Malicious Dns Traffic In Tor: Analysis And Countermeasures

Anonymization is commonly seen as useful only for people that have something to hide. Tor exit nodes are therefore associated with malicious behaviour and especially the so-called "darknet". While the Tor network supports hidden services, and a large share of these serve illegal purposes, most of the traffic in the Tor network exits to the normal Internet and could be, and probably is, legal. We investigate this by taking a look at the DNS requests of a high-bandwidth exit node. We observe some malicious behaviour (especially DNS scans), questionable targets (both widely seen as immoral as well as very likely illegal in most countries), and careless usage. However, all these, while undoubtable undesirable, make up only a small share of the exit traffic. We then propose some additions to reduce the detected malicious use.