research-article

Attacks landscape in the dark side of the web

Authors:
Onur Catakoglu

Eurecom & Monaco Digital

Eurecom & Monaco Digital
View Profile

,
Marco Balduzzi

Trend Micro Research

Trend Micro Research
View Profile

,
Davide Balzarotti

Eurecom

Eurecom
View Profile

SAC '17: Proceedings of the Symposium on Applied ComputingApril 2017Pages 1739–1746https://doi.org/10.1145/3019612.3019796

Published:03 April 2017Publication History

SAC '17: Proceedings of the Symposium on Applied Computing

Pages 1739–1746

ABSTRACT

The Dark Web is known as the part of the Internet operated by decentralized and anonymous-preserving protocols like Tor. To date, the research community has focused on understanding the size and characteristics of the Dark Web and the services and goods that are offered in its underground markets. However, little is still known about the attacks landscape in the Dark Web.

For the traditional Web, it is now well understood how websites are exploited, as well as the important role played by Google Dorks and automated attack bots to form some sort of "background attack noise" to which public websites are exposed.

This paper tries to understand if these basic concepts and components have a parallel in the Dark Web. In particular, by deploying a high interaction honeypot in the Tor network for a period of seven months, we conducted a measurement study of the type of attacks and of the attackers behavior that affect this still relatively unknown corner of the Web.

References

Acunetix Ltd, Web Vulnerability Scanner. http://www.acunetix.com/vulnerability-scanner/. Accessed: 2016-09-26.Google Scholar
Ahmia. https://ahmia.rl/. Accessed: 2016-09-26.Google Scholar
Google Hack Honeypot. http://ghh.sourceforge.net/. Accessed: 2016-09-26.Google Scholar
High interaction honeypot analysis tool. https://sourceforge.net/projects/hihat/. Accessed: 2016-09-26.Google Scholar
ModSecurity: Open Source Web Application Firewall. https://www.modsecurity.org/. Accessed: 2016-09-26.Google Scholar
MushMush Foundation, http://mushmush.org/. Accessed: 2016-09-26.Google Scholar
Tor Project. Did the FBI Pay a University to Attack Tor Users? https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users.Google Scholar
B. H. U. 2014. You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget.Google Scholar
D. Brown. Resilient botnet command and control with tor. 2010.Google Scholar
D. Canali and D. Balzarotti. Behind the scenes of online attacks: an analysis of exploitation behaviors on the web. In Proceedings of NDSS 2013, pages n-a, 2013.Google Scholar
O. Catakoglu, M. Balduzzi, and D. Balzarotti. Automatic extraction of indicators of compromise for web applications. In Proceedings of the 25th International Conference on World Wide Web, WWW '16, 2016. Google ScholarDigital Library
V. Ciancaglini, M. Balduzzi, R. McArdle, and M. Rosier. Below the Surface: Exploring the Deep Web {Technical Report}, http://www.deepweb-sites.com/wp-content/uploads/2015/11/Below-the-Surface-Exploring-the-Deep-Web.pdf.Google Scholar
T. Fox-Brewster. Tor Hidden Services And Drug Markets Are Under Attack, But Help Is On The Way. http://www.forbes.com/sites/thomasbrewster/2015/04/01/tor-hidden-services-under-dos-attack/.Google Scholar
J. P. John, F. Yu, Y. Xie, A. Krishnamurthy, and M. Abadi. Heat-seeking honeypots: design and experience. In Proceedings of the 20th international conference on World wide web. ACM, 2011. Google ScholarDigital Library
A. Kwon, M. AlSabah, D. L M. Dacier, and S. Devadas. Circuit fingerprinting attacks: Passive deanonymization of tor hidden services. In 24th USENIX Security Symposium (USENIX Security 15), pages 287--302, 2015. Google ScholarDigital Library
S. J. Lewis. OnionScan Report June 2016 - Snapshots of the Dark Web. https://mascherari.press/onionscan-report-june-2016/.Google Scholar
S. Matic, P. Kotzias, and J. Caballero. Caronte: Detecting location leaks for deanonymizing tor hidden services. In Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, CCS '15. ACM, 2015. Google ScholarDigital Library
P. H. O'Neill. Bank thieves are using Tor to hide their malware {News}, http://www.dailydot.com/crime/bank-malware-tor2web/. Accessed: 2016-09-26.Google Scholar
A. Panchenko, F. Lanze, A. Zinnen, M. Henze, J. Pennekamp, K. Wehrle, and T. Engel. Website fingerprinting at internet scale. In Proceedings of NDSS 2016, 2016. Google ScholarCross Ref
N. Provos. A virtual honeypot framework. In Proceedings of the 13th Conference on USENIX Security Symposium - Volume 13, SSYM'04, pages 1--1, Berkeley, CA, USA, 2004. USENIX Association. Google ScholarDigital Library
A. Sanatinia and G. Noubir. Honions: Towards detection and identification of misbehaving tor hsdirs. https://www.securityweek2016.tu-darmstadt.de/fileadmin/user_upload/Group_securityweek2016/pets2016/10_honions-sanatinia.pdf.Google Scholar
O. Starov, J. Dahse, S. S. Ahmad, T. Holz, and N. Nikiforakis. No honor among thieves: A large-scale analysis of malicious web shells. In Proceedings of the 25th International Conference on World Wide Web, WWW '16, 2016. Google ScholarDigital Library
F. Toffalini, M. Abba, D. Carra, and D. Balzarotti. Google Dorks: Analysis, Creation, and new Defenses. July 2016.Google Scholar
P. Winter, R. Köwer, M. Mulazzani, M. Huber, S. Schrittwieser, S. Lindskog, and E. Weippl. Spoiled onions: Exposing malicious tor exit relays. In International Symposium on Privacy Enhancing Technologies Symposium. Springer, 2014. Google ScholarCross Ref
J. Zhang, J. Notani, and G. Gu. Characterizing google hacking: A first large-scale quantitative study. In International Conference on Security and Privacy in Communication Systems. Springer, 2014.Google Scholar

Index Terms

Attacks landscape in the dark side of the web
1. Security and privacy
  1. Software and application security
    1. Domain-specific security and privacy architectures
    2. Web application security

Recommendations

Empirical Analysis of Web Attacks

The web applications are becoming more popular and complex in today's era of Internet. These on-line applications provide rich benefits along with risk to organization, brand and data. Malicious attackers continue to exploit vulnerabilities in ...
Read More
Client-side cross-site scripting protection

Web applications are becoming the dominant way to provide access to online services. At the same time, web application vulnerabilities are being discovered and disclosed at an alarming rate. Web applications often make use of JavaScript code that is ...
Read More
Exploring and Identifying Malicious Sites in Dark Web Using Machine Learning
Neural Information Processing
Abstract
In recent years, various web-based attacks such as Drive-by-Download attacks are becoming serious. To protect legitimate users, it is important to collect information on malicious sites that could provide a blacklist-based detection software. In ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
SAC '17: Proceedings of the Symposium on Applied Computing
April 2017
2004 pages
ISBN:9781450344869
DOI:10.1145/3019612
Conference Chair:
Sung Y. Shin
South Dakota State University
,
Program Chairs:
Dongwan Shin
New Mexico Tech
,
Maria Lencastre
University of Pernambuco, Brazil
Copyright © 2017 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 3 April 2017
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Badges
- Best Paper
Author Tags
dark web
honeypot
web security
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate1,650of6,669submissions,25%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 17
  Total Citations
  View Citations
- 790
  Total Downloads
- Downloads (Last 12 months)49
- Downloads (Last 6 weeks)5
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Attacks landscape in the dark side of the web

SAC '17: Proceedings of the Symposium on Applied Computing

ABSTRACT

References

Cited By

Index Terms

Recommendations

Empirical Analysis of Web Attacks

Client-side cross-site scripting protection

Exploring and Identifying Malicious Sites in Dark Web Using Machine Learning