Detection and Analysis of Tor Onion Services
DOI:
https://doi.org/10.13052/jcsm2245-1439.915Keywords:
Tor, Darknet, onion services, analysisAbstract
Tor onion services can be accessed and hosted anonymously on the Tor network.
We analyze the protocols, software types, popularity and uptime of
these services by collecting a large amount of .onion addresses. Websites are
crawled and clustered based on their respective language. In order to also
determine the amount of unique websites a de-duplication approach is implemented.
To achieve this, we introduce a modular system for the real-time
detection and analysis of onion services. The overall data reveals
that a large amount of permanent services provide no actual content for Tor
users. A significant part consists instead of bots, services offered via multiple
domains, or duplicated websites for phishing attacks. The total amount of
onion services is thus significantly smaller than current statistics suggest
Downloads
References
The Pirate Bay. The pirate bay – about. https://thepiratebay.org/about,
[Online; As seen on 04 February 2019].
A. Biryukov and Weinmann R. Pustogarov, I. Trawling for tor hidden
services: Detection, measurement, deanonymization. 2013 IEEE
Symposium on Security and Privacy, 2013.
A. Biryukov, R. Weinmann, I. Pustogarov and F. Thill. Content and
popularity analysis of tor hidden services. 2013.
J. Buxton and T. Bingham. The rise and challenge of dark net drug
markets. 2015.
“Legislative Counsel California”. California consumer privacy act.
https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201
AB375, 2018. Assembly Bill No. 375.
U. K. National Cyber Security Centre. Advisory: Trickbot banking
trojan. https://www.ncsc.gov.uk/alerts/trickbot-banking-trojan, 2018.
[Online; As seen on 03 February 2019].
N. Desai. Summer reruns: Threat actors are sticking with malware that
works. https://cofense.com/summer-reruns-threat-actors-sticking-mal
ware-works/, 2018. [Online; As seen on 03 February 2019].
DuckDuckGo.com. Duckduckgo traffic. https://duckduckgo.com/traffic,
[Online; As seen on 01 February 2019].
C. Guarnieri and M. Schloesser. Skynet, a tor-powered botnet straight
from reddit. https://blog.rapid7.com/2012/12/06/skynet-a-tor-poweredbotnet-
straight-from-reddit/, 2012. [Online; As seen on 10 November
.
K. Hayashi. Backdoor.aimvision. https://www.symantec.com/securit
y-center/writeup/2002-061316-4604-99, 2002. [Online; As seen on
February 2019].
D. Knowles. Backdoor.ultor. https://www.symantec.com/security-center
/writeup/2002-101713-3321-99, 2002. [Online; As seen on 01 February
.
B. Lesser, G. Guilizzoni, J. Lott, J. Reinhardt and R. Watkins. Programming
Flash Communication Server. O’Reilly Media; First Edition, P. xii,
A. J. Martin. Iranian web crackdown drives surge in privacy
technology. https://news.sky.com/story/ iranian-web-crackdown-drivessurge-
in-privacy-technology-11191740, 2019. [Online; As seen on
February 2019].
D. Moore and T. Rid. Cryptopolitik and the darknet. Global Politics and
Strategy Volume 58, 2016 – Issue 1, 2016.
Nmap.org. Nmap manual – chapter 14. understanding and customizing
nmap data files. https://nmap.org/book/nmap-services.html, 2019.
[Online; As seen on 03 January 2019].
Nmap.org. Nmap manual – chapter 15. nmap reference guide. https:
//nmap.org/book/man-version-detection.html, 2019. [Online; As seen
on 03 January 2019].
“Office Journal of the European Union”. Regulation (eu) 2016/679 of
the european parliament and of the council of 27 april 2016. https://eurlex.
europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679,
G. Owen and N. Savage. Empirical analysis of tor hidden services. IET
Information Security (Volume: 10, Issue: 3 , 5 2016), 2015.
pcmag.com. Police shut down the wall street market, a top dark web site.
https://www.pcmag.com/news/368151/police-shut-down-the-wall-st
reet-market-a-top-dark-web-site, 2019. [Online; As seen on 03 May
.
Securedrop.org. Secure drop – share documents securely with these
organizations. https://securedrop.org/, 2019. [Online; As seen on
February 2019].
Speedguide.net. Port 1111 details. https://www.speedguide.net/port.
php?port=1111, 2019. [Online; As seen on 01 February 2019].
ProtACT Team and InTELL Team. Large botnet cause of recent tor
network overload. https://blog.fox-it.com/2013/09/05/large-botnetcause-
of-recent-tor-network-overload/, 2013. [Online; As seen on
November 2018].
Torproject.org. Metrics torproject.org. https://metrics.torproject.org/,
[Online; As seen on 16 November 2018].
Torproject.org. Tor 0.3.2.9 is released: We have a new stable series!
https://blog.torproject.org/tor-0329-released-we-have-new-stable
-series, 2018.
Torproject.org. Tor rendezvous protocol, version 2. https://github.com/
torproject/torspec/blob/master/rend-spec-v2.txt, 2018. [Online; As seen
on 09 November 2018].
Torproject.org. Tor rendezvous protocol, version 3. https://github.com/
torproject/torspec/blob/master/rend-spec-v3.txt, 2018. [Online; As seen
on 09 November 2018].
Torproject.org. Configuring onion services for tor. https://www.torpro
ject.org/docs/tor-onion-service.html.en, 2019. [Online; As seen on
January 2019].
Torproject.org. Tor dev manual. https://www.torproject.org/docs/tor-ma
nual-dev.html.en, 2019. [Online; As seen on 03 January 2019].
Torproject.org. User metrics. https://metrics.torproject.org/userstats-rel
ay-country.html, 2019. [Online; As seen on 01 February 2019].
Wikipedia. Support-vector machine. https://en.wikipedia.org/wiki/Supp
ort-vector_machine. [Online; As seen on 28 November 2019].
W. Zamora. Trickbot takes over as top business threat. https://blog.mal
warebytes.com/101/2018/11/trickbot-takes-top-business-threat/, 2018.
[Online; As seen on 03 February 2019].
zona.media. Roskomnadzor blocked the website “rospravosudie” on
complaint about the publication of personal data. https://zona.media/
news/2018/07/18/rospravosudie, 2018. [Online; As seen on 05 February
.
