The Tor anonymity network continues to grow and that can be a good thing, but over a 72-day time frame, two researchers found at least 110 “misbehaving” and potentially malicious hidden services directories (HSDirs).
An HSDir is a Tor node that receives descriptors for hidden services (servers configured to accept inbound connections only through Tor, so that their IP address and network location stay hidden) and, on request, directs users to the hidden services it “knows” about.
Anybody can set up an HSDir and start logging all hidden service descriptors published to their node.
“Tor’s security and anonymity is based on the assumption that the large majority of its relays are honest and do not misbehave. Particularly the privacy of the hidden services is dependent on the honest operation of hidden services directories (HSDirs),” Northeastern University Professor Guevara Noubir and Ph.D. student Amirali Sanatinia said in a paper.
“After the deployment of our system and based on our experimental results during the period of 72 days, we detect and identify at least 110 such snooping relays. Furthermore, we reveal that more than half of them were hosted on cloud infrastructure and delayed the use of the learned information to prevent easy traceback,” the researchers said in their paper.
“Bad” HSDirs can end up being used for a variety of attacks on hidden services, from DoS attacks to snooping on them.
They set up honey onions (honions), a framework that detects when a Tor node with HSDir capability has been modified to snoop on the hidden services it currently hosts.
To cover all or almost all HSDirs on the network, they set up 1,500 honions, which logged all requests received from the various HSDirs. By analyzing the nature and timing of these requests, they were able to identify potentially malicious HSDirs.
“Most of the visits were just querying the root path of the server and were automated. However, we identified fewer than 20 possible manual probes, because of a query for favicon.ico, the little icon that is shown in the browser, which the Tor browser requests. Some snoopers kept probing for more information even when we returned an empty page,” the researchers said.
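The detection idea behind honions, as described above (unadvertised hidden services whose descriptors sit on known HSDirs, plus classification of the requests they receive by root-only visits versus favicon.ico fetches), can be modelled in a few lines. The following is an added example written for this page, not code from the article or from the honion paper. It assumes a constructed assignment of honions to HSDirs (real Tor derives the responsible HSDirs from the descriptor ID and the relay hash ring; the relay names here stand in for fingerprints) and a constructed request log; the greedy hitting-set step is one reasonable way to explain every visit with the fewest HSDirs, not necessarily the exact method the researchers used.

```python
"""
Added example (not from the article or the honion paper): a simplified,
self-contained model of how honey onions (honions) expose snooping HSDirs.

Constructed assumptions:
- Each honion's descriptor was published to a known set of HSDirs.
  Names like "hsdir-a" stand in for relay fingerprints.
- A honion is never advertised anywhere, so any request reaching it must
  stem from knowledge held by one of the HSDirs that stored its descriptor.
- VISIT_LOG is a constructed (honion, path) list, not a real server log.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

# Constructed: HSDirs that held each honion's descriptor during the study window.
HONION_HSDIRS: Dict[str, Set[str]] = {
    "honion-1": {"hsdir-a", "hsdir-b", "hsdir-c"},
    "honion-2": {"hsdir-a", "hsdir-d", "hsdir-e"},
    "honion-3": {"hsdir-b", "hsdir-d", "hsdir-f"},
    "honion-4": {"hsdir-c", "hsdir-e", "hsdir-f"},
    "honion-5": {"hsdir-a", "hsdir-f", "hsdir-g"},
    "honion-6": {"hsdir-c", "hsdir-d", "hsdir-g"},
    "honion-7": {"hsdir-b", "hsdir-e", "hsdir-g"},
}

# Constructed request log: (honion that received the request, requested path).
VISIT_LOG: List[Tuple[str, str]] = [
    ("honion-1", "/"),
    ("honion-2", "/"),
    ("honion-2", "/favicon.ico"),   # a browser fetch, suggesting a human visitor
    ("honion-4", "/"),
    ("honion-4", "/robots.txt"),    # kept probing beyond the root path
    ("honion-5", "/"),
    ("honion-6", "/"),
]


def visited_honions(log: Iterable[Tuple[str, str]]) -> Set[str]:
    """Honions that received at least one request; none should, if nobody snoops."""
    return {honion for honion, _ in log}


def suspicion_counts(visited: Set[str], assignments: Dict[str, Set[str]]) -> Counter:
    """How many visited honions each HSDir could explain on its own."""
    counts: Counter = Counter()
    for honion in visited:
        for hsdir in assignments[honion]:
            counts[hsdir] += 1
    return counts


def suspect_hsdirs(visited: Set[str], assignments: Dict[str, Set[str]]) -> List[str]:
    """Greedy hitting set: a small set of HSDirs that explains every visit.

    Every visited honion must have at least one chosen HSDir among those that
    held its descriptor. Each round picks the HSDir covering the most still
    unexplained honions (ties broken by name for determinism).
    """
    uncovered = set(visited)
    chosen: List[str] = []
    while uncovered:
        counts = suspicion_counts(uncovered, assignments)
        best = min(counts, key=lambda d: (-counts[d], d))
        chosen.append(best)
        uncovered = {h for h in uncovered if best not in assignments[h]}
    return sorted(chosen)


def classify_visits(log: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Label each visited honion by the kind of probing seen.

    'automated'       : only the root path was requested
    'manual'          : favicon.ico was fetched, which browsers do on their own
    'further_probing' : other paths were tried even though the site is empty
    """
    paths: Dict[str, Set[str]] = {}
    for honion, path in log:
        paths.setdefault(honion, set()).add(path)
    labels: Dict[str, str] = {}
    for honion, seen in paths.items():
        if "/favicon.ico" in seen:
            labels[honion] = "manual"
        elif seen - {"/"}:
            labels[honion] = "further_probing"
        else:
            labels[honion] = "automated"
    return labels


if __name__ == "__main__":
    visited = visited_honions(VISIT_LOG)
    print("visited honions:", sorted(visited))
    print("suspicion counts:", dict(suspicion_counts(visited, HONION_HSDIRS)))
    print("suspect HSDirs:", suspect_hsdirs(visited, HONION_HSDIRS))
    print("visit classification:", classify_visits(VISIT_LOG))
```

With the constructed data, every visit is explained by `hsdir-a` and `hsdir-c` together, and no other pair of HSDirs can explain them all; with only a single visited honion the three HSDirs that held its descriptor would remain indistinguishable, which is why the study needed many honions spread over the whole HSDir set. The classification step is deliberately coarse: a favicon.ico fetch is only a hint of a browser-driven visit, and a real deployment would also use timing (when after publication the visit came) as the article notes.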
There was quite a diversity among the detected attack vectors: forced hidden-service indexing, SQL injection, username enumeration, cross-site scripting and targeting of the Ruby on Rails framework, among others.
Of the more than 110 malicious HSDirs, more than 70 percent were on cloud infrastructure, which makes identifying their operators much more difficult.
“Around 25 percent are exit nodes as compared to the average, 15 percent of all relays in 2016, that have both the HSDir and the Exit flags. This can be interesting for further investigation, since it is known that some Exit nodes are malicious and actively interfere with users’ traffic and perform active MitM attacks,” they said.
“Our experimental results indicate that during the period of the study (72 days) at least 110 such nodes were snooping information about hidden services they host,” the researchers said in their paper. “Based on our observations, not all snooping HSDirs operate with the same level of sophistication. For example, some do not visit the hosted honions immediately, to avoid detection by daily honions; our weekly and monthly honions can detect them. We believe that the behavior of the snoopers can be modeled and studied in more detail. Furthermore, we reveal that more than half of them were hosted on cloud infrastructure, making it difficult to detect malicious Tor nodes.”