A Statistical Packet Inspection for Extraction of Spoofed IP Packets on Darknet

msra

Citations: 24 | Views: 1
Abstract
A darknet is a set of unused IP addresses, and monitoring it is a good way to observe network attacks such as malware scans. Traffic arriving at the darknet, however, includes some attack traffic carried in spoofed IP packets, which may confuse the engines that analyze the monitored traffic. It is therefore important to separate spoofed IP packets from the rest of the darknet traffic in order to obtain accurate analysis results. In this paper, we propose an inspection method that focuses on the Time To Live (TTL) field of each packet in order to statistically extract spoofed IP packets from the whole traffic observed by the darknet. By means of the proposed inspection method, we will provide an efficient and effective engine for analyzing network attacks observed on the darknet. Through a practical evaluation, we have found that spoofed packets account for at most 1.26% of the darknet traffic, which supports the accuracy of incident analysis with darknet monitoring.
Keywords
darknet, spoofed IP packets, standard deviation, TTL