
Content and popularity analysis of Tor hidden services
Ivan Pustogarov, University of Luxembourg
30 June 2014

Summary (1/2)
- 39824 hidden service descriptors on 4th February 2013
-- Port scanning
-- Popularity
- Content analysis of 3050 HTTP services

Summary (2/2)
- A good chunk of Tor hidden services are not bad
- Massively used by botnets
- Most popular hidden services are shady
- One can catch clients of those shady services

Tor hidden services
(Diagram-only slides: a Tor circuit Client -> Guard -> Middle -> Exit -> Server, hops joined by TLS, with the Consensus shown alongside.)

Tor Rendezvous Protocol
(Five diagram-only slides walking through the rendezvous protocol.)

Responsible Hidden Service Directories
(Diagram-only slides.)

Shadowing
A technique described in [1] allowed us to collect onion addresses fast and cheaply.
[1] A. Biryukov, I. Pustogarov, R.-P. Weinmann. Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization. IEEE Symposium on Security and Privacy, 2013.


Statistics
Port-scan results (bar chart on the slide; counts read off the bars):

  Port              Services
  55080 (Skynet)      13,854
  80 (http)            4,027
  443 (https)          1,366
  22 (ssh)             1,238
  11009 (TorChat)        385
  4050                   138
  6667 (irc)             113
  other                  886

HTTP classification
- 8,153 tried
- Were able to connect to 6,579 using HTTP/HTTPS
- 3,529 were inappropriate for classification
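Port scanning a hidden service has to go through Tor's SOCKS port with a domain-name address, so that the .onion name is resolved inside Tor and never reaches local DNS. The block below is an added example, not the scanner used for the talk: it builds the SOCKS5 greeting and CONNECT request, classifies the reply code, and runs a small scan. The proxy address 127.0.0.1:9050 is Tor's default SocksPort; `simulated_tor` and its table of open ports are invented so the scan runs offline; the onion address is taken from Table II purely as input.

```python
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_DOMAINNAME = 0x03  # hand the .onion name to Tor; never resolve it locally

# RFC 1928 reply codes; Tor reports rendezvous failures through these as well.
REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def greeting():
    """Client hello offering exactly one method: no authentication."""
    return bytes([SOCKS_VERSION, 0x01, 0x00])


def connect_request(host, port):
    """CONNECT with a domain-name address (ATYP 3) so the proxy resolves it."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("SOCKS5 domain names are 1..255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAINNAME, len(name)])
    return header + name + struct.pack(">H", port)


def parse_method_reply(data):
    if len(data) != 2 or data[0] != SOCKS_VERSION or data[1] != 0x00:
        raise ConnectionError("proxy rejected the no-auth method: %r" % (data,))


def parse_connect_reply(data):
    """Return (connected, reason) from a CONNECT reply (VER REP RSV ATYP ...)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ConnectionError("not a SOCKS5 reply: %r" % (data,))
    code = data[1]
    return code == 0x00, REPLY_CODES.get(code, "unknown reply 0x%02x" % code)


def socket_exchange(proxy, timeout):
    """Real transport: one TCP connection to the SOCKS port, one reply per payload."""
    def exchange(payloads):
        replies = []
        with socket.create_connection(proxy, timeout=timeout) as sock:
            for payload in payloads:
                sock.sendall(payload)
                replies.append(sock.recv(512))
        return replies
    return exchange


def probe_port(host, port, proxy=("127.0.0.1", 9050), timeout=90.0, exchange=None):
    """Probe host:port through the proxy; returns (connected, reason).
    Building a rendezvous circuit can take tens of seconds, hence the long timeout."""
    if exchange is None:
        exchange = socket_exchange(proxy, timeout)
    method_reply, connect_reply = exchange([greeting(), connect_request(host, port)])
    parse_method_reply(method_reply)
    return parse_connect_reply(connect_reply)


def scan_ports(host, ports, **kwargs):
    """Map each port to its reason string; 'succeeded' means the port accepted."""
    return {port: probe_port(host, port, **kwargs)[1] for port in ports}


# Constructed stand-in for Tor's SocksPort so the scan runs offline: it decodes
# the CONNECT request and answers from an invented table of open ports.
SIMULATED_OPEN_PORTS = {22, 80}


def simulated_tor(payloads):
    hello, request = payloads
    expected = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAINNAME])
    if hello != greeting() or request[:4] != expected:
        raise ConnectionError("unexpected client message")
    name_len = request[4]
    (port,) = struct.unpack(">H", request[5 + name_len:7 + name_len])
    code = 0x00 if port in SIMULATED_OPEN_PORTS else 0x05
    # Reply carries a zero IPv4 bind address; the client does not need it.
    return [bytes([SOCKS_VERSION, 0x00]), bytes([SOCKS_VERSION, code, 0x00, 0x01]) + bytes(6)]


if __name__ == "__main__":
    print(scan_ports("silkroadvb5piz3r.onion", [22, 80, 443, 6667], exchange=simulated_tor))
```

Against a real Tor instance drop the `exchange` argument; a "general SOCKS server failure" after a long wait usually means no descriptor or no working introduction point, and is worth recording separately from a plain refused port.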

Language distribution
(Bar chart comparing the share of pages per language for Tor hidden services and for the Internet. Languages shown: English, German, Russian, Portuguese, Spanish, French, Polish, Japanese, Italian, Other. English dominates both series; the largest values shown are 84 and 72.)

Topics distribution, %
(Bar chart; category labels recovered from the slide: Adult, Drugs, Politics, Counterfeit, Weapons, FAQs/Tutorials, Security, Anonymity, Hacking, Software/Hardware, Art, Services, Games, Science, Digital libs, Sport, Technology, Other. The percentages are not recoverable from the extraction.)
TABLE II
RANKING OF MOST POPULAR HIDDEN SERVICES
(RQSTS = number of requests; *** marks characters redacted on the slide)

  #    RQSTS  Addr                     Desc
  1    13714  uecbcfgfofuwkcrd.onion   Goldnet
  2    11582  arloppepzch53w3i.onion   Goldnet
  3    11315  pomyeasfnmtn544p.onion   Goldnet
  4     7324  lqqciuwa5yzxewc3.onion   Goldnet
  5     7183  eqlbyxrpd2wdjeig.onion   Goldnet
  6     6852  onhiimfoqy4acjv4.onion   <n/a>
  7     6528  saxtca3ktuhcyqx3.onion   Goldnet
  8     4941  qxc7mc24mj7m4e2o.onion   <n/a>
  9     3746  mwjjmmahc4cjjlqp.onion   BcMine
  10    3678  mepogl2rljvj374e.onion   Skynet
  11    2573  m3hjrfh4hlqc6***.onion   Adult
  12    1950  ua4ttfm47jt32igm.onion   Skynet
  13    1863  opva2pilsncvt***.onion   Adult
  14    1665  nbo32el47o5cl***.onion   Adult
  15    1631  firelol5skg6e***.onion   Adult
  16    1481  niazgxzlrbpevgvq.onion   Skynet
  17    1326  owbm3sjqdnndmydf.onion   Skynet
  18    1175  silkroadvb5piz3r.onion   Silk Road
  19    1094  candy4ci6id24***.onion   Adult
  20    1021  x3wyzqg6cfbqrwht.onion   Skynet
  21     942  4njzp3wzi6leo772.onion   Skynet
  22     899  qdzjxwujdtxrjkrz.onion   Skynet
  23     898  6tkpktox73usm5vq.onion   Skynet
  24     889  kk2wajy64oip2***.onion   Adult
  25     781  gpt2u5hhaqvmnwhr.onion   Skynet
  26     746  smouse2lbzrgeof4.onion   <n/a>
  27     694  xqz3u5drneuzhaeo.onion   FreedomHosting
  28     667  f2ylgv2jochpzm4c.onion   Skynet
  29     585  kdq2y44aaas2a***.onion   Adult
  30     542  4pms4sejqrryc***.onion   Adult
  ...
  34     453  dkn255hz262ypmii.onion   SilkRoad(wiki)
  ...
  47     255  dppmfxaacucguzpc.onion   TorDir
  ...
  62     172  5onwnspjvuk7cwvk.onion   BlckMrktReloaded
  ...
  157     55  3g2upl4pq6kufc4m.onion   DuckDuckGo
  ...
  250     30  x7yxqg5v4j6yzhti.onion   Onion Bookmarks
  ...
  547     10  torhostg5s7pa2sn.onion   Tor Host

Opportunistic deanonymisation of clients
(Two diagram-only slides showing User 1, User 2 and an HSDir.)

Mevade botnet
(A preceding slide repeats rows 1-12 of Table II, the block dominated by Goldnet.)
- Popular, but no results in search engines
- Port 80 (503 error)
- They forgot to disable the server-status page =)
- 330 KBytes/sec, 10 req/sec
- From uptime: two different physical servers
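How the figures on this slide are read off an exposed Apache mod_status page, as an added example rather than the speaker's own tooling: it parses the machine-readable `/server-status?auto` output, derives each backend's boot time as poll time minus `Uptime` to count distinct physical servers behind a single .onion, and computes request and byte rates between two polls of the same backend instead of trusting `ReqPerSec`/`BytesPerSec`, which mod_status averages since start-up. The polls in `SAMPLES` are constructed and every number in them is invented.

```python
import re

# Constructed polls of an Apache mod_status page in its machine-readable form
# (GET /server-status?auto). Each entry is (poll time, body). The values are
# invented for illustration; they are not the botnet's real figures.
SAMPLES = [
    (1370000000, "Total Accesses: 1823411\nTotal kBytes: 60199003\nUptime: 912345\n"
                 "ReqPerSec: 1.998\nBytesPerSec: 67564\nBusyWorkers: 12\nIdleWorkers: 38\n"
                 "Scoreboard: WW__K__W____..\n"),
    (1370000060, "Total Accesses: 88000\nTotal kBytes: 2900000\nUptime: 41162\n"
                 "ReqPerSec: 2.138\nBytesPerSec: 72139\nBusyWorkers: 9\nIdleWorkers: 41\n"),
    (1370000120, "Total Accesses: 1824611\nTotal kBytes: 60238603\nUptime: 912465\n"
                 "ReqPerSec: 1.999\nBytesPerSec: 67603\nBusyWorkers: 14\nIdleWorkers: 36\n"),
    (1370000180, "Total Accesses: 89080\nTotal kBytes: 2935640\nUptime: 41282\n"
                 "ReqPerSec: 2.158\nBytesPerSec: 72822\nBusyWorkers: 10\nIdleWorkers: 40\n"),
]


def parse_status(body):
    """Turn 'Key: value' lines into a dict, keeping numbers as int/float and
    anything else (e.g. the Scoreboard string) as text."""
    fields = {}
    for line in body.splitlines():
        match = re.match(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$", line)
        if not match:
            continue
        key, value = match.group(1).strip(), match.group(2).strip()
        for cast in (int, float):
            try:
                fields[key] = cast(value)
                break
            except ValueError:
                continue
        else:
            fields[key] = value
    return fields


def group_by_backend(samples, tolerance=5):
    """Cluster polls by inferred boot time (poll time - Uptime). Polls served by
    the same machine agree to within a few seconds; a different boot time means
    another physical server is answering for the same .onion."""
    groups = []  # [boot_time, [(poll_time, fields), ...]]
    for poll_time, body in samples:
        fields = parse_status(body)
        boot = poll_time - fields["Uptime"]
        for group in groups:
            if abs(group[0] - boot) <= tolerance:
                group[1].append((poll_time, fields))
                break
        else:
            groups.append([boot, [(poll_time, fields)]])
    groups.sort(key=lambda g: g[0])
    return groups


def backend_rates(samples, tolerance=5):
    """Per backend: boot time, number of polls, and the request and byte rates
    between its first and last poll. mod_status's own ReqPerSec/BytesPerSec are
    averages since start-up, so the deltas are what show current load."""
    report = []
    for boot, polls in group_by_backend(samples, tolerance):
        polls.sort(key=lambda p: p[0])
        entry = {"boot": boot, "polls": len(polls), "req_per_sec": None, "bytes_per_sec": None}
        if len(polls) >= 2:
            (t0, first), (t1, last) = polls[0], polls[-1]
            elapsed = t1 - t0
            entry["req_per_sec"] = (last["Total Accesses"] - first["Total Accesses"]) / elapsed
            entry["bytes_per_sec"] = (last["Total kBytes"] - first["Total kBytes"]) * 1024 / elapsed
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in backend_rates(SAMPLES):
        print(entry)
```

With the constructed samples the report lists two backends: the first at roughly 10 requests and 330 KiB per second, the second slightly lower. Polling more often than the load balancer rotates, and keeping the tolerance at a few seconds, is what separates "two servers" from "one server that was restarted".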

Mevade botnet
- Command and control connectivity via Tor .onion links
- It seems that the purpose of this malware network is to load additional malware onto the system and that the infected systems are for sale


Tracking detection
- One entity has taken over all 6 HSDirs for a single time period, a month before Silk Road was taken down by the FBI
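The check behind this slide, which also illustrates the Responsible Hidden Service Directories and Shadowing slides above, as an added example that is not code from the talk: it computes the two v2 descriptor IDs of an onion address for a time period (rend-spec v2: descriptor-id = H(permanent-id | H(time-period | descriptor-cookie | replica)), with H = SHA-1), selects the three HSDirs at or after each ID in the fingerprint ring, and flags the period when all six map to one operator. The ring, the operator attribution and the attacker fingerprints are constructed for the demonstration (a real shadowing attacker brute-forces relay keys until the fingerprints land there, as in [1]); the onion address is the Silk Road entry from Table II, used only as input.

```python
import base64
import hashlib
import struct
from bisect import bisect_left

DAY = 86400
REPLICAS = (0, 1)       # a v2 descriptor is published under two descriptor IDs
HSDIRS_PER_REPLICA = 3  # each ID goes to the 3 HSDirs that follow it in the ring


def permanent_id(onion):
    """16-character v2 onion address -> 10-byte permanent id (base32 of the
    first 80 bits of SHA-1 over the service's DER-encoded public key)."""
    label = onion.lower()
    if label.endswith(".onion"):
        label = label[:-6]
    if len(label) != 16:
        raise ValueError("v2 onion addresses are 16 base32 characters")
    return base64.b32decode(label.upper())


def time_period(perm_id, now):
    """rend-spec v2: (now + first_byte * 86400 / 256) / 86400 in integer
    arithmetic; the per-service offset spreads descriptor rotation over the day."""
    return (now + perm_id[0] * DAY // 256) // DAY


def descriptor_id(perm_id, period, replica, descriptor_cookie=b""):
    """descriptor-id = H(permanent-id | H(time-period | descriptor-cookie | replica)),
    time-period as 4-byte big-endian, replica as one byte, H = SHA-1."""
    secret_id_part = hashlib.sha1(
        struct.pack(">I", period) + descriptor_cookie + bytes([replica])).digest()
    return hashlib.sha1(perm_id + secret_id_part).digest()


def responsible_hsdirs(desc_id, ring, count=HSDIRS_PER_REPLICA):
    """ring: 20-byte identity digests of the relays with the HSDir flag.
    Returns the `count` relays at or after desc_id, wrapping around the ring."""
    ring = sorted(set(ring))
    start = bisect_left(ring, desc_id)
    return [ring[(start + i) % len(ring)] for i in range(count)]


def all_responsible(onion, now, ring):
    pid = permanent_id(onion)
    period = time_period(pid, now)
    hsdirs = []
    for replica in REPLICAS:
        hsdirs += responsible_hsdirs(descriptor_id(pid, period, replica), ring)
    return period, hsdirs


def takeover_check(onion, now, ring, operator_of):
    """The situation on the slide: every responsible HSDir of the period maps to
    one operator. `operator_of` is whatever attribution is available (family,
    contact, hosting account, /24); relays without one count as 'unknown'."""
    period, hsdirs = all_responsible(onion, now, ring)
    operators = {operator_of.get(fp, "unknown") for fp in hsdirs}
    return {"period": period, "hsdirs": hsdirs, "operators": operators,
            "single_operator": len(operators) == 1 and "unknown" not in operators}


def shadow_ring(onion, now, ring, operator_of, attacker="attacker"):
    """Simulate shadowing: put 3 attacker relays right after each descriptor ID
    of the period. The digests are set directly here; a real attacker has to
    generate keys until the fingerprints fall into those gaps."""
    pid = permanent_id(onion)
    period = time_period(pid, now)
    new_ring, new_ops = list(ring), dict(operator_of)
    for replica in REPLICAS:
        base = int.from_bytes(descriptor_id(pid, period, replica), "big")
        for k in range(1, HSDIRS_PER_REPLICA + 1):
            fp = ((base + k) % (1 << 160)).to_bytes(20, "big")
            new_ring.append(fp)
            new_ops[fp] = attacker
    return new_ring, new_ops


def sample_ring(n=40, operators=8):
    """Constructed HSDir ring: synthetic digests with operators assigned
    round-robin in ring order, so no three neighbours share one (invented data,
    not a consensus)."""
    fps = sorted(hashlib.sha1(("synthetic-hsdir-%d" % i).encode()).digest() for i in range(n))
    return fps, {fp: "op%d" % (i % operators) for i, fp in enumerate(fps)}


if __name__ == "__main__":
    ring, ops = sample_ring()
    now = 1375000000
    print("honest ring:", takeover_check("silkroadvb5piz3r.onion", now, ring, ops)["operators"])
    sring, sops = shadow_ring("silkroadvb5piz3r.onion", now, ring, ops)
    print("shadowed ring:", takeover_check("silkroadvb5piz3r.onion", now, sring, sops)["operators"])
```

Run over real consensuses, the same loop per time period and per onion address gives the timeline the slide summarises: a period in which all six responsible HSDirs suddenly share one operator, followed by a return to the usual spread, is the signature of a shadowing run.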

Thank you
