More than 100 malicious Tor Hidden Services Directories (HSDirs) were found to be snooping on the services they host, and in some cases, operators were actively using the data collected to attack the services.
While, at first blush, the discovery would seem to put another dent in the privacy and anonymity aspects so heavily associated with the Tor network, project representatives say it’s been an “ongoing annoyance” and one that has been addressed in an upcoming design. Developer Sebastian Hahn said code has been written, but a release date is still to be determined. Tor representatives also downplayed the attack, saying, for example, that it does not unmask the operator behind a hidden service, which has long been a law enforcement and intelligence agency goal.
The discovery of the snooping services is the work of researchers Amirali Sanatinia, a computer science PhD student at Northeastern University in Boston, and Guevara Noubir, professor at the College of Computer and Information Science at Northeastern. They are scheduled to present their paper “HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs” next week at DEF CON.
The paper describes a framework called Honey onions (HOnions) developed by Sanatinia and Noubir that detects and identifies malicious HSDirs.
The researchers ran their framework in separate daily, weekly and monthly trials between Feb. 12 and April 24 and found 110 malicious HSDirs, most located in the United States, Germany, France, United Kingdom and the Netherlands. The HOnions expose Tor relays with HSDir capabilities that have been modified to snoop on hidden services; the Tor Project estimates there are about 3,000 HSDirs on its network. These directories contain relay information that is used to reach .onion domains while still maintaining a user’s anonymity.
“What the attack allows you to do is learn about the existence of a hidden service,” Tor’s Hahn said. “This does not mean that the identity of the operator is revealed or anything catastrophic like that.”
Hahn said that Noubir’s and Sanatinia’s attack essentially snoops a hidden service’s metadata and tells the attacker that a service exists and when it’s available.
“Just like the address of your house is metadata, the address of a hidden service is the same,” Hahn said. “It is data that is only important to allow the Tor network to connect users with the hidden service, but not otherwise meaningful.”
Noubir told Threatpost that the hidden services directories they’ve labeled as malicious could be run by anyone from researchers studying the dark web, to law enforcement or state agencies investigating or trying to block dark web sites.
“At this stage, hard to tell who is doing what,” Noubir said. “What we could see is there is some diversity in what they are doing. Some are attacking these hidden services, or in some way collecting information about them.”
The researchers said that more than 70 percent of the malicious HSDirs they discovered are hosted on cloud infrastructure, and a quarter are also exit nodes, which is well above the average of 15 percent of all relays. The fact these services are hosted on cloud infrastructure makes it difficult to learn who is behind them. Some of the cloud-based accounts have little to no contact information, or are paid for in Bitcoin, reducing the paper trail behind them. Hahn said the number of exit nodes associated with this research is a bit surprising and could be an indicator that the operators didn’t take necessary care because being an exit is the default configuration.
“The way we’re working on it for the future is by using a stronger cryptographic protocol that does not allow the Tor servers involved in the regular operation of the network to see a portion of the metadata about hidden services,” Hahn explained about the upcoming mitigation.
Those who are snooping, Noubir said, are trying to learn information about the service such as the .onion address where it lives. The paper explained how an attacker could use this information to build a list of potential targets to launch subsequent web-based attacks against hidden services.
“They’re trying to look inside the .onion domain and carry out user enumeration or run cross-site scripting attacks, typical attacks you’d see against regular websites which are maybe more interesting in this context,” he said. “If you’re running a hidden service, you don’t want to be discovered.”
One snooping directory, the paper said, queried a server hourly for the Apache server-status page, which is provided by Apache’s mod_status module. Others carried out XSS, SQL injection and path traversal attacks.
To run their investigation, Noubir and Sanatinia used Honey Onions, a hidden service honeypot, to detect these malicious services. They ran 1,500 at a time—either on a daily, weekly, or monthly basis—with each corresponding to a process running locally that would log visits from these HSDirs. In the paper, the researchers said that most of the 40,000 visits they logged were automated and queried the root path of the server, but they did detect manual probing in about 20 percent of those requests. Some of the snoopers, for example, would not visit a service immediately after hosting it, in order to avoid suspicious behavior that could be detected.
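As an added illustration of the honeypot logic described above (this is not the researchers’ code), the script below takes a constructed visit log from unpublished honey onions, labels each request as an automated root-path fetch or one of the probe types the article names, and then applies a simple greedy set-cover heuristic (an assumption added here, not necessarily the paper’s identification method) to pick the smallest set of HSDirs that could explain every visited honion. The log format, honion names, HSDir names and the mapping of honions to the HSDirs that held their descriptors are all hypothetical.

```python
import re
from collections import Counter
# Constructed honey-onion visit log (not real data), one "<honion> <path>" per line. A honion's
# address is never published, so any visit at all means an HSDir holding its descriptor leaked it.
SAMPLE_LOG = """\
honion-01 /
honion-01 /server-status
honion-02 /
honion-02 /../../etc/passwd
honion-03 /login?user=admin'%20OR%20'1'='1
honion-04 /
"""

# Hypothetical mapping: the HSDirs that stored each honion's descriptor when it was published.
RESPONSIBLE_HSDIRS = {
    "honion-01": {"hsdir-A", "hsdir-B"},
    "honion-02": {"hsdir-B", "hsdir-C"},
    "honion-03": {"hsdir-D", "hsdir-E"},
    "honion-04": {"hsdir-A", "hsdir-F"},
}

PROBE_PATTERNS = {
    "mod_status": re.compile(r"^/server-status"),
    "path_traversal": re.compile(r"\.\./"),
    "sqli": re.compile(r"(%27|')(%20|\s)*or(%20|\s)", re.I),
}

def classify(path):
    """Root-path fetches are automated crawls; a matching signature indicates targeted probing."""
    if path == "/":
        return "automated-root"
    return next((name for name, p in PROBE_PATTERNS.items() if p.search(path)), "other")

def parse_log(text):
    """Return (honion, path, kind) triples from the log format above."""
    return [(h, p, classify(p)) for h, p in (line.split(" ", 1) for line in text.splitlines())]

def visit_summary(visits):
    """Visits per kind: the automated vs. manual-probing split the researchers report."""
    return dict(Counter(kind for _, _, kind in visits))

def suspect_hsdirs(visited, responsible):
    """Greedy set cover (heuristic added here): repeatedly take the HSDir explaining the most
    still-unexplained visited honions until all are covered; ties resolve alphabetically."""
    uncovered, suspects = set(visited), []
    while uncovered:
        candidates = sorted({d for h in uncovered for d in responsible[h]})
        best = max(candidates, key=lambda d: sum(d in responsible[h] for h in uncovered))
        suspects.append(best)
        uncovered -= {h for h in uncovered if best in responsible[h]}
    return suspects
```

In practice each honion would map to the six HSDirs responsible for its descriptor at publication time, and the cover computed over many honions is what narrows the list of suspects.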