Can Blocklists Explain Darknet Traffic?

Ravalico, Damiano; Valentim, Rodolfo; Trevisan, Martino; Drago, Idilio
2024
  • conference object

Abstract
Darknets are IP addresses that function as passive probes, recording all received packets without hosting any service. Because the traffic they capture is unsolicited, darknets act as “network telescopes”. Traces collected on darknets aggregate multiple events useful for cybersecurity, such as network scans and exploit attempts. Yet the mix of heterogeneous events observed from darknets poses significant challenges to those who must understand darknet traffic. Here we address the question of whether new darknet deployments provide novel and useful information when compared to public blocklists. Multiple Cyber Threat Intelligence (CTI) sources publish lists of IP addresses that perform malicious activities, from simple automated scans to SPAM and phishing campaigns. They represent a valuable resource for network administrators, helping to block cyberattacks. Built from a combination of multiple sensors, including darknets and honeypots, these lists could explain the traffic seen on other darknets, thus simplifying the search for relevant events in independent darknet deployments. We thus investigate to what extent open blocklists explain darknet traffic. By crawling hundreds of CTI sources providing blocklists, we first observe that these lists are often incomplete or slowly updated. Traffic seen in our darknet deployment is hardly explained by the blocklists, even when considering only the most prominent scan attempts and ignoring events such as backscatter. Our preliminary results suggest that blocklists can be of great use for seeding the explanation of darknet traffic, by giving context for the activity of a few IP addresses. Yet more addresses with similar behaviour are observed in the darknet and could be used to enrich and complement the blocklists.
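The measurement the abstract describes (filter out backscatter, keep the prominent scanners, ask which of them a blocklist explains, flag the rest as enrichment candidates, and check how fresh each list is) can be sketched in a few lines. The block below is an added illustration written for this page, not the authors' code or data: the packet records, the two blocklists, the refresh dates, the `min_ports` scanner threshold and the function names are all constructed assumptions, and the flag-based backscatter rule is a deliberate simplification of what a real darknet pipeline does.

```python
"""Constructed toy version of the blocklist-coverage question: which darknet
sources are explained by public blocklists, and which look like scanners but
are not listed?  Hypothetical data and function names; not the paper's code."""
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed darknet capture: (source IP, destination port, TCP flags).
# "S" = bare SYN (a probe); "SA"/"R" = replies to spoofed traffic, i.e. backscatter.
DARKNET_PACKETS = [
    ("198.51.100.7", 22, "S"), ("198.51.100.7", 23, "S"), ("198.51.100.7", 80, "S"),
    ("198.51.100.7", 443, "S"), ("198.51.100.7", 8080, "S"),
    ("203.0.113.42", 3389, "S"), ("203.0.113.42", 445, "S"),
    ("203.0.113.42", 22, "S"), ("203.0.113.42", 1433, "S"),
    ("192.0.2.9", 22, "S"), ("192.0.2.9", 22, "S"), ("192.0.2.9", 22, "S"),
    ("192.0.2.77", 80, "S"), ("192.0.2.77", 443, "S"),
    ("198.51.100.200", 80, "SA"), ("198.51.100.200", 80, "SA"), ("198.51.100.200", 80, "SA"),
    ("203.0.113.99", 443, "R"), ("203.0.113.99", 443, "R"),
]

# Constructed blocklists in the usual one-entry-per-line text form (IPs or CIDRs,
# '#' comments), plus the date each list was last refreshed (hypothetical).
BLOCKLIST_TEXT = {
    "listA": "# constructed scanner list\n198.51.100.0/24\n192.0.2.77\n",
    "listB": "10.0.0.0/8  # private range, never seen on the darknet\n192.0.2.77\n",
}
LAST_UPDATED = {"listA": date(2024, 3, 9), "listB": date(2024, 2, 20)}
CAPTURE_DAY = date(2024, 3, 10)


def parse_blocklist(text):
    """Turn a raw blocklist into ip_network objects, ignoring comments and blank lines."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def classify_sources(packets, min_ports=3):
    """Drop backscatter, then keep sources that SYN-probe >= min_ports distinct ports.
    Returns (scanners: src -> set of ports, number of backscatter packets ignored)."""
    ports = defaultdict(set)
    backscatter = 0
    for src, dport, flags in packets:
        if flags != "S":          # not a bare SYN: reply traffic, not a probe
            backscatter += 1
            continue
        ports[src].add(dport)
    scanners = {src: p for src, p in ports.items() if len(p) >= min_ports}
    return scanners, backscatter


def explain_with_blocklists(scanners, blocklists):
    """Match each scanner against every list. Returns (listed: src -> [list names],
    unlisted: [src], coverage = listed scanners / all scanners)."""
    listed, unlisted = {}, []
    for src in scanners:
        ip = ipaddress.ip_address(src)
        hits = [name for name, nets in blocklists.items() if any(ip in n for n in nets)]
        if hits:
            listed[src] = hits
        else:
            unlisted.append(src)          # same behaviour as listed scanners, no context from CTI
    coverage = len(listed) / len(scanners) if scanners else 0.0
    return listed, unlisted, coverage


def stale_lists(last_updated, capture_day, max_age_days=7):
    """Names of lists whose last refresh is older than max_age_days at capture time."""
    return sorted(n for n, d in last_updated.items() if (capture_day - d).days > max_age_days)


if __name__ == "__main__":
    lists = {name: parse_blocklist(text) for name, text in BLOCKLIST_TEXT.items()}
    scanners, backscatter = classify_sources(DARKNET_PACKETS)
    listed, unlisted, coverage = explain_with_blocklists(scanners, lists)
    print(f"backscatter packets ignored: {backscatter}")
    print(f"scanners explained by blocklists: {coverage:.0%} -> {listed}")
    print(f"unlisted scanners (blocklist enrichment candidates): {unlisted}")
    print(f"stale lists at {CAPTURE_DAY}: {stale_lists(LAST_UPDATED, CAPTURE_DAY)}")
```

On this constructed data only one of the two scanners is covered, and the uncovered one (`203.0.113.42`) probes the same kind of service ports as the listed one, which is exactly the "similar behaviour, not in the lists" situation the abstract points to; the freshness check separately surfaces the list that has not been refreshed in weeks.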
DOI
10.23919/tma62044.2024.10558914
WOS
WOS:001258591000002
Archive
https://hdl.handle.net/11368/3079158
Scopus: 2-s2.0-85197893501
https://ieeexplore.ieee.org/abstract/document/10558914
Rights
closed access
license: publisher copyright
license uri: iris.pri02
FVG url (request a copy)
https://arts.units.it/request-item?handle=11368/3079158
Subjects
  • Darknet
  • Blocklist
  • cybersecurity