ABSTRACT
The Dark Web is known as the part of the Internet operated by decentralized and anonymity-preserving protocols like Tor. To date, the research community has focused on understanding the size and characteristics of the Dark Web and the services and goods that are offered in its underground markets. However, little is still known about the attack landscape in the Dark Web.
For the traditional Web, it is now well understood how websites are exploited, as well as the important role played by Google Dorks and automated attack bots to form some sort of "background attack noise" to which public websites are exposed.
This paper tries to understand if these basic concepts and components have a parallel in the Dark Web. In particular, by deploying a high-interaction honeypot in the Tor network for a period of seven months, we conducted a measurement study of the types of attacks and of the attackers' behavior that affect this still relatively unknown corner of the Web.
Index Terms
- Attacks landscape in the dark side of the web