Tor is a unique overlay network that was developed to provide anonymous online communications for TCP based applications. The Tor network is currently serving hundreds of thousands of users, helping them to conceal their identity while surfing the internet. Even though the Tor network is currently mainly used to bypass internet censorship in countries governed by oppressive regimes, the anonymity it offers also provides access to hidden services, such as darknet marketplaces, which facilitate trading of illicit drugs, pedophilia, counterfeit documents, and much more. This network that promotes users’ privacy also harbors a whole new side of online violence, allowing various forms of botnets to go under cover, distribute spam, and undergo distributed denial of service attacks (DDoS), among other forms of cybercriminal activities.
A recently published paper proposed a new technique and method for the detection and classification of malicious traffic in order to protect users against potential threats and to develop techniques to trace various forms of malicious code being transmitted over the Tor network. The study aimed at designing and implementing a solution to the rapidly growing problem of malicious traffic over Tor, proposing forensic methods and techniques that can protect the network against malicious traffic, while also preserving the anonymity and privacy of non-malicious traffic.
Proposed method for detection of malicious Tor traffic:
The method used in this research relied on a group of Tor servers. The researchers processed the network traffic and matched the source as well as the destination of each connection to the list of Tor servers. The detection method was implemented on top of Bro, which is a passive traffic analyzer that examines all traffic in order to detect any signs of malicious activity.
To detect if the connection is destined to Tor network, the researchers checked if the connection was established via a host from their predefined list of network servers, therefore they checked the source IP address through the is_local_addr function, which would return true if an address matches one of the defined local networks, or false if not. Thereafter, they checked if the destination IP address is present in t_tor_server table, which includes all publically published IP addresses of Tor servers. When a match is found, the connection is established to TOR network, but, before an alert can be raised, the researchers have to check if the source IP address does not exist in the t_suppress_tor_alert table, whose main purpose is to suppress the alerts to one alert about the same IP address (same Tor client) per day.
An alert email is then sent about Tor connection detection to RT (Request Tracker) where the network security team can undergo additional forensics and react to it. This detection method is one of other detection methods used in advanced persistent threat (APT) attack life cycle. The output of this detection method will be matched with the outputs of other detection methods to raise an alert on APT attack detection and identify malicious forms of traffic.
Results of the proposed method:
The researchers used their proposed method to monitor the campus real-time traffic for Tor connections. A log file for detected Tor connections was set up. Also, the researchers set up a server to host their detection method and passively analyze the campus live traffic. The analysis set up was used to monitor Tor traffic for one whole month. The list of hosts communicating via Tor were correlated with the results obtained via the domain flux detection method. This set up detected 24 hosts using Tor and 31 hosts using domain flux. Of those, 13 hosts were identified to use Tor as well as domain flux, which means that they were infected with malware. The researchers also applied their proposed methodology on packet capture (pcap) files which include real and long-lived forms of malware traffic, and they managed to prove that the methodology is effective in identifying malware activities over the Tor network.
The research presented a methodology for identifying malware traffic transmitted over the Tor network. The proposed methodology, which relies on a list of Tor servers, has proven to be effective in identifying malicious traffic in a campus live traffic network setting. The researchers suggested correlating the output of their proposed detection method with the outputs of other detection methods in future research in order to raise an alert for APT attack detection.