Honey Onions: Exposing Snooping Tor HSDir Relays

Tor is a widely used anonymity network that protects users’ privacy and identity from corporations, agencies and governments. However, Tor remains a practical system with a variety of limitations which can be subverted [1]. In particular, Tor’s security relies on the fact that a substantial number of its nodes do not misbehave. Previous work showed the existence of malicious participating Tor relays. For example, there are some Exit nodes that actively interfere with users’ traffic and carry out man-in-the-middle attacks. In this work we expose another category of misbehaving Tor relays (HSDirs), which are integral to the functioning of the hidden services and the dark web. The HSDirs act as the DNS directory for the dark web. Because of their nature, detecting their malicious intent and behavior is much harder. We introduce the concept of honey onions (honions), a framework to detect misbehaving Tor relays with HSDir capability. By setting up and deploying a large scale honion over Tor for more than 72 days, we are able to obtain lower bounds on misbehavior among HSDirs. We propose algorithms to both estimate the number of snooping HSDirs and identify them, using optimization and feasibility techniques. Our experimental results indicate that during the period of our work at least 110 such nodes were snooping information about hidden services they host. We reveal that more than half of them were hosted on cloud infrastructure and delayed the use of the learned information to prevent easy traceback. Furthermore, we provide the most likely geolocation map of the identified snooping Tor HSDirs.

I. HONION GENERATION & DETECTION

In this work, we introduce the concept of honey onions (honions), a framework to expose when a Tor relay with HSDir capability has been modified to snoop into the hidden services that it currently hosts.
We developed several tools to automate the process of generating and deploying honions in a way that they cover a significant fraction of HSDirs. A key constraint in this process was to minimize the number of deployed honions. This derives primarily from our desire to not impact the Tor statistics about hidden services, especially given the recent surge anomaly (Figure 1). By considering the number of HSDirs (approximately 3000), we could infer that to cover all HSDirs with 0.95 probability, we need to generate around 1500 honions. We decided on three schedules, namely daily, weekly and monthly, to allow us to detect different snooping behaviors. The daily schedule allows us to detect malicious HSDirs who visit honions shortly after hosting them. The weekly and monthly schedules enable us to detect more sophisticated snoopers who delay their visits to avoid identification.

Fig. 1: Recent unexplained surge in the number of Hidden Services.

HOnion back end servers: Each honion corresponds to a process that is running locally. The server behind hidden services should not be running on a public IP address, to avoid de-anonymization. We also log all the requests that are made to the server programs and the time of each visit. Recording the content of the requests allows us to investigate the snoopers’ behavior and intent.

HOnions generation and deployment schedule: To keep the total number of honions small, we decided on three schedules for their generation and placement: daily, weekly, and monthly. The three schedules allow us to detect the malicious HSDirs who visit the honions shortly (less than 24 hours) after hosting them. Since the HSDirs for hidden services change periodically, more sophisticated snoopers may wait for a longer duration of time, so they can evade detection and frame other HSDirs.
Identifying snooping HSDirs: Based on the visited hidden service, the time of the visit, and the HSDirs that have been hosting the specific onion address prior to the visit, we can mark potentially malicious and misbehaving HSDirs. Then, we add the candidates to a bipartite graph, which consists of edges between HSDirs and the visited honions. The analysis of this graph allows us to infer a lower bound on the number of malicious HSDirs as well as specific snoopers. Figure 2 depicts the architecture of the system.

HOnion Visit Graph Formation: In the following we first introduce a formal model and notation for the Honey Onions
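The visit-graph analysis described above, as an added illustration rather than the paper's own code: every visited honion implies that at least one HSDir that hosted it before the visit snooped, so the smallest set of HSDirs that explains all visits (a minimum hitting set over the bipartite graph) is a lower bound on the number of snoopers, and HSDirs present in every minimum solution are identified with certainty. The hosting records and relay names below are constructed placeholders; the exhaustive search stands in for the optimization/feasibility solvers the paper uses at scale.

```python
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample records (not from the paper): for each visited honion,
# the HSDirs that hosted its descriptor before the logged visit. Names are
# placeholders; real entries would be 40-hex-character relay fingerprints.
HOSTING_BEFORE_VISIT: Dict[str, Set[str]] = {
    "honion-01": {"hsdir-A", "hsdir-B", "hsdir-C"},
    "honion-02": {"hsdir-A", "hsdir-D"},
    "honion-03": {"hsdir-B", "hsdir-E"},
    "honion-04": {"hsdir-A", "hsdir-F"},
    "honion-05": {"hsdir-E", "hsdir-G"},
    "honion-06": {"hsdir-B", "hsdir-C"},
}


def build_visit_graph(hosting: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Bipartite graph as adjacency HSDir -> set of visited honions it hosted."""
    graph: Dict[str, Set[str]] = {}
    for honion, hsdirs in hosting.items():
        for h in hsdirs:
            graph.setdefault(h, set()).add(honion)
    return graph


def min_snoopers(hosting: Dict[str, Set[str]]) -> Tuple[int, List[FrozenSet[str]]]:
    """Smallest number of HSDirs that can explain every visit, plus all
    explanations of that size. Exhaustive over subset size k, so only for
    small graphs; the lower bound is exact for the given records."""
    hsdirs = sorted({h for hosted in hosting.values() for h in hosted})
    for k in range(1, len(hsdirs) + 1):
        solutions = [frozenset(c) for c in combinations(hsdirs, k)
                     if all(hosted & set(c) for hosted in hosting.values())]
        if solutions:
            return k, solutions
    return 0, []


def identify_snoopers(hosting: Dict[str, Set[str]]):
    """Lower bound, HSDirs in every minimum explanation (identified snoopers),
    and HSDirs in some but not all of them (unresolved suspects)."""
    k, solutions = min_snoopers(hosting)
    if not solutions:
        return 0, frozenset(), frozenset()
    certain = frozenset.intersection(*solutions)
    suspects = frozenset.union(*solutions) - certain
    return k, certain, suspects


if __name__ == "__main__":
    print(identify_snoopers(HOSTING_BEFORE_VISIT))  # (3, {hsdir-A}, {B, C, E, G})
```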

[1] Stefan Lindskog, et al. Spoiled Onions: Exposing Malicious Tor Exit Relays, 2014, Privacy Enhancing Technologies.

[2] Guevara Noubir, et al. OnionBots: Subverting Privacy Infrastructure for Cyber Attacks, 2015, 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[3] Guevara Noubir, et al. HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs, 2016.