The Deep Web vs. Network Security Monitoring

Friday, August 31, 2012

Dan Dieterle


We have all heard the horror stories of the Deep Web. You know, the evil internet underground where cyber criminals and sexual predators lurk.

Where boogiemen and anarchists trade secret coded messages through encrypted channels.

But is it really that bad?

(click image to enlarge)

Into the Void

The “Deep Web”, Dark Web or hidden internet, is a massive collection (some say up to 500 times the size of the regular internet) of sites and databases that don’t show up in standard search engines like Google.

One of the easiest ways to connect to this network is via Tor, which ensures data encryption and anonymity. There are several Deep web search engines and portals that are only accessible through Tor. They have long cryptic names that usually end in “.onion”.

Does the dark web stand up to it’s dark side nomenclature? Absolutely! View any of the portal entrance menus and you’ll instantly know that you are not in Kansas anymore. Criminals, hitmen, drug dealers and others openly ply their trade.

And don’t even bother putting normal “g-rated” terms into a Deep Web search engine. It most likely won’t find a response, or it will find a very deviant response for what you typed in.

So, is this a place that you want ANYONE on your corporate network to visit? NO WAY. Though many use Tor for legitimate purposes, the deep web just isn’t that kind of place. But what can you do?

Enter Network Security Monitoring

You do have a network monitoring system don’t you? If you don’t have a web proxy to control and block suspicious traffic, you can still use your network security monitoring system to catch Tor traffic.

As a test, I downloaded Talis, the Unix distro that comes all wired to run Tor out of the box. To it’s credit, it is one of the fastest tor implementations that I have seen by far. Surfing normal websites and searching with Google was relatively quick, not like the normal Tor use that I am used to on my Ubuntu or Windows systems.

I visited a couple of the “Deep Web” portals and even used the Torch search engine. Other than being painfully slow accessing these portals, I was actually able to find some legal material to use as a test! I grabbed some hardware “how-to” images and a couple goofy .pdf files.

I then pulled up my security server console to check to see if it caught anything:

(click image to enlarge)

It sure did! I received several alerts concerning my trip into the void. The traffic tripped several “known Tor node” rules. The Talis system IP address is listed along with the rule alerts. A security analyst monitoring this network could easily tell what corporate system was using the Tor network, and when they used it.

For further analysis, I grabbed the network packet capture for the session and imported it into my Netwitness Investigator program. It too detected the Tor traffic:

(click image to enlarge)

It didn’t throw an alert though, which I really thought it would. Suspicious traffic usually shows up at the top of Investigator, under “alerts”.

I did notice something else that did bother me. To be extra sure, I ran the packet capture through both Xplico, and Network Miner. The results from these backed up my initial findings.

There were no pictures… Or text documents…. Or pdf files… found in the packet capture. As a matter of fact there was 0% detected unencrypted text. Yikes!

With just standard packet capture and detection, without SSL decryption, there would be no way to determine what was viewed or downloaded from the Tor network or worse the Deep Web.


The Tor network creates an encrypted channel from your system to the Tor onion routers. The data is then bounced around several servers and then unencrypted at the exit nodes, when the packets leave the Tor network.

Though some businesses use Tor for legitimate purposes, most don’t use it at all. If your corporate users are accessing the Deep Web from work, then this could open up your network to a multitude of malicious threats. And if they are downloading questionable, illegal or copyrighted material this could put your corporation at legal risk.

Record and monitor ALL of your network traffic. This could help you detect issues before they become major problems. Block or monitor suspicious SSL traffic on your network. You may capture Bot command and control communication or someone using your network for less than legal purposes.

Cross-posted from Cyber Arms

Possibly Related Articles:
Information Security
Encryption Enterprise Security internet Search Engine Network Security Monitoring TOR Deep Web
Post Rating I Like this!
Michael Johnson I think you're confusing 'Deep Web' with the 'Dark net'. The former is merely the portion of the web that's not indexed for whatever reason, and not immediately viewable. The latter is made up of Tor, VPNs, and suchlike. Interesting article, though.

One thing I've found is the Tor metrics report massively increased traffic at specific times, and they tend to coincide with news stories related to some anti-piracy legislation or other.
Dan Dieterle "I think you're confusing 'Deep Web' with the 'Dark net'."

Wow, I completely wiffed on that! Thanks for the correction Michael. :)

And the Tor metric info, very interesting.
Carlson lson So many people are asking about these online content writing services and these essay writing wwwdelegateyourassignmentcom tips are also. That’s why I am very happy to using these all writing tips to our new users.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.