In the deeper part of the cyberspace, there is a dark and little-known dark area. It is anonymous, hidden, and the search engine cannot search. It is difficult for the regulatory agencies to touch. It is the “dark net.”

The dark network collectively refers to the network that can only be connected by special software, special authorization, or special settings for the computer. The contents of the dark network, such as Tor, I2P, etc., cannot be found using a general browser and a search engine.

It is precisely because of the high degree of anonymity and virtual nature that under the supervision of law and public opinion, the dark network has become a black market on the Internet. It clearly lists various criminal services, and various ethnic groups are engaged in various illegal transactions. Unrestricted information disclosure and fraud are flooding them.

Moreover, the dark network is also used to transmit sensitive information such as politics and economy, and to carry out cyber attacks, even crimes that endanger national security. These risks have always threatened the security of society, enterprises and the state.

In the middle of this year, we released the darknet research report for the first half of 2018. Let’s take a look at the “real” dark net.

——– Text segmentation line ——–


1 basic concept


1.1 Deep web/Dark web/Darknet

Before talking about the dark network, you need to understand the three words “Deep web”, “Dark web” and “Darknet”. Although the media may use them alternately, they actually represent distinct and relevant Internet segments.

“Deep web” refers to pages and services on the server that can be accessed through standard web browsers and connection methods, but these pages and services are not included in mainstream search engines. Search engines do not include deep webs, usually because of incorrect configuration of the website or service, denial of crawling crawling information, need to pay for viewing, registration check or other content access restrictions.

“Dark web” is a relatively small part of a deep web, related to web services and pages that are intentionally hidden. These services and pages cannot be accessed directly using standard browsers and must rely on the Overlay Network, which requires specific access rights, proxy configuration, proprietary software, or special network protocols.

“Darknet” is a framework with limited access at the network layer, such as Tor or I2P. Private VPNs and mesh networks also fall into this category. Network traffic through these frameworks will be blocked. When data is transferred, only the dark network you are connected to and how much data you transfer is displayed, not necessarily the content of the website you are visiting or the data you are referring to. In contrast, it interacts directly with Clean Net or with unencrypted surface network services and deep network services. In this case, the Internet Service Provider (ISP) and network operator between you and the requested resource can see the traffic content you are transmitting.


1.2 The composition of Dark Web

The dark network can only be accessed through networks such as Tor (The Onion Routing) and I2P (Invisible Internet Project).

Tor, also known as the Onion Network, is software for anonymous communication. The name comes from the acronym of the original software project name “The Onion Router”. The Tor network consists of more than 7,000 relay nodes, each relay node. All are provided free of charge by volunteers around the world, and transit through layers of relay nodes to achieve the purpose of hiding the user’s real address and avoiding network monitoring and traffic analysis.

The I2P network is a surface layer network composed of I2P routers with onion routing. The applications created on them can communicate with each other securely and anonymously. It can use both UDP and TCP protocols and supports UPnP mapping. Applications include anonymous Internet access, chat, website building and file transfer.

By knowing the real-time monitoring data of Chuangyu’s “dark-net radar”, the Tor network has about 120,000 onion addresses, and the I2P network public address book has only about 8,000 addresses. The volume is relatively small compared to the Tor network. many.


2 Status of the dark network


2.1 Tor global relay node distribution

As of July 31, 2018, we have statistics on the distribution of global relay nodes. There are a total of 17,635 relay nodes in the world, of which 6386 are running, their average bandwidth is 5.33MB/s, and the maximum bandwidth is 99MB. /s; North America and Europe have more bandwidth than other regions; most of the relay nodes are distributed in North America and Europe, and only six in Hong Kong, China.


Therefore, it can be concluded that the size of the dark network is much smaller than that of the watch network. The bandwidth of the Tor network node is not enough to support the large network traffic. The “iceberg metaphor” of the dark media and the watch network is somewhat exaggerated. .


2.2 Tor network statistics

According to statistics from Tor’s official project, the peak number of onion addresses (version 2 only) in the first half of 2018 was 121,078.


The number of users of the Tor network from China averages 1,159 per day. The peak period is May 5, 2018, reaching 3,951. Most Chinese users of the dark network use the Jet type to access the Tor network.


For about 120,000 dark network domain names, we conducted in-depth research and concluded:

  • Onion domain name survives about 12,000 daily, accounting for only 10% of the total;
  • Onion v2 type domain name has 121451, v3 type domain name only 379;
  • The daily average number of hidden nets is 30;


2.3Tor dark network main category


By knowing the monitoring of Chuangyu’s “dark-net radar”, we classify the dark nets into 12 categories, as shown in the above figure. By integrating the titles of the various independent domain names, the keywords in the website title are extracted. The frequency of occurrence, generating a word cloud:

  • Commercial categories account for 18.98%; including trading markets, self-operated stores, third-party hosting platforms (website guarantees); most of the symbols are credit cards, guns, drugs, passports, electronic products, counterfeit, euro bills, Amazon gift cards, decryption services , killer services, bitcoin money laundering services, etc.; most websites use Bitcoin for trading.
  • Personal categories accounted for 5.90%; including personal blogs, pages, books, etc.
  • The social class accounts for 4.57%; including forums, dark web wikis, etc.
  • Other languages ​​(non-English) accounted for 3.82%;
  • Hosting classes accounted for 3.05%; mainly for the dark network service host’s propaganda station, introducing its machine performance and architecture.
  • Adults accounted for 2.87%;
  • Technology category accounted for 2.74%; sharing technology / selling hacking technology / sale 0day / exploit
  • Core websites account for 1.91%; including dark web search engines, dark web link directories, etc.
  • Communication category accounted for 1.79%; including chat room, mail service, dark network mailbox
  • Political and religious categories accounted for 1.34%; including dark network news media organizations, global WikiLeaks, party scandals, radical speech, missionary and so on.
  • Gambling category accounted for 0.46%; online casinos.
  • Other categories (art, music, landing, no content, blocked, video, etc.) accounted for 52.57%;

You can see that the words “Freedom Hosting II – hacked” occupy a high proportion in all major categories. The reason is that Anonymous attacked Freedom Hosting II, the largest Tor network hosting service provider at the time, because it provided hosting services to a large number of websites that shared child pornography. Directly causing approximately 20% of the Tor website to close.


2.4 Tor Dark Web Service Distribution

We counted the top 20 web servers. Most of the dark web sites use Nginx and Apache as web servers, and about 1% of the dark webs use Cloudflare as their DDoS protection.



2.5 Tor dark network open port distribution

Http 80 port accounted for 69.55%; smtp 25 port accounted for 23.24%; https 443 port accounted for 2.88%; ssh 22 port accounted for 1.68%.



2.6 Tor dark network language distribution

Through the machine learning analysis of the website’s title and content, we have classified the dark network into a language. There are 80 languages ​​in the Tor dark network. English is still the most popular language in the dark network, accounting for 82.02%; followed by Russian 3.77%, Danish 2.22%, German 1.73%, Latin 1.26%, Spanish 1.26%, French 1.13%, Portuguese 1.00%, Chinese 0.75%, Italian 0.60%.



3 Dark network threats

Due to the anonymous nature of the dark network, the dark network is full of fraud, illegal transactions, unrestricted information disclosure, and even crimes that endanger national security. These risks have always threatened the security of society, enterprises and the country. In the first half of 2018, there were a large number of suspected data breaches on the Internet in China, which were spread on the dark network, for example: “After a video website’s intranet permissions and thousands of user database dark network sales incidents”

  • On March 8, 2018, hackers published 15 million user data on a video site in the Dark Web Forum.
  • On June 9th, 2018, the hacker released the SHLL+ intranet permission of a video website in the dark web forum and announced 300 user data.
  • In the early morning of June 13, 2018, a video website officially announced that the website was hacked, and nearly 10 million user data were leaked, reminding users to change the password.
  • 10 million student information in a province sold on the dark network
  • A courier company 1 billion express logistics data dark network for sale

A series of incidents of disclosure of private information have caused widespread dissemination and concern in the Chinese Internet.

The dark network has also become an important source of various threat intelligence information.

From the data we monitor, the dark network is still showing a slow growth trend. With the increase of the number of users of the dark network, the development of the black market and the encrypted digital currency, more hackers are carrying out various activities driven by the interests. The illegal transactions previously transmitted through the watch network (Internet) were more transferred to the dark network, and various techniques were used to avoid tracking. It has caused certain difficulties for supervision and investigation.

In the face of the growing dark-net threat, it is known that the Chuangyu 404 security research team will continue to use technical means to map dark networks, provide threat intelligence, track and counter threats from the dark network, for a better and safer Internet.

Orignal link: