A pair of researchers from Northwestern University are working on a framework to let users identify misbehaving Tor nodes.
In a brief paper presented to last week's Privacy Enhancing Technologies symposium in Germany, they suggest their proof-of-concept worked, turning up 110 snooping relays on Tor. Northwestern University's Amirali Sanatinia and Guevara Noubir made the discovery on a 72-day run of their toolkit starting in February.
The problem centres around hidden services, which are meant to protect users by keeping traffic on the Tor network. That protects users against attacks that match entry-node traffic to exit-node traffic, because there's no exit node.
However, as CloudFlare-supported research found last year, the Hidden Service Directory (HSDir) then becomes an attack vector.
That's what Sanatinia and Noubir went to work on in this brief paper. They describe “honey onions” (honions) that they reckon “expose when a Tor relay with HSDir capability has been modified to snoop into the hidden services that it currently hosts”.
So as not to skew Tor's hidden service statistics, the researchers deployed 1,500 of their honions in each batch run: this was enough to cover the roughly 3,000 HSDir nodes on Tor, without concentrating honion traffic too much.
Cutting to the statistics: of the 110 malicious HSDir nodes the researchers claim existed, more than 70 per cent were hosted on cloud infrastructure like Vultr, and 25 per cent of them are configured to act as both HSDir and Exit nodes (across all of Tor only 15 per cent of HSDirs are also Exit nodes); and the top five countries for malicious HSDirs were the USA, Germany, France, the UK and the Netherlands.
The Tor Project is aware of the HSDir problem; its various mailing lists contain a lot of discussion about ways to better protect hidden service users. ®