Abstract
During 2013 the Tor network had a massive spike in new users as a botnet started using Tor hidden services to hide its C&C (Command and Control) servers. This resulted in network congestion and reduced performance for all users. Tor hidden services are attractive to botnet herders because they provide anonymity for both the C&C servers and the bots. The aim of this paper is to present a superior way that Tor hidden services can be used for botnet C&C which minimises harm to the Tor network while retaining all security benefits.
Notes
While the specification [12] states that the time should be rounded down to the nearest hour, this is not always done in practice.
Note that once they are implemented, V3 hidden services will not require this step, as a .onion address will consist of the hidden service's whole public identity key encoded in base32. There will therefore be no danger of hash collisions, as there is with the current hidden service address scheme.
References
[1] arma: [Tor Blog] How to Handle Millions of New Tor Clients. https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients (2013). Accessed 05 Sept 2013
[2] Daswani, N., Stoppelman, M.: The anatomy of Clickbot.A. In: Proceedings of the First Workshop on Hot Topics in Understanding Botnets (HotBots '07), pp. 11–11. USENIX Association, Berkeley (2007). http://dl.acm.org/citation.cfm?id=1323128.1323139
[3] Hopper, N.: Protecting Tor from botnet abuse in the long term. Tech. Rep. 2013-11-001, The Tor Project (2013). https://research.torproject.org/techreports/botnet-tr-2013-11-20
[4] Mathewson, N.: Next-Generation Hidden Services in Tor [Draft]. https://gitweb.torproject.org/torspec.git/blob_plain/398c01be40f957c07d23b4ef6192214aee505703:/proposals/224-rend-spec-ng.txt (2013). Accessed 23 June 2014
[5] msft-mmpc: Mevade and Sefnit: Stealthy Click Fraud. http://blogs.technet.com/b/mmpc/archive/2013/09/25/mevade-and-sefnit-stealthy-click-fraud.aspx (2013). Accessed 03 Aug 2014
[6] msft-mmpc: Tackling the Sefnit Botnet Tor Hazard. http://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx (2014). Accessed 03 Aug 2014
[7] Nazario, J.: BlackEnergy DDoS Bot Analysis. Arbor Networks, Burlington (2007). http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf
[8] Protect the Graph: Sefnit is Back. https://www.facebook.com/notes/protect-the-graph/sefnit-is-back/1448087102098103 (2014). Accessed 03 Aug 2014
[9] Stock, B., Göbel, J., Engelberth, M., Freiling, F.C., Holz, T.: Walowdac: analysis of a peer-to-peer botnet. In: 2009 European Conference on Computer Network Defense (EC2ND), pp. 13–20. IEEE (2009)
[10] The Tor Project: Tor Metrics. https://metrics.torproject.org/ (2014). Accessed 08 July 2014
[11] The Tor Project: Tor Project: Anonymity Online. https://www.torproject.org/ (2014). Accessed 09 July 2014
[12] The Tor Project: Tor Rendezvous Specification. https://gitweb.torproject.org/torspec.git/blob_plain/7901fc11a9ecc6e857bf860fecb5ed25bd073378:/rend-spec.txt (2014). Accessed 23 June 2014
Cite this article
Kang, L. Efficient botnet herding within the Tor network. J Comput Virol Hack Tech 11, 19–26 (2015). https://doi.org/10.1007/s11416-014-0229-4
DOI: https://doi.org/10.1007/s11416-014-0229-4