Malicious DNS Traffic in Tor: Analysis and Countermeasures
Michael Sonntag
2019
Abstract
Anonymization is commonly seen as useful only for people who have something to hide. Tor exit nodes are therefore associated with malicious behaviour and especially the so-called “darknet”. While the Tor network supports hidden services, and a large share of these serve illegal purposes, most of the traffic in the Tor network exits to the normal Internet and could be, and probably is, legal. We investigate this by taking a look at the DNS requests of a high-bandwidth exit node. We observe some malicious behaviour (especially DNS scans), questionable targets (both widely seen as immoral as well as very likely illegal in most countries), and careless usage. However, all these, while undoubtedly undesirable, make up only a small share of the exit traffic. We then propose some additions to reduce the detected malicious use.
Paper Citation
in Harvard Style
Sonntag M. (2019). Malicious DNS Traffic in Tor: Analysis and Countermeasures. In Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-359-9, pages 536-543. DOI: 10.5220/0007471205360543
in Bibtex Style
@conference{icissp19,
author={Michael Sonntag},
title={Malicious DNS Traffic in Tor: Analysis and Countermeasures},
booktitle={Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2019},
pages={536-543},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0007471205360543},
isbn={978-989-758-359-9},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 5th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Malicious DNS Traffic in Tor: Analysis and Countermeasures
SN - 978-989-758-359-9
AU - Sonntag M.
PY - 2019
SP - 536
EP - 543
DO - 10.5220/0007471205360543