So to recap, Part 1 of this subject covered the deep web and its relationship to analytics, and the dark web and its relationship to nefarious activity in brief. As part of this week’s fun, I thought I would introduce you to Daisake Inoue. I met him several years ago at a VisWeek conference and was impressed with a design he and his team created. Daisake created a system called Daedulus to interface with JP-CERT’s (Computer Emergency Response Teams- Japan) Nicter.

Here is Daedulus: NICT Daedalus Cyber-Attack Alert System

You’ll see Daisake politely showing off his skillz almost immediately. The center sphere represents the internet as a focal point (not an empirical representation) and then traffic (at the packet level) extends to satellite rings circling the internet. One ring lists the DNS (Domain Name Server), the rest are port numbers (80, 50, etc.), with the inner portion of the ring representing IPs accessing the DNS via ports and tracking incoming IP addresses from the internet. You’ll note some rings have black areas. That’s where unused IP addresses reside. “Dark web” bounces. It’s a bounce in on unused addresses and then bounce out to a live site. In summary, there are systems out there than can track this behavior. Before we move on to Hyperboria, lets look at one more case study.

This one was conducted by Philipp Winter and Stefan Lindskog at Karlstad University, appropriately titled “Spoiled Onions”. They created an exit relay scanner to determine if they could isolate patterns within relay behavior. They knew from observation that some do more work than others (probably dedicated relays) and sought to expose relays used to launch malicious attacks against non-Tor users, essentially using Tor as a primitive bot-net and circumventing the BadExit flag (for all you dorks out there).

Wired did a piece on this and they outed which relays dominated the malicious attack table. To no one’s surprise, it was Russia. I’m sure most of you suspected the USA did this, because after all, Edward Snowden  and Glen Greenwald said so. In fact, if you look closely at the largest attackers on Nicter, you’ll see the PRC and Russia are the largest attackers. No surprise here either.

Now…why in the world would the NSA need to monitor all this activity? It’s all benign right? Poor down-trodden average people who need to escape their governments use Tor. Not one bad thing comes from decentralized state-usurping collectivism. The sad thing is, about 10% of the people on this site are likely using a “zombie,” a bot used in a bot-net attack.  Despite your AV programs.  Food for thought.