– Non-DDOS attacks
Any vector that does not require a large flood of traffic could be
effectively routed through Tor. This covers most attacks with the
notable exception of DDoS. If I were trying to properly hack, not
just DoS, Deflect – I would use Tor.
– C&C functions
Probably we wouldn’t observe this, but it goes without saying the Tor
can be used for communicating with botnet C&C. That’s what I would
do.
– Monitoring of site availability and other DDoS-related functions
Before and during an attack, it must be of interest to monitor the
availability of the target site. Tor could be useful here… maybe I
would use it to monitor the attacked site.
– Regular browsing by Tor users
In any attempt to monitor Tor traffic to alert us to an immanent
attack, care must be taken to filter out normal traffic as much as
possible. ML or significance algorithms would probably do the job
best. Sniffles may also provide inside: an increase in Tor traffic
to ports other than 80/443 might be adequate without further
computation.
– Actions for more detailed research:
o Install license for Elastic Graph which arrived today to facilitate
significance analysis o Get sniffles online and see what we can see
(following a subsequent, ie monitored, attack) o Apply significance
or other analysis to Tor traffic patters in and out of proximity to
an attack
CASE STUDY: BLM
The first image shows banjax bans for blacklivesmatter.com on top, and
torified traffic to blacklivesmatter.com on the bottom, both over the
last 8 weeks.
Again, the second image shows banjax bans for blacklivesmatter.com on
top, and torified traffic to blacklivesmatter.com on the bottom, but
zoomed in to a period approximately 1 week before and 1 week after the
large spike in bans.
Some observations:
– There appears to be a sharp uptick in Tor traffic adjacent to the
incident
– Torified traffic continues long after the attack appears to have
ended: perhaps we are looking at a coincidence, or perhaps another
attack is being planned/prepared, or perhaps both.
– The number of banned IPs is two orders of magnitude larger than the
number of torified hits (note that unique IPs is a more or less useless
metric for torified traffic, and also that the total hits *from* the
banned IPs above will be quite a bit larger than the number of banned
IPs)
– The number of banned IPs is, in fact, far larger than the number of
Tor exit nodes.
Caveats:
– BLM have not been with us long
– Only one site is analysed here, superficially
– We are looking at traffic to ports 80/443 which is not filtered by
our providers
QUICK CASE 2: www.btselem.org
A small uptick in bans corresponding with a large spike in torified
traffic. Then a large uptick in bans, with no corresponding increase
in torified traffic. The attack appears to either subside or be
successfully blocked, then another smaller attack occurs – this time
with a simultaneous uptick in torified traffic. Hard to draw
conclusions, but not inconsistent with the theory that a correlation
may exist. A clear lesson from this is example, IF a correlation is
proven or assumed, is that time between a spike in torified probing and
an actual DDoS will vary.
USELESS AGGREGATE GRAPHS:
Without separating by HTTP Host (or anything else), the data is mushed
into useless noise.
