DOCSLIB.ORG

Attacks Landscape in the Dark Side of the Web

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Attacks Landscape in the Dark Side of the Web Onur Catakoglu Marco Balduzzi Davide Balzarotti Eurecom & Monaco Digital Trend Micro Research Eurecom Security Agency marco [email protected] [email protected] [email protected] ABSTRACT Area Impact Better in The Dark Web is known as the part of the Internet oper- Attack Identification Results Surface Web ated by decentralized and anonymous-preserving protocols Service Advertisement Operation Surface Web like Tor. To date, the research community has focused on Stealthiness Deployment Dark Web understanding the size and characteristics of the Dark Web Operational Costs Deployment Dark Web and the services and goods that are offered in its under- Collected Data Operation Surface Web ground markets. However, little is still known about the attacks landscape in the Dark Web. Table 1: Advantages and Disadvantages of Operat- For the traditional Web, it is now well understood how ing a High-Interaction honeypot in the Dark Web websites are exploited, as well as the important role played by Google Dorks and automated attack bots to form some sort of \background attack noise" to which public websites in marketplaces, money laundering, and assassination [12]. are exposed. Moreover, Tor has been reported to be leveraged in host- This paper tries to understand if these basic concepts and ing malware [18], and operating resilient botnets [9]. While, components have a parallel in the Dark Web. In particular, to a certain extent, these studies have shown how the Dark by deploying a high interaction honeypot in the Tor network Web is used to conduct such activities, it is still unclear if for a period of seven months, we conducted a measurement and how miscreants are explicitly conducting attacks against study of the type of attacks and of the attackers behavior hidden services, like a web application running within the that affect this still relatively unknown corner of the Web. Tor network. While web attacks, or attacks against exposed services on the Internet are common knowledge and have been largely studied by the research community [10, 11, 22], 1. INTRODUCTION no previous work has been conducted to investigate the vol- Based on the accessibility of its pages, the Web can be ume and nature of attacks in the Dark Web. divided in three parts: the Surface Web { which covers ev- To this extend, in this work we discuss the deployment of erything that can be located through a search engine; the a high-interaction honeypot within the Dark Web to collect Deep Web { which contains the pages that are not reached evidence of attacks against its services. In particular, we by search engine crawlers (for example because they require focus our study on web applications to try to identify how a registration); and the more recent Dark Web { which is attackers exploit them (without a search engine for localiza- dedicated to websites that are operated over a different in- tion) and what their purpose is after a service has been com- frastructure to guarantee their anonymity, and that often promised. Our preliminary measurement casts some light on require specific software to be accessed. the attackers' behavior and shows some interesting phenom- The most famous\neighborhood"of the Dark Web is oper- ena, including the fact that the vast majority of incoming ated over the Tor network, whose protocols guarantee anony- attacks are unintentional (in the sense that they were not mity and privacy of both peers in a communication, making targeted against Dark Web services) scattered attacks per- users and operators of (hidden) services in the Dark Web formed by automated scripts that reach the application from more resilient to identification and monitoring. the Surface Web through Tor2web proxies. As such, over the last years, miscreants and dealers in gen- eral have started to adopt the Dark Web as a valid platform to conduct their activities, including trading of illegal goods 2. HONEYPOT IN THE DARK WEB In this section, we discuss the main differences, in terms of Permission to make digital or hard copies of all or part of this work for personal or advantages and disadvantages, between deploying and main- classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation taining a honeypot in the Surface Web versus operating a on the first page. Copyrights for components of this work owned by others than the similar infrastructure in the Tor network. author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or In fact, the anonymity provided by Tor introduces a num- republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. ber of important differences. Some are positives, and make SAC 2017, April 03 - 07, 2017, Marrakech, Morocco the infrastructure easier to maintain for researchers. Some are instead negative, and introduce new challenges in the c 2017 Copyright held by the owner/author(s). Publication rights licensed to ACM. ISBN 978-1-4503-4486-9/17/04. $15.00 honeypot setup and in the analysis of the collected data. DOI: http://dx.doi.org/10.1145/3019612.3019796 Table1 summarizes the five main differences between the two environments, mentioning their impact (on the deploy- tract attackers by simply placing some keywords or specific ment, operation, or on the results collected by the honeypot) files as John et al. described in their work [14]. For exam- and which environment (Dark or Surface Web) provides bet- ple, including a known web shell or disclosing the vulnerable ter advantages in each category. version of an installed application along with its name is a widely used strategy to lure attackers. Attack identification These popular\advertisement"approaches are not straight- The most significant difference between a deployment on forward to apply to services hosted on the Tor network. As the surface Web and on the Tor network is the anonymity we later discuss in Section4, it is still possible for .onion of the incoming requests. In a traditional honeypot, indi- web sites to be indexed by Google. However, in order to gain vidual requests are typically grouped together in attack ses- popularity and attract attackers, researchers should care- sions [10] to provide an enriched view on the number and fully employ alternative techniques { such as advertising the nature of each attack. A single session can span several website in forums, channels, or link directories specific to the minutes and include hundreds of different requests (e.g., to Dark Web. probe the application, exploit a vulnerability, and install post-exploitation scripts). Operational costs Since many malicious tools do not honor server-side cook- Since, as explained above, operating a honeypot in the Dark ies, this clustering phase is often performed by combining Web does not require any special domain registration or ded- two pieces of information: the timestamp of each request, icated hosting provider, the total cost of the operation is and its source IP address. Thus, requests coming in the typically very low. Canali et al [10] had to register hun- same empirically-defined time window and from the same dreds of domain names (and routinely change them to avoid host are normally grouped in a single session. blacklisting) as well as several dedicated hosting providers { Unfortunately, the source of each connection is hidden in which are often difficult to handle because they often block the Tor network, and therefore the identification of individ- the accounts if they receive complains about possibly mali- ual attacks becomes much harder in the Dark Web. More- cious traffic. over, if the attacker uses the Tor browser, also the HTTP In comparison, an equivalent infrastructure on the Dark headers would be identical between different attackers. Web only requires the physical machines where the honey- pot is installed, as creating new domains is free and can be Stealthiness performed arbitrarily by the honeypot administrator. If on the one hand the anonymity provided by the Tor net- work complicates the analysis of the attacks, on the other it Nature of the collected data also simplifies the setup of the honeypot infrastructure. In Some criminals use the Tor network to host illicit content fact, a core aspect of any honeypot is its ability to remain like child pornography, since it protects both the visitors and hidden as the quality of the collected data decreases if at- the host by concealing their identities. Therefore, as we ex- tackers can easily identify that the target machine is likely plain in Section3, we had to take some special precautions a trap. to prevent attackers from using our honeypot to store and For instance, the nature of the Surface Web reveals in- distribute this material. Unless researchers work in collabo- formation like the Whois and SOA records associated with a ration with law enforcement, these measures are required to domain name, or the geo-location of the IP address the hon- safely operate a honeypot in the Dark Web. eypot resolves to. To mitigate this risk, Canali et al. [10] employed a distributed architecture including hundreds of transparent proxy-servers that redirected the incoming traf- 3. HONEYPOT SETUP AND DEPLOYMENT fic via VPN to the honeypots hosted on the researchers' lab. This solution successfully solve the problem of hiding the In this section we describe the setup of our honeypot. real location of the web applications, but it is difficult to Our deployment is composed of three types of web-based maintain and requires the proxies to be located on many honeypots and a system-based honeypot.
Recommended publications
  • UC Santa Barbara UC Santa Barbara Electronic Theses and Dissertations

    UC Santa Barbara UC Santa Barbara Electronic Theses and Dissertations

    UC Santa Barbara UC Santa Barbara Electronic Theses and Dissertations Title A Web of Extended Metaphors in the Guerilla Open Access Manifesto of Aaron Swartz Permalink https://escholarship.org/uc/item/6w76f8x7 Author Swift, Kathy Publication Date 2017 Peer reviewed|Thesis/dissertation eScholarship.org Powered by the California Digital Library University of California UNIVERSITY OF CALIFORNIA Santa Barbara A Web of Extended Metaphors in the Guerilla Open Access Manifesto of Aaron Swartz A dissertation submitted in partial satisfaction of the requirements for the degree Doctor of Philosophy in Education by Kathleen Anne Swift Committee in charge: Professor Richard Duran, Chair Professor Diana Arya Professor William Robinson September 2017 The dissertation of Kathleen Anne Swift is approved. ................................................................................................................................ Diana Arya ................................................................................................................................ William Robinson ................................................................................................................................ Richard Duran, Committee Chair June 2017 A Web of Extended Metaphors in the Guerilla Open Access Manifesto of Aaron Swartz Copyright © 2017 by Kathleen Anne Swift iii ACKNOWLEDGEMENTS I would like to thank the members of my committee for their advice and patience as I worked on gathering and analyzing the copious amounts of research necessary to
  • The Internet and Drug Markets

    The Internet and Drug Markets

    INSIGHTS EN ISSN THE INTERNET AND DRUG MARKETS 2314-9264 The internet and drug markets 21 The internet and drug markets EMCDDA project group Jane Mounteney, Alessandra Bo and Alberto Oteo 21 Legal notice This publication of the European Monitoring Centre for Drugs and Drug Addiction (EMCDDA) is protected by copyright. The EMCDDA accepts no responsibility or liability for any consequences arising from the use of the data contained in this document. The contents of this publication do not necessarily reflect the official opinions of the EMCDDA’s partners, any EU Member State or any agency or institution of the European Union. Europe Direct is a service to help you find answers to your questions about the European Union Freephone number (*): 00 800 6 7 8 9 10 11 (*) The information given is free, as are most calls (though some operators, phone boxes or hotels may charge you). More information on the European Union is available on the internet (http://europa.eu). Luxembourg: Publications Office of the European Union, 2016 ISBN: 978-92-9168-841-8 doi:10.2810/324608 © European Monitoring Centre for Drugs and Drug Addiction, 2016 Reproduction is authorised provided the source is acknowledged. This publication should be referenced as: European Monitoring Centre for Drugs and Drug Addiction (2016), The internet and drug markets, EMCDDA Insights 21, Publications Office of the European Union, Luxembourg. References to chapters in this publication should include, where relevant, references to the authors of each chapter, together with a reference to the wider publication. For example: Mounteney, J., Oteo, A. and Griffiths, P.
  • Fraud and the Darknets

    Fraud and the Darknets

    OFFICE OF THE INSPECTOR GENERAL U.S. Department of Education Technology Crimes Division Fraud And The Darknets Thomas Harper Assistant Special Agent in Charge Technology Crimes Division OFFICE OF THE INSPECTOR GENERAL U.S. Department of Education Technology Crimes Division What is an OIG? • Established by Congress • Independent agency that reports to Congress • Agency head appointed by the President and confirmed by Congress • Mission: protect the taxpayer’s interests by ensuring the integrity and efficiency of the associated agency OFFICE OF THE INSPECTOR GENERAL U.S. Department of Education Technology Crimes Division Technology Crimes Division • Investigate criminal cyber threats against the Department’s IT infrastructure, or • Criminal activity in cyber space that threatens the Department’s administration of Federal education assistance funds • Investigative jurisdiction encompasses any IT system used in the administration of Federal money originating from the Department of Education. OFFICE OF THE INSPECTOR GENERAL U.S. Department of Education Technology Crimes Division Work Examples • Grade hacking • Computer Intrusions • Criminal Forums online selling malware • ID/Credential theft to hijack Student Aid applications • Misuse of Department systems to obtain personal information • Falsifying student aid applications by U.S. government employees • Child Exploitation material trafficking OFFICE OF THE INSPECTOR GENERAL U.S. Department of Education Technology Crimes Division Fraud and the Darknets Special Thanks to Financial Crimes Enforcement Network (FINCEN) OFFICE OF THE INSPECTOR GENERAL U.S. Department of Education Technology Crimes Division Fraud and the Darknets OFFICE OF THE INSPECTOR GENERAL U.S. Department of Education Technology Crimes Division OFFICE OF THE INSPECTOR GENERAL U.S. Department of Education Technology Crimes Division OFFICE OF THE INSPECTOR GENERAL U.S.
  • An Evolving Threat the Deep Web

    An Evolving Threat the Deep Web

    8 An Evolving Threat The Deep Web Learning Objectives distribute 1. Explain the differences between the deep web and darknets.or 2. Understand how the darknets are accessed. 3. Discuss the hidden wiki and how it is useful to criminals. 4. Understand the anonymity offered by the deep web. 5. Discuss the legal issues associated withpost, use of the deep web and the darknets. The action aimed to stop the sale, distribution and promotion of illegal and harmful items, including weapons and drugs, which were being sold on online ‘dark’ marketplaces. Operation Onymous, coordinated by Europol’s Europeancopy, Cybercrime Centre (EC3), the FBI, the U.S. Immigration and Customs Enforcement (ICE), Homeland Security Investigations (HSI) and Eurojust, resulted in 17 arrests of vendors andnot administrators running these online marketplaces and more than 410 hidden services being taken down. In addition, bitcoins worth approximately USD 1 million, EUR 180,000 Do in cash, drugs, gold and silver were seized. —Europol, 20141 143 Copyright ©2018 by SAGE Publications, Inc. This work may not be reproduced or distributed in any form or by any means without express written permission of the publisher. 144 Cyberspace, Cybersecurity, and Cybercrime THINK ABOUT IT 8.1 Surface Web and Deep Web Google, Facebook, and any website you can What Would You Do? find via traditional search engines (Internet Explorer, Chrome, Firefox, etc.) are all located 1. The deep web offers users an anonym- on the surface web. It is likely that when you ity that the surface web cannot provide. use the Internet for research and/or social What would you do if you knew that purposes you are using the surface web.
  • Applications Log Viewer

    Applications Log Viewer

    4/1/2017 Sophos Applications Log Viewer MONITOR & ANALYZE Control Center Application List Application Filter Traffic Shaping Default Current Activities Reports Diagnostics Name * Mike App Filter PROTECT Description Based on Block filter avoidance apps Firewall Intrusion Prevention Web Enable Micro App Discovery Applications Wireless Email Web Server Advanced Threat CONFIGURE Application Application Filter Criteria Schedule Action VPN Network Category = Infrastructure, Netw... Routing Risk = 1-Very Low, 2- FTPS-Data, FTP-DataTransfer, FTP-Control, FTP Delete Request, FTP Upload Request, FTP Base, Low, 4... All the Allow Authentication FTPS, FTP Download Request Characteristics = Prone Time to misuse, Tra... System Services Technology = Client Server, Netwo... SYSTEM Profiles Category = File Transfer, Hosts and Services Confe... Risk = 3-Medium Administration All the TeamViewer Conferencing, TeamViewer FileTransfer Characteristics = Time Allow Excessive Bandwidth,... Backup & Firmware Technology = Client Server Certificates Save Cancel https://192.168.110.3:4444/webconsole/webpages/index.jsp#71826 1/4 4/1/2017 Sophos Application Application Filter Criteria Schedule Action Applications Log Viewer Facebook Applications, Docstoc Website, Facebook Plugin, MySpace Website, MySpace.cn Website, Twitter Website, Facebook Website, Bebo Website, Classmates Website, LinkedIN Compose Webmail, Digg Web Login, Flickr Website, Flickr Web Upload, Friendfeed Web Login, MONITOR & ANALYZE Hootsuite Web Login, Friendster Web Login, Hi5 Website, Facebook Video
  • Social Media Investigations Within the Dark Web About the Presenters

    Social Media Investigations Within the Dark Web About the Presenters

    Social Media Investigations Within the Dark Web About the presenters Joe Church Founder & Owner Digital Shield, Incorporated Ashley Luna Product Manager X1 John Patzakis Executive Chairman X1 Agenda • X1 Overview • Digital Shield Overview • Introduction to the Dark Web • Accessing the Dark Web • Dark Web Collection Demo • Interactive Q&A X1 Social Discovery • Designed for investigative professionals to collect social posts, website content, webmail, and YouTube videos and other social media types all from within a single user interface. • Supports the simultaneous collection of content and metadata • Legally defensible collections that preserve chain of custody. • Build on X1’s patented & proven fast-as-you-type search technology Presenter Background • Joe Church – Digital Shield, Inc. • Prior LE/Federal LE • Private Business • Litigation Support • State/Federal/International Testimony • Case Work • Leading Technology • Course Development • Major Vendors Internet Layers Surface Web • Also called: ▫ World Wide Web ▫ Clearnet ▫ Visible Web • Topmost level of the web, searchable by surface crawlers ▫ Examples: Bing, Google, Yahoo Deep Web • Also called: ▫ Deepnet ▫ Invisible Web ▫ Hidden Web • Second level of the web • Cannot be reached by traditional search engines Dark Web • Also called: ▫ Darknet • Small portion of the Internet that is intentionally hidden ▫ Restricted, encrypted, and not fully indexed ▫ Often associated with criminal activity ▫ Originally developed by US military researches Dark Web • Creates an Overlay Network, a new
  • How to Use Encryption and Privacy Tools to Evade Corporate Espionage

    How to Use Encryption and Privacy Tools to Evade Corporate Espionage

    How to use Encryption and Privacy Tools to Evade Corporate Espionage An ICIT White Paper Institute for Critical Infrastructure Technology August 2015 NOTICE: The recommendations contained in this white paper are not intended as standards for federal agencies or the legislative community, nor as replacements for enterprise-wide security strategies, frameworks and technologies. This white paper is written primarily for individuals (i.e. lawyers, CEOs, investment bankers, etc.) who are high risk targets of corporate espionage attacks. The information contained within this briefing is to be used for legal purposes only. ICIT does not condone the application of these strategies for illegal activity. Before using any of these strategies the reader is advised to consult an encryption professional. ICIT shall not be liable for the outcomes of any of the applications used by the reader that are mentioned in this brief. This document is for information purposes only. It is imperative that the reader hires skilled professionals for their cybersecurity needs. The Institute is available to provide encryption and privacy training to protect your organization’s sensitive data. To learn more about this offering, contact information can be found on page 41 of this brief. Not long ago it was speculated that the leading world economic and political powers were engaged in a cyber arms race; that the world is witnessing a cyber resource buildup of Cold War proportions. The implied threat in that assessment is close, but it misses the mark by at least half. The threat is much greater than you can imagine. We have passed the escalation phase and have engaged directly into full confrontation in the cyberwar.
  • A Framework for Identifying Host-Based Artifacts in Dark Web Investigations

    A Framework for Identifying Host-Based Artifacts in Dark Web Investigations

    Dakota State University Beadle Scholar Masters Theses & Doctoral Dissertations Fall 11-2020 A Framework for Identifying Host-based Artifacts in Dark Web Investigations Arica Kulm Dakota State University Follow this and additional works at: https://scholar.dsu.edu/theses Part of the Databases and Information Systems Commons, Information Security Commons, and the Systems Architecture Commons Recommended Citation Kulm, Arica, "A Framework for Identifying Host-based Artifacts in Dark Web Investigations" (2020). Masters Theses & Doctoral Dissertations. 357. https://scholar.dsu.edu/theses/357 This Dissertation is brought to you for free and open access by Beadle Scholar. It has been accepted for inclusion in Masters Theses & Doctoral Dissertations by an authorized administrator of Beadle Scholar. For more information, please contact [email protected]. A FRAMEWORK FOR IDENTIFYING HOST-BASED ARTIFACTS IN DARK WEB INVESTIGATIONS A dissertation submitted to Dakota State University in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Cyber Defense November 2020 By Arica Kulm Dissertation Committee: Dr. Ashley Podhradsky Dr. Kevin Streff Dr. Omar El-Gayar Cynthia Hetherington Trevor Jones ii DISSERTATION APPROVAL FORM This dissertation is approved as a credible and independent investigation by a candidate for the Doctor of Philosophy in Cyber Defense degree and is acceptable for meeting the dissertation requirements for this degree. Acceptance of this dissertation does not imply that the conclusions reached by the candidate are necessarily the conclusions of the major department or university. Student Name: Arica Kulm Dissertation Title: A Framework for Identifying Host-based Artifacts in Dark Web Investigations Dissertation Chair: Date: 11/12/20 Committee member: Date: 11/12/2020 Committee member: Date: Committee member: Date: Committee member: Date: iii ACKNOWLEDGMENT First, I would like to thank Dr.
  • Introduction Points

    Introduction Points

    Introduction Points Ahmia.fi - Clearnet search engine for Tor Hidden Services (allows you to add new sites to its database) TORLINKS Directory for .onion sites, moderated. Core.onion - Simple onion bootstrapping Deepsearch - Another search engine. DuckDuckGo - A Hidden Service that searches the clearnet. TORCH - Tor Search Engine. Claims to index around 1.1 Million pages. Welcome, We've been expecting you! - Links to basic encryption guides. Onion Mail - SMTP/IMAP/POP3. ***@onionmail.in address. URSSMail - Anonymous and, most important, SECURE! Located in 3 different servers from across the globe. Hidden Wiki Mirror - Good mirror of the Hidden Wiki, in the case of downtime. Where's pedophilia? I WANT IT! Keep calm and see this. Enter at your own risk. Site with gore content is well below. Discover it! Financial Services Currencies, banks, money markets, clearing houses, exchangers. The Green Machine Forum type marketplace for CCs, Paypals, etc.... Some very good vendors here!!!! Paypal-Coins - Buy a paypal account and receive the balance in your bitcoin wallet. Acrimonious2 - Oldest escrowprovider in onionland. BitBond - 5% return per week on Bitcoin Bonds. OnionBC Anonymous Bitcoin eWallet, mixing service and Escrow system. Nice site with many features. The PaypalDome Live Paypal accounts with good balances - buy some, and fix your financial situation for awhile. EasyCoin - Bitcoin Wallet with free Bitcoin Mixer. WeBuyBitcoins - Sell your Bitcoins for Cash (USD), ACH, WU/MG, LR, PayPal and more. Cheap Euros - 20€ Counterfeit bills. Unbeatable prices!! OnionWallet - Anonymous Bitcoin Wallet and Bitcoin Laundry. BestPal BestPal is your Best Pal, if you need money fast. Sells stolen PP accounts.
  • An Investigative Study of Cryptocurrency Abuses in the Dark Web

    An Investigative Study of Cryptocurrency Abuses in the Dark Web

    Cybercriminal Minds: An investigative study of cryptocurrency abuses in the Dark Web Seunghyeon Leeyz Changhoon Yoonz Heedo Kangy Yeonkeun Kimy Yongdae Kimy Dongsu Hany Sooel Sony Seungwon Shinyz yKAIST zS2W LAB Inc. {seunghyeon, kangheedo, yeonk, yongdaek, dhan.ee, sl.son, claude}@kaist.ac.kr {cy}@s2wlab.com Abstract—The Dark Web is notorious for being a major known as one of the major drug trading sites [13], [22], and distribution channel of harmful content as well as unlawful goods. WannaCry malware, one of the most notorious ransomware, Perpetrators have also used cryptocurrencies to conduct illicit has actively used the Dark Web to operate C&C servers [50]. financial transactions while hiding their identities. The limited Cryptocurrency also presents a similar situation. Apart from coverage and outdated data of the Dark Web in previous studies a centralized server, cryptocurrencies (e.g., Bitcoin [58] and motivated us to conduct an in-depth investigative study to under- Ethereum [72]) enable people to conduct peer-to-peer trades stand how perpetrators abuse cryptocurrencies in the Dark Web. We designed and implemented MFScope, a new framework which without central authorities, and thus it is hard to identify collects Dark Web data, extracts cryptocurrency information, and trading peers. analyzes their usage characteristics on the Dark Web. Specifically, Similar to the case of the Dark Web, cryptocurrencies MFScope collected more than 27 million dark webpages and also provide benefits to our society in that they can redesign extracted around 10 million unique cryptocurrency addresses for Bitcoin, Ethereum, and Monero. It then classified their usages to financial trading mechanisms and thus motivate new business identify trades of illicit goods and traced cryptocurrency money models, but are also adopted in financial crimes (e.g., money flows, to reveal black money operations on the Dark Web.
  • Torward: DISCOVERY, BLOCKING, and TRACEBACK of MALICIOUS TRAFFIC OVER Tor 2517

    Torward: DISCOVERY, BLOCKING, and TRACEBACK of MALICIOUS TRAFFIC OVER Tor 2517

    IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 10, NO. 12, DECEMBER 2015 2515 TorWard: Discovery, Blocking, and Traceback of Malicious Traffic Over Tor Zhen Ling, Junzhou Luo, Member, IEEE,KuiWu,Senior Member, IEEE, Wei Yu, and Xinwen Fu Abstract— Tor is a popular low-latency anonymous communi- I. INTRODUCTION cation system. It is, however, currently abused in various ways. OR IS a popular overlay network that provides Tor exit routers are frequently troubled by administrative and legal complaints. To gain an insight into such abuse, we designed Tanonymous communication over the Internet for and implemented a novel system, TorWard, for the discovery and TCP applications and helps fight against various Internet the systematic study of malicious traffic over Tor. The system censorship [1]. It serves hundreds of thousands of users and can avoid legal and administrative complaints, and allows the carries terabyte of traffic daily. Unfortunately, Tor has been investigation to be performed in a sensitive environment such abused in various ways. Copyrighted materials are shared as a university campus. An intrusion detection system (IDS) is used to discover and classify malicious traffic. We performed through Tor. The black markets (e.g., Silk Road [2], an comprehensive analysis and extensive real-world experiments to online market selling goods such as pornography, narcotics validate the feasibility and the effectiveness of TorWard. Our or weapons1) can be deployed through Tor hidden service. results show that around 10% Tor traffic can trigger IDS alerts. Attackers also run botnet Command and Control (C&C) Malicious traffic includes P2P traffic, malware traffic (e.g., botnet servers and send spam over Tor.
  • Monitoring the Dark Web and Securing Onion Services

    Monitoring the Dark Web and Securing Onion Services

    City University of New York (CUNY) CUNY Academic Works Publications and Research Queensborough Community College 2017 Monitoring the Dark Web and Securing Onion Services John Schriner CUNY Queensborough Community College How does access to this work benefit ou?y Let us know! More information about this work at: https://academicworks.cuny.edu/qb_pubs/41 Discover additional works at: https://academicworks.cuny.edu This work is made publicly available by the City University of New York (CUNY). Contact: [email protected] Monitoring the Dark Web Schriner 1 John Schriner Monitoring the Dark Web Contrary to what one may expect to read with a title like Monitoring the Dark Web, this paper will focus less on how law enforcement works to monitor hidden web sites and services and focus more on how academics and researchers monitor this realm. The paper is divided into three parts: Part One discusses Tor research and how onion services work; Part Two discusses tools that researchers use to monitor the dark web; Part Three tackles the technological, ethical, and social interests at play in securing the dark web. Part One: Tor is Research-Driven Tor (an acronym for 'the onion router' now stylized simply 'Tor') is an anonymity network in which a user of the Tor Browser connects to a website via three hops: a guard node, a middle relay, and an exit node. The connection is encrypted with three layers, stripping a layer at each hop towards its destination server. No single node has the full picture of the connection along the circuit: the guard knows only your IP but not where the destination is; the middle node knows the guard and the exit node; the exit node knows only the middle node and the final destination.