so for some people a domain doesn't exist, for others it does, and for others it might exist but point somewhere completely different. (resdb contained a set of files and scripts to generate zone files for BIND and similar so that anyone could run their own DNS server for the ano. TLD).

But you don't just need DNS reservations to be unique. IP allocations should be unique, too. Wouldn't we all like to be If multiple people are using that, we get conflicts, which means that those go in resdb as well and you need to convince people to accept your claims. You also need to handle AS number reservations and a dozen other things that ICANN handles on the internet. It turns into a big mess and it's very hard to scale since there is no central authority which has the final say on reservations.

I hope this gave you a bit of an idea of what a darknet is. Again, this is not a full definition, it's just based on my experiences, and a lot of it isn't really relevant to your goal. I know, for example, that some people have attempted to create darknets by using consumer routers flashed with DD-WRT (to connect geographically close peers together) rather than using the existing infrastructure on the internet.

If you have any questions, please feel free to ask for clarification. I'm no expert, but I have played around with this stuff quite a bit just out of pure interest.

You can read more about Anonet here (some of the information is outdated, though).

  • A good write-up (+1 from me), although not necessarily what the OP wants. Think this answer deserves a separate question. – Deer Hunter Jan 18 '13 at 21:38
  • @DeerHunter I think you're right. I read the title (saw "darknet") and not much else in my excitement to finally have some experience to share. I'll post this as an answer on one of the other SEs and delete this response. – Tom Marthenal Jan 18 '13 at 22:12
  • No! Nothing prevents you from asking an Anonet question and providing this answer. This topic is relevant to Security SE; I know at least one person who'd add this Q/A to favorites. – Deer Hunter Jan 19 '13 at 05:33
  • I would agree with @DeerHunter, +1 – pnp Jan 19 '13 at 10:50
  • If you are wondering about the SE rules on asking/answering your own question, it is [explicitly encouraged](http://blog.stackoverflow.com/2011/07/its-ok-to-ask-and-answer-your-own-questions/) and has been since the start. As Deer Hunter says, this sort of content is relevant to security. –  Jan 19 '13 at 14:48
  • Thanks for the help. I started a new question and tried to expand my answer. You can see it [here](http://security.stackexchange.com/questions/29366/what-are-darknets-and-how-can-they-be-used-to-provide-security-and-anonymity-in). Please feel free to provide feedback or edit it directly. I haven't really posted a big write-up like this before. Thanks! – Tom Marthenal Jan 20 '13 at 07:19
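To make the routing part of the Anonet answer above concrete, here is an added example (not code from the answer, from Anonet, or from bird) that simulates BGP-style path-vector route selection over the peerings read off the example paths in that answer. The /24 assigned to each AS is a constructed placeholder, and the tie-break rule (shortest AS_PATH, then lowest next-hop ASN) is a simplification of the real BGP decision process; rerunning convergence after a link is removed stands in for the withdrawals a real daemon would send.

```python
"""Path-vector (BGP-style) route selection over the Anonet map from the answer.

Constructed example: peerings come from the paths listed in the answer; the
/24 per AS is a placeholder and the tie-break rule is a simplification.
"""

# Peerings (links) read off the example paths in the answer.
LINKS = {
    (3090, 1112), (1112, 31416),                # lex - UFO - JCS
    (3090, 404), (404, 31415), (31415, 31416),  # lex - chris - JCS
    (404, 405), (405, 31416),                   # chris - chris - JCS
    (3090, 2323), (2323, 1112),                 # lex - achedaz - UFO
}

# One /24 per AS, as in the answer. These addresses are constructed placeholders.
ASNS = sorted({asn for link in LINKS for asn in link})
PREFIXES = {asn: f"10.{i}.0.0/24" for i, asn in enumerate(ASNS)}


def converge(links, prefixes):
    """Advertise routes between peers until no AS changes its best path.

    Returns {asn: {prefix: as_path}}, where as_path starts at the local AS and
    ends at the origin, e.g. (3090, 1112, 31416).
    """
    neighbors = {asn: set() for asn in prefixes}
    for a, b in links:
        neighbors[a].add(b)
        neighbors[b].add(a)

    # Each AS originates its own prefix with a one-element AS_PATH.
    rib = {asn: {prefixes[asn]: (asn,)} for asn in prefixes}

    changed = True
    while changed:
        changed = False
        for asn in prefixes:
            for peer in neighbors[asn]:
                # A peer advertises its whole table; we prepend our own ASN.
                for prefix, path in rib[peer].items():
                    if asn in path:
                        # AS_PATH loop detection: never accept a path we are already on.
                        continue
                    candidate = (asn,) + path
                    current = rib[asn].get(prefix)
                    # Selection rule (assumed, simplified): shortest AS_PATH wins,
                    # ties go to the lowest next-hop ASN.
                    if current is None or (len(candidate), candidate) < (len(current), current):
                        rib[asn][prefix] = candidate
                        changed = True
    return rib


def best_path(rib, src, dst, prefixes=PREFIXES):
    """AS_PATH that src currently uses to reach dst's prefix (None if unreachable)."""
    return rib[src].get(prefixes[dst])


def without_link(links, a, b):
    """Topology after the peering between a and b goes down."""
    return {link for link in links if set(link) != {a, b}}


if __name__ == "__main__":
    rib = converge(LINKS, PREFIXES)
    print("lex -> JCS:", best_path(rib, 3090, 31416))
    # Drop the lex-UFO peering: traffic reroutes with no manual change.
    rib_down = converge(without_link(LINKS, 3090, 1112), PREFIXES)
    print("lex -> JCS with UFO link down:", best_path(rib_down, 3090, 31416))
```

With all links up, lex reaches JCS over the 3-hop path via UFO, matching the first path in the answer's list; once the lex-UFO peering is removed, the same selection rule picks one of the 4-hop alternatives without anyone reconfiguring anything, which is the redundancy the answer describes.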

This is what I think of when I hear "DarkNet" in a security context. In other places a DarkNet may be known as a Network Telescope.

It's a concept a little like a HoneyPot, except that where a HoneyPot will interact with the attackers, sending packets back and allowing TCP connections to form, a DarkNet will never let any packets back out. The purpose of a HoneyPot is to capture the exploit and/or the payload. The purpose of a DarkNet is to detect the sources of malicious traffic (by definition, all traffic entering a DarkNet is abnormal and suspect as being probably malicious).

They are often deployed purely on the internal side of a large (thousands of hosts), corporate network or a University network. If your organisation becomes infected with a worm that actively scans IP addresses looking for new hosts to infect, an internal DarkNet can often be the first trigger that alerts the Network Monitoring Team that there is a problem. Since there is so much traffic flowing around such a large network, running an IDS to analyse all that traffic becomes infeasible. No normal traffic should be sent to the DarkNet range of IP addresses so if any traffic is detected, that should trigger off an investigation of the host that sent the packets.

You can also deploy a DarkNet across external facing, publicly routable address space; however, unless you are a large organisation with more address space than it knows what to do with, it's unlikely you can afford such luxuries. IPv6 address space is more plentiful - so much so that scanning it looking for hosts is infeasible - and so rarely deployed that you are unlikely to find any malware that scans IPv6 addresses.

Since the usefulness of a DarkNet is primarily when you have a network so large that monitoring all the traffic is infeasible, creating one in a small-scale, simulated network is mostly only useful as a learning exercise. In your home or a small office network, running an IPS to monitor all traffic is feasible; however, there's no harm in setting aside a portion of your network address space in any sized environment to act as a DarkNet, as it has a low false positive rate.

There is a great deal of information in the Team Cymru link on the goals of a DarkNet, the software used and configuration of that software and the pitfalls you might run in to. CAIDA has a paper available here explaining the concept and showing some analysis of some captured events. The Internet Motion Sensor project appears to no longer be live but there is plenty of information about it on CiteSeer.

There are also a couple of anecdotes about the types of traffic you might see on a public facing DarkNet at https://darknetproject.org/ (On that site, you are redirected to https by default but the certificate expired 18 months ago.)

You explicitly do not need to create a darknet for the use case you describe.

What you want is a honeynet.

You want a network with restricted access? Just build a network at home and don't connect it to the internet.

In fact you don't even need a real network. You can do the whole thing virtually.

  • I need the darknet for a project at my university. I am studying security and I need to build a darknet; I cannot avoid it, that's why I am asking the question. – Jack Jan 16 '13 at 15:20
  • @Jack we still haven't pinned down exactly what you mean by `darknet`. The ToR hidden services are often referred to as a 'darknet', because all nodes are mutually-anonymous - is that what you have in mind? – lynks Jan 16 '13 at 16:05
  • http://www.team-cymru.org/Services/darknets.html this is what I am trying to make: a network where you allocate some IPs so you can know when an attacker is scanning your network. – Jack Jan 16 '13 at 17:46

What you need is a pentester lab.

Just search over Google and you'll find lot of tutorials.

Basically you have three options:

  • Your PC is the attacker against a virtual machine (or more). I don't recommend this unless you want your system full of related tools.
  • Your PC is simply the host. Then you install a minimum of two VMs (an attacker and a target). Configure them to be on the same network (you can include the host in the network or not). The best option: install BackTrack, for example, as the attacker.
  • And the last one, three VMs: an attacker, a server and a client connected to the server. This is the most realistic case, but the second option is better for starting out.

Darknet is private p2p. The second one is called darkspace.

Consider you have IP block x.x.x.0/24. You intentionally leave 5 IPs unallocated, and when a host sends packets to some of them (let's say at least 3/5), and to some other IPs in your block, then you can say that this host may be scanning my IP block, so I should be careful about that host.

If you want to search for the first thing, you are in the wrong place :)
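Both the network telescope answer earlier on this page and the darkspace answer just above come down to the same detection logic: nobody should be sending traffic to the unallocated addresses, so a source that does is suspect, and a source that touches several of them is almost certainly scanning the block. The following added example (not code from either answer, nor from Team Cymru or CAIDA) implements that check over constructed flow records in a made-up one-line-per-flow format. The 192.0.2.0/24 block, the five dark addresses .200 to .204 and the log lines are all constructed. With threshold 1 it behaves like a telescope (any packet is an alert); with threshold 3 it applies the "3 of 5" rule from the darkspace answer, and it also reports how many live addresses the same source touched, since the answer treats that as part of the scanning signature.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed flow records, "<time> <src> > <dst> <proto>/<dport>" per line.
# 192.0.2.0/24 is the monitored block; .200-.204 are deliberately left
# unallocated and form the darkspace. One malformed line is included on purpose.
SAMPLE_FLOWS = """\
2013-01-16T12:00:01 192.0.2.10 > 192.0.2.50 tcp/445
2013-01-16T12:00:01 192.0.2.10 > 192.0.2.200 tcp/445
2013-01-16T12:00:02 192.0.2.10 > 192.0.2.201 tcp/445
2013-01-16T12:00:02 192.0.2.10 > 192.0.2.51 tcp/445
2013-01-16T12:00:03 192.0.2.10 > 192.0.2.203 tcp/445
2013-01-16T12:00:05 192.0.2.20 > 192.0.2.50 tcp/80
2013-01-16T12:00:07 192.0.2.30 > 192.0.2.202 udp/161
this line is not a flow record and is skipped
"""

MONITORED = ipaddress.ip_network("192.0.2.0/24")
# The five intentionally unallocated addresses (constructed choice).
DARK_ADDRS = frozenset(ipaddress.ip_address(f"192.0.2.{host}") for host in range(200, 205))

FLOW_RE = re.compile(r"^(\S+) (\S+) > (\S+) ([a-z]+)/(\d+)$")


def parse_flows(text):
    """Turn the text log into (time, src, dst, proto, dport) tuples, skipping junk."""
    flows = []
    for line in text.splitlines():
        match = FLOW_RE.match(line.strip())
        if not match:
            continue  # malformed line: skip it rather than abort the whole run
        time, src, dst, proto, dport = match.groups()
        try:
            flows.append((time, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                          proto, int(dport)))
        except ValueError:
            continue  # unparseable address: treat like a malformed line
    return flows


def detect_scanners(flows, dark_addrs=DARK_ADDRS, threshold=3):
    """Sources that sent to at least `threshold` distinct dark addresses.

    threshold=1 is the network-telescope rule (any packet is suspect);
    threshold=3 with five dark addresses is the "3 of 5" rule from the answer.
    Returns {src: {"dark": [dark addresses hit], "live_targets": n}}.
    """
    dark_hits = defaultdict(set)
    live_hits = defaultdict(set)
    for _, src, dst, _, _ in flows:
        if dst in dark_addrs:
            dark_hits[src].add(dst)
        elif dst in MONITORED:
            live_hits[src].add(dst)
    return {
        str(src): {
            "dark": [str(d) for d in sorted(dsts)],
            "live_targets": len(live_hits[src]),
        }
        for src, dsts in dark_hits.items()
        if len(dsts) >= threshold
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for name, threshold in (("telescope (any hit)", 1), ("darkspace 3-of-5", 3)):
        print(name, detect_scanners(flows, threshold=threshold))
```

In the sample, 192.0.2.10 walks three of the five dark addresses along with two live hosts and is flagged under both rules, while 192.0.2.30, which sent a single SNMP packet to one dark address, only shows up in telescope mode. That single hit is exactly the case the telescope answer says should still trigger an investigation of the sending host, and the kind of thing a misconfigured monitoring box produces, which is why the darkspace answer's threshold exists.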

