Darknet Events Report

LAST UPDATED: 2022-06-26

This report records observed traffic to darknet networks.

Darknets (also known as network telescopes) are unused sets of IP addresses, which in theory should observe no traffic. In practice, however, a lot of traffic reaches such networks through activities such as Internet scanning, malware propagation, or backscatter from spoofed DDoS events – meaning that these network packets can often be immediately classified as suspicious or malicious. In this way, darknets serve a similar type of function as honeypot listeners, only simpler. Additional packet fingerprinting measures can be employed to attribute tools or malware sending out such packets.

You can learn more on the report in our Darknet Events Report tutorial.

You can learn more on our reports in general in our Overview of Free Public Benefit Shadowserver Reports presentation, which also explains example Use Cases.

File name: event4_honeypot_darknet

This report type was created as part of the EU Horizon 2020 SISSDEN Project.

Fields

timestamp

Timestamp when the IP was seen in UTC+0
protocol

Packet type of the connection traffic (UDP/TCP)
src_ip

The IP of the device in question
src_port

Source port of the IP connection
src_asn

ASN of the source IP
src_geo

Country of the source IP
src_region

Region of the source IP
src_city

City of the source IP
src_hostname

Reverse DNS of the source IP
src_naics

North American Industry Classification System Code
src_sector

Sector to which the IP in question belongs; e.g. Communications, Commercial
device_vendor

Source device vendor
device_type

Source device type
device_model

Source device model
dst_ip

Destination IP
dst_port

Destination port of the IP connection
dst_asn

ASN of the destination IP
dst_geo

Country of the destination IP
dst_region

Region of the destination IP
dst_city

City of the destination IP
dst_hostname

Reverse DNS of the destination IP
dst_naics

North American Industry Classification System Code
dst_sector

Sector to which the IP in question belongs; e.g. Communications, Commercial
public_source

Source of the event data
infection

Description of the malware/infection
family

Malware family or campaign associated with the event
tag

Event attributes
application

Application name associated with the event
version

Software version associated with the event
event_id

Unique identifier assigned to the source IP or event
count

Packet count if recorded

Sample

"timestamp","protocol","src_ip","src_port","src_asn","src_geo","src_region","src_city","src_hostname","src_naics","src_sector","device_vendor","device_type","device_model","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","count"
"2021-03-07 00:00:00","tcp","61.3.x.x",4717,9829,"IN","KERALA","CHENGANNUR",,518210,,,,,,23,,,,,,,,,"mirai",,"mirai",,,,
"2021-03-07 00:00:00","tcp","211.218.x.x",4405,4766,"KR","GANGWON-DO","PYEONGCHANG-EUP",,517311,,,,,,23,,,,,,,,,"mirai",,"mirai",,,,
"2021-03-07 00:00:00","tcp","45.225.x.x",59777,266915,"BR","BAHIA","VITORIA DA CONQUISTA","static-45-225-x-x.example.net",,,,,,,23,,,,,,,,,"mirai",,"mirai",,,,
"2021-03-07 00:00:00","tcp","125.122.x.x",8460,4134,"CN","ZHEJIANG SHENG","HANGZHOU",,517311,,,,,,23,,,,,,,,,"mirai",,"mirai",,,,
"2021-03-07 00:00:00","tcp","219.77.x.x",21867,4760,"HK","HONG KONG","HONG KONG","n219077092196.example.com",517311,,,,,,5555,,,,,,,,,"mirai",,"mirai",,,,
"2021-03-07 00:00:00","tcp","24.137.x.x",4680,14638,"PR","PUERTO RICO","SAN JUAN","dynamic.libertypr.net",,,,,,,5555,,,,,,,,,"mirai",,"mirai",,,,
"2021-03-07 00:00:00","tcp","119.182.x.x",13175,4837,"CN","SHANDONG SHENG","JINING",,517311,,,,,,23,,,,,,,,,"mirai",,"mirai",,,,
"2021-03-07 00:00:00","tcp","27.198.x.x",56133,4837,"CN","SHANDONG SHENG","JINAN",,517311,,,,,,23,,,,,,,,,"mirai",,"mirai",,,,

Our 130 Report Types

« Back to Network Reporting