Tor connections to hidden services could be easy to de-anonymize

It's safer to access Internet websites over Tor than hidden services, researchers said

Identifying users who access Tor hidden services -- websites that are only accessible inside the Tor anonymity network -- is easier than de-anonymizing users who use Tor to access regular Internet websites.

Security researchers Filippo Valsorda and George Tankersley showed Friday at the Hack in the Box security conference in Amsterdam why Tor connections to hidden services are more vulnerable to traffic correlation attacks.

One of Tor's primary goals is to provide anonymity for Internet users. This is achieved by routing their Web traffic through a circuit of three randomly chosen nodes, or relays, before passing it back onto the public Internet, so that no single relay learns both who the user is and where the traffic is going.

The nodes that make up the Tor network are run by volunteers and they can have specialized roles. There are nodes called entry guards that serve as the first hop onto the network, middle relays that forward traffic inside it, and exit relays that pass the traffic back onto the Internet.

Internet servers that receive traffic from Tor users won't see the real IP (Internet Protocol) addresses of those users. What they'll see will be the IP addresses of randomly chosen Tor exit nodes.

The Tor hidden service protocol extends the anonymity protection to servers as well. It is designed so that users connecting to a Tor hidden service, such as a website, cannot learn the real IP address of the server that runs it.

Hidden services use addresses that end in .onion, a pseudo top-level domain that doesn't exist on the Internet and only resolves inside the Tor network. This anonymity protection for both servers and users makes hidden services attractive to political activists in countries where free speech is not well protected or where Internet surveillance is common, but also to criminals who use such websites to hide their activities from law enforcement.

The infamous online bazaar Silk Road where users sold drugs, arms and other kinds of illegal goods and services, operated as a Tor hidden service. The FBI eventually shut it down and arrested its owner, but other similar marketplaces have taken its place.

The biggest threat to the Tor network, and one that is inherent in its low-latency design, is its vulnerability to traffic confirmation or correlation attacks. If an attacker can observe both ends of a connection, for example by controlling or monitoring enough entry guards and exit relays, they can match the timing and volume of traffic entering and leaving the network and determine which users visited which websites.

The Tor developers closely monitor exit relays and remove bad ones from the network, so it's relatively hard for someone to pull off such an attack. In addition, if an attacker wants to identify Tor users visiting a specific Internet website, they would have to control a very large share of entry and exit relays to have a reasonable chance of success, since the exit relay is chosen afresh for every circuit and the attacker cannot predict which ones a given user will pick.

That's not the case with Tor hidden services. In fact, attackers could quite easily, and with 100 percent reliability, take control of every directory position through which Tor users locate a specific hidden service, at least for a period of time.

Tor hidden services rely on relays with a special HSDir (hidden service directory) flag to publish their descriptors, the documents that tell a client how to reach the service, so that they can be discovered by users. Each day every hidden service publishes its descriptor to six HSDir relays: two descriptor IDs are derived per day, and each is stored on the three relays whose fingerprints immediately follow that ID in a hash ring ordered by relay fingerprint. The selection is made from a pool of around 4,000 HSDir relays using a predictable formula that depends only on the service's .onion address, the date and the replica number.

With this formula both a Tor client and a Tor hidden service compute the same six HSDirs on a particular day, and anyone who knows the .onion address can compute them ahead of time. The researchers found that they could brute-force relay identity keys whose fingerprints land just after the target's descriptor IDs in the ring, so that their own relays take up those six directory positions for a chosen day.

The researchers managed to place their own nodes as the 6 HSDirs for facebookcorewwwi.onion, Facebook's official site on the Tor network, for the whole day on Thursday. They still held 4 of the 6 spots on Friday.

Brute-forcing the key for each node took only 15 minutes on a MacBook Pro and running the Tor relays themselves cost US$62 on Amazon's EC2 service.

New nodes receive the HSDir flag automatically after being up for around five days and attackers could set up nodes to become the HSDirs for a particular hidden service for the next five days with around US$200, the researchers estimated.

This technique gives attackers control over one end of the connection: every client looking up the service fetches its descriptor from a relay the attacker runs. To perform a traffic correlation attack, the attacker would also need visibility into the other end, the point where the user's traffic enters the Tor network. That can be achieved by someone who can monitor users' traffic before it reaches their entry guard, such as the user's ISP.

For example, a government monitoring its Internet users through ISPs could use this attack to perform traffic analysis and determine who visited a dissident site hosted on Tor. A law enforcement agency could do the same with the help of ISPs to identify who is visiting an illegal website that runs as a Tor hidden service.

The goal of the two researchers was to prove that "hidden service users face a greater risk of targeted de-anonymization than normal Tor users," because it's much easier to reliably control all HSDirs for a specific hidden service than to control all Tor exit relays that might be used to access a website.

Runa Sandvik, a security researcher and former Tor developer who was at the conference, agreed that it's technically easier to pull off such an attack than to monitor Tor exit traffic, but pointed out that the Tor Project is aware of the issue and has been working on a fix for some time.

There is a proposal for the next generation of hidden services that will address not only this problem, but also other potential issues, Sandvik said. In the meantime, the Tor developers have tools that can detect relays trying to attack users of Tor hidden services, she said.

A change in Tor that will be implemented soon will make it harder for new nodes to become HSDirs by forcing them to obtain the Stable flag first, Valsorda and Tankersley said. This will require nodes to be online for a longer period of time before they can become HSDirs, so it will make the attack more expensive, but not technically harder to pull off, they said.

While users can't do much to defend themselves against this, the operators of Tor hidden services do have one option: they could run the attack themselves so that their own relays become the HSDirs for their own hidden service.

This won't prevent others from trying to take over the directory positions, because the attack is essentially a race: whoever runs the relays with fingerprints closest after the descriptor IDs wins the slots. However, if that happens the operator will see their own relays being displaced, so it will be very easy to detect that an attack is going on, the researchers explained.
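The descriptor-ID formula and hash-ring lookup described earlier, the brute-force step, and the self-check an operator who runs their own HSDirs can make, as an added example in Python. It is not the researchers' released tool, not code from the page and not Tor's own implementation; it follows Tor's rend-spec for v2 hidden services, the design in use in 2015. The relay identity digests are random 20-byte values standing in for SHA-1 of a relay's RSA identity key, the consensus of 4,000 relays is constructed, and the timestamp, random seed and helper names (`demo`, `foreign_hsdirs`, `_in_arc`) are this example's assumptions, not anything from the page.

```python
import base64
import bisect
import hashlib
import random
from typing import List, Tuple

REPLICAS = 2   # hs_dir_n_replicas: two descriptor IDs per service per time period
SPREAD = 3     # hs_dir_spread: relays per replica, so 2 x 3 = 6 HSDirs in total


def permanent_id(onion: str) -> bytes:
    """The 10-byte permanent ID is the base32-decoded 16-character .onion label."""
    label = onion.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    return base64.b32decode(label.upper())


def time_period(perm_id: bytes, now: int) -> int:
    """Day counter, offset by the first permanent-ID byte so that not every
    service rotates its HSDirs at 00:00 UTC (rend-spec v2)."""
    return (now + (perm_id[0] * 86400) // 256) // 86400


def descriptor_id(perm_id: bytes, period: int, replica: int) -> bytes:
    """descriptor-id = SHA1(permanent-id | SHA1(time-period | replica)) with a
    4-byte big-endian period and a 1-byte replica; no descriptor cookie, i.e.
    a public hidden service such as facebookcorewwwi.onion."""
    secret_id_part = hashlib.sha1(period.to_bytes(4, "big") + bytes([replica])).digest()
    return hashlib.sha1(perm_id + secret_id_part).digest()


def responsible_hsdirs(desc_id: bytes, ring: List[bytes]) -> List[bytes]:
    """The SPREAD relays whose identity digests immediately follow desc_id on the
    ring of HSDir-flagged relays (sorted by digest, wrapping past the top)."""
    i = bisect.bisect_right(ring, desc_id)
    return [ring[(i + k) % len(ring)] for k in range(SPREAD)]


def all_hsdirs(onion: str, ring: List[bytes], now: int) -> List[bytes]:
    """The six relays that a client and the service both compute for this period."""
    perm = permanent_id(onion)
    period = time_period(perm, now)
    return [r for replica in range(REPLICAS)
            for r in responsible_hsdirs(descriptor_id(perm, period, replica), ring)]


def _in_arc(start: bytes, x: bytes, end: bytes) -> bool:
    """True if x lies strictly between start and end going clockwise on the ring."""
    if start < end:
        return start < x < end
    return x > start or x < end          # the arc wraps past the top of the ring


def brute_force_fingerprints(desc_id: bytes, ring: List[bytes],
                             rng: random.Random) -> Tuple[List[bytes], int]:
    """Draw candidate identity digests until SPREAD of them fall between desc_id
    and the first existing relay after it: relays with those digests become the
    responsible HSDirs once they earn the flag. Returns the digests and trials."""
    first_honest = responsible_hsdirs(desc_id, ring)[0]
    found, trials = [], 0
    while len(found) < SPREAD:
        trials += 1
        cand = rng.getrandbits(160).to_bytes(20, "big")  # real attack: SHA1(new RSA key)
        if _in_arc(desc_id, cand, first_honest):
            found.append(cand)
    return found, trials


def foreign_hsdirs(onion: str, ring: List[bytes], now: int, mine: set) -> List[bytes]:
    """Operator's self-check: responsible relays the operator does not run.
    A non-empty result means someone else has raced into the positions."""
    return [r for r in all_hsdirs(onion, ring, now) if r not in mine]


def demo(seed: int = 1, n_relays: int = 4000, onion: str = "facebookcorewwwi.onion",
         now: int = 1432771200) -> Tuple[bool, List[bytes], int]:
    """Constructed consensus of n_relays random HSDir digests at a fixed timestamp
    (2015-05-28 00:00 UTC). Returns (all six captured?, attacker digests, trials)."""
    rng = random.Random(seed)
    ring = sorted(rng.getrandbits(160).to_bytes(20, "big") for _ in range(n_relays))
    perm = permanent_id(onion)
    period = time_period(perm, now)
    attacker, total_trials = [], 0
    for replica in range(REPLICAS):
        digests, trials = brute_force_fingerprints(
            descriptor_id(perm, period, replica), ring, rng)
        ring = sorted(ring + digests)     # the attacker's relays join the consensus
        attacker += digests
        total_trials += trials
    captured = set(all_hsdirs(onion, ring, now)) <= set(attacker)
    return captured, attacker, total_trials


if __name__ == "__main__":
    captured, attacker, trials = demo()
    print(f"all six HSDir positions captured: {captured} after {trials} digest trials")
    print("fingerprints:", ", ".join(d.hex().upper() for d in attacker))
```

Running the block reports whether the six positions were captured and how many candidate digests it took. With about 4,000 relays each hit costs roughly 4,000 trials, which is instant with random bytes but becomes the 15-minute search the researchers describe when every trial is a freshly generated RSA relay key. Because `time_period` depends only on the date and the first byte of the permanent ID, the positions for a future day can be computed before the relays have aged into the HSDir flag. `foreign_hsdirs` is the operator's side of the race: an empty list means the operator still holds all six positions, and any entry is a relay someone else has slid in ahead of theirs.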

They released the brute-force tool they created for the attack on GitHub, as well as a separate HSDir analysis tool that can potentially detect such attacks.

Stories by Lucian Constantin
