In a period spanning 72 days, two researchers from Northeastern University have discovered at least 110 “misbehaving” and potentially malicious hidden services directories (HSDirs) on the Tor anonymity network.

What’s an HSDir?

An HSDir is a Tor node that receives descriptors for hidden services – servers configured to receive inbound connections only through Tor, meaning their IP address and network location remains hidden – and, upon request, directs users to those hidden services it “knows” about.

Anybody can set up a HSDir and start logging all hidden service descriptors published to their node.

What’s the problem?

“Tor’s security and anonymity is based on the assumption that the large majority of the its relays are honest and do not misbehave. Particularly the privacy of the hidden services is dependent on the honest operation of hidden services directories (HSDirs),” Professor Guevara Noubir and Ph.D. student Amirali Sanatinia explained.

“Bad” HSDirs can be used for a variety of attacks on hidden services: from DoS attacks to snooping on them.

What the researchers found

They set up honey onions (honions), a framework able to detect when a Tor node with HSDir capability has been modified to snoop into the hidden services that it currently hosts.

To cover all or almost all HSDirs on the network, they set up 1500 honions, which logged all requests received from the various HSDirs. By analyzing the nature of these requests and when they were made, they were capable of identifying potentially malicious HSDirs.

“Most of the visits were just querying the root path of the server and were automated. However, we identified less than 20 possible manual probing, because of a query for favicon.ico, the little icon that is shown in the browser, which the Tor browser requests. Some snoopers kept probing for more information even when we returned an empty page,” the researchers shared.

There was quite a diversity among the detected attack vectors: forced hidden services indexing, SQL injections, username enumeration, cross-site scripting, targeting of Ruby on Rails framework, etc.

It’s interesting to note (but should not have been unexpected) that of the 110+ malicious HSDir more than 70% were hosted on cloud infrastructure, which makes identifying their operators much more difficult.

“Around 25% are exit nodes as compared to the average, 15% of all relays in 2016, that have both the HSDir and the Exit flags. This can be interesting for further investigation, since it is known that some Exit nodes are malicious and actively interfere with users’ traffic and perform active MITM attacks,” they noted.

It is the responsibility of the Tor Project authority directories to identify and remove malicious HSDirs and, as Noubir told Ars Technica, they are working on it, but use a different methodology. The long-term solution, though, is a new design for hidden services, he noted.