Malicious DNS Traffic in Tor: Analysis and Countermeasures

Michael Sonntag

Abstract

Anonymization is commonly seen as useful only for people who have something to hide. Tor exit nodes are therefore associated with malicious behaviour and especially the so-called “darknet”. While the Tor network supports hidden services, and a large share of these serve illegal purposes, most of the traffic in the Tor network exits to the normal Internet and could be, and probably is, legal. We investigate this by taking a look at the DNS requests of a high-bandwidth exit node. We observe some malicious behaviour (especially DNS scans), questionable targets (both widely seen as immoral and very likely illegal in most countries), and careless usage. However, all of these, while undoubtedly undesirable, make up only a small share of the exit traffic. We then propose some additions to reduce the detected malicious use.


Paper Citation


in Harvard Style

Sonntag M. (2019). Malicious DNS Traffic in Tor: Analysis and Countermeasures. In Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-359-9, pages 536-543. DOI: 10.5220/0007471205360543


in Bibtex Style

@conference{icissp19,
author={Michael Sonntag},
title={Malicious DNS Traffic in Tor: Analysis and Countermeasures},
booktitle={Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2019},
pages={536-543},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0007471205360543},
isbn={978-989-758-359-9},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Malicious DNS Traffic in Tor: Analysis and Countermeasures
SN - 978-989-758-359-9
AU - Sonntag M.
PY - 2019
SP - 536
EP - 543
DO - 10.5220/0007471205360543