Security researchers discover over 100 suspicious Tor nodes snooping on traffic

Hidden service directories on dark web could be up to no good

The trust placed in the anonymous Tor network was thrown into doubt again as security researchers claimed that over 100 nodes on the dark web could be snooping on traffic as it passes through.

Around 100 malicious relays were found by researchers at Northeastern University. The scientists tracked the errant machines using honeypot .onion addresses they dubbed “honions”.

Last year, security researcher Chloe showed that some Tor exit nodes were sniffing traffic.

Northeastern University researchers tracked the traffic sent to honions and in doing so were able to identify hidden service directories (HSDirs) that were behaving in an unusual manner and were “potentially malicious”.

In a research paper, "HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs", to be presented at Defcon next week, the researchers said that Tor's security and anonymity are based on the assumption that the large majority of its relays are honest and do not misbehave.

“Particularly the privacy of the hidden services is dependent on the honest operation of hidden services directories (HSDirs),” they said.

The honeypot onions were set up to detect when HSDirs were configured in a suspicious manner. There were separate daily, weekly and monthly trials running between 12 February and 24 April. The researchers found 110 suspicious HSDirs, mainly in the US, UK, Germany, France and the Netherlands.

They found that 70 percent of the malicious HSDirs were hosted on cloud infrastructure and a quarter were also exit nodes. Some nodes hosted on the cloud are paid for in Bitcoins in order to prevent “the traceback and identification of misbehaving entities”.

“Based on our observations not all snooping HSDirs operate with the same level of sophistication. For example, some do not visit the hosted honions immediately to avoid detection by daily honions, our weekly and monthly honions can detect them,” they said.

The researchers said they believed that the behaviour of the snoopers can be modelled and studied in more detail.
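
How visits to honions can be narrowed down to specific directories, as an added example that is not taken from the article or the researchers' paper. It assumes each honion is never advertised, so any visit implies a directory that held its descriptor looked it up, and that the operator records which HSDirs held each descriptor; the greedy set-cover heuristic, names and data are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: HSDirs that held each honion's descriptor (assumed recorded).
HOSTED_ON = {
    "honion-a": {"hsdir1", "hsdir2", "hsdir3"},
    "honion-b": {"hsdir2", "hsdir4", "hsdir5"},
    "honion-c": {"hsdir3", "hsdir5", "hsdir6"},
    "honion-d": {"hsdir2", "hsdir6", "hsdir7"},
    "honion-e": {"hsdir1", "hsdir4", "hsdir7"},
    "honion-f": {"hsdir1", "hsdir4", "hsdir6"},
}
# Constructed visit log: honions that received a connection nobody should make.
VISITED = {"honion-a", "honion-b", "honion-c", "honion-d", "honion-f"}


def candidate_hsdirs(hosted_on, visited):
    """Upper bound: every HSDir that held at least one visited honion."""
    return set().union(*(hosted_on[h] for h in visited))


def smallest_explanation(hosted_on, visited):
    """Greedy set cover: a small set of HSDirs that accounts for every visit."""
    covers = defaultdict(set)  # hsdir -> visited honions it could have seen
    for honion in visited:
        for hsdir in hosted_on[honion]:
            covers[hsdir].add(honion)
    unexplained, chosen = set(visited), []
    while unexplained:
        # Take the HSDir explaining the most remaining visits; name breaks ties.
        best = min(covers, key=lambda d: (-len(covers[d] & unexplained), d),
                   default=None)
        if best is None or not covers[best] & unexplained:
            break  # a visit with no recorded HSDir cannot be attributed
        chosen.append(best)
        unexplained -= covers[best]
    return chosen


if __name__ == "__main__":
    print("candidates:", sorted(candidate_hsdirs(HOSTED_ON, VISITED)))
    print("smallest explanation:", smallest_explanation(HOSTED_ON, VISITED))
```

An unvisited honion (here `honion-e`) is not treated as clearing its directories, since the researchers note that some snoopers delay their visits.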

Paul Ducklin, senior technologist at Sophos, told SCMagazineUK.com the research wasn't about how to snoop, or to avoid it – it was an attempt to measure the trustworthiness of the average Tor node.

“Note that this paper doesn't show how to reveal the browsing data of users of the service, or how to deanonymise visitors, so ‘honey onions’ can't directly be used for snooping. It's merely a useful attempt to quantify the degree of dodginess inside Tor… which came out at about three percent of Hidden Service Directory nodes,” he said.

“For many people, that's probably fewer than they might expect, given the interest that both crooks and intelligence collectors have in Tor, but more than they'd like.”

Douglas Crawford, online security expert at BestVPN, told SC that the more non-exit nodes a single malicious entity controls, the easier it is (in theory) for that entity to pull off an end-to-end timing attack that could de-anonymise a Tor user.

“If an adversary controls both the first node connected to by the user and the exit node used by that user, then it could correlate connection times and duration in order to identify that user.

“Given that there are thousands of Tor nodes (although relatively few exit nodes), and that Tor connections are randomly routed through at least three of these nodes every few minutes, an adversary would need to control a very large number of all nodes in existence for such an attack to have even a slight chance of success,” said Crawford.

“It is not entirely impossible, however, that a global power such as the NSA, Mossad, or even the mafia, could have the reach and resources required to pull this off.”