
The dark web represents the parts of the internet that only exist on darknets and overlay networks. Special software, such as the Tor browser, and special network configurations are required to access its various parts. Darknets are forms of peer-to-peer (P2P) networks operated by individuals as well as public organizations. Tor, I2P and Freenet are the most prominent examples of darknets in existence today. Since the emergence of the dark web, the research community has focused mainly on measuring the size and features of the dark web, along with the goods and services offered on its various marketplaces. Very little is known, however, about the nature and forms of attacks that take place on the dark web.

On the surface web, professionals today understand well how website vulnerabilities are exploited, as well as the pivotal role played by botnets and Google Dorks in creating a form of “background attack noise” that heightens the efficacy of attacks launched against surface-web websites.

A recently published paper examined whether the basic concepts and elements of cyberattacks on the surface web also apply to the dark web. In particular, by running a high-interaction honeypot on the Tor network for seven months, the researchers analyzed the types of attacks and the behavioral patterns of attackers that affect the dark web.

First, we have to understand what a honeypot is.

What is a honeypot?

A honeypot is a special form of computer system constructed to act as a decoy for attackers, and to monitor, mitigate or analyze attempts by cyber attackers to gain unauthorized access to websites, data centers, etc. Generally speaking, it comprises a computer, software, and data that emulate the behavior of a real machine on the network, while the system is actually isolated and meticulously monitored. All attempts to communicate with the honeypot are considered hostile, as legitimate users have no reason to access any given honeypot.

Honeypot Deployment Onto The Tor Network:

For the purpose of the study, the researchers used three forms of internet-based honeypots, as well as a system-based honeypot. Each of the four honeypots was installed on its own virtual machine (VM) hosted on the researchers’ premises. Using virtual machines allowed the honeypots to be reverted to a clean state in case they had been compromised. All honeypots were hosted on the Tor network as Tor websites, i.e. hidden services.

All VMs were fully patched to shield the honeypots against privilege escalation; in other words, an attacker who successfully compromised any of the machines would not be able to modify any of the system’s files and would only be able to view the contents of some directories.

A set of firewall rules restricted the networking capabilities of attackers. In particular, all incoming and outgoing connections on all ports were blocked, apart from those needed by Tor to run and the ports of the services explicitly offered by the researchers. The firewall was also configured to prevent denial-of-service attacks by enforcing strict rate limits.

Types of attacks:

During the seven months of the experiment, attackers uploaded 287 files onto the honeypots. The authors of the paper classified the detected attacks into three categories:

Scattered attacks:

Conventional search engines sometimes index pages from the dark web via Tor2web proxies. Accordingly, websites on Tor receive a portion of the background noise of automated attacks that hit the surface web, scattered through these proxies, which act as gateways between the surface web and the deep web.

Automated attacks via Tor:

The honeypots received at least 1,500 path traversal attempts. Judging from the User-Agent string, attackers were most probably using the Nmap scripting engine to scan their targets. The honeypots also received multiple scan attempts to retrieve the Tor hidden service’s private key, which the researchers had deliberately placed in the root directory of the web applications used in the experiment.

Over the honeypots’ period of operation, the researchers detected 400 attempts to fetch the Tor service’s private key.

Manual attacks:

This category included more sophisticated attacks. Attackers launching manual attacks connected via the Tor network itself, rather than via Tor2web proxies. Post-exploitation actions performed by attackers included checking local databases and retrieving phpinfo output and system files, including passwd, crontab, pam.conf and fstab.

The researchers also detected 71 file downloads via FTP. Interestingly, attackers first connected to the SSH server and sent their real usernames for login, most likely because SSH clients do this automatically. They then killed the session and reconnected using valid usernames harvested from the honeypot documents.
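The three categories above (scattered noise via Tor2web, automated scans such as path traversal and private-key fetches, and manual post-exploitation file access) expressed as detection logic over constructed honeypot access-log lines. This is an added example, not the paper's code; the log format, the Tor2web gateway naming pattern (`<addr>.onion.<tld>`) and the file lists are assumptions.

```python
import re
from collections import Counter

# Constructed honeypot access-log lines (not from the paper). Format assumed here:
# host client [time] "method path proto" status "user-agent"
SAMPLE_LOG = """\
abc123.onion 127.0.0.1 [01/Jan/2017:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 "Mozilla/5.0"
abc123.onion 127.0.0.1 [01/Jan/2017:10:00:05 +0000] "GET /../../../../etc/passwd HTTP/1.1" 400 "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
abc123.onion 127.0.0.1 [01/Jan/2017:10:00:06 +0000] "GET /private_key HTTP/1.1" 404 "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
abc123.onion.to 127.0.0.1 [01/Jan/2017:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 404 "Mozilla/5.0 (compatible; Googlebot/2.1)"
abc123.onion 127.0.0.1 [01/Jan/2017:10:05:00 +0000] "GET /phpinfo.php HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"
abc123.onion 127.0.0.1 [01/Jan/2017:10:05:30 +0000] "GET /download.php?f=/etc/crontab HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Tor2web gateways publish an onion site under a surface-web name such as
# <addr>.onion.<tld>; a request whose Host matches came through such a gateway (assumption).
TOR2WEB_RE = re.compile(r'\.onion\.[a-z]+$', re.I)
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e)', re.I)
# Files Tor keeps in HiddenServiceDir; the paper's honeypot exposed the key under the web root.
TOR_KEY_FILES = {'private_key', 'hostname'}
# Artefacts the paper lists as targets of manual post-exploitation.
POST_EXPLOIT_FILES = ('phpinfo', 'passwd', 'crontab', 'pam.conf', 'fstab')

def classify(line):
    """Map one log line to 'scattered', 'automated', 'manual' or None (unremarkable)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, path, ua = m['host'], m['path'].lower(), m['ua'].lower()
    if TOR2WEB_RE.search(host):
        return 'scattered'      # surface-web background noise arriving via a proxy
    basename = path.split('?', 1)[0].rstrip('/').rsplit('/', 1)[-1]
    if TRAVERSAL_RE.search(path) or 'nmap' in ua or basename in TOR_KEY_FILES:
        return 'automated'      # scanner signatures: traversal, Nmap UA, key fetch
    if any(name in path for name in POST_EXPLOIT_FILES):
        return 'manual'         # direct Tor client pulling system files
    return None

def summarize(log_text):
    """Count attack categories over a whole log; unclassified lines are dropped."""
    return Counter(c for c in map(classify, log_text.splitlines()) if c)

if __name__ == '__main__':
    print(dict(summarize(SAMPLE_LOG)))   # {'automated': 2, 'scattered': 1, 'manual': 2}
```

Traversal is checked before the system-file list so that a scanner's `../../etc/passwd` probe counts as automated, while a plain fetch of passwd or crontab from a direct Tor client counts as manual.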
