Researchers Discover Tor Nodes Spying on the Network


According to a series of tests, over 100 malicious Hidden Service Directories (HSDirs) — nodes in the Tor Network that act as introductory points — have been found snooping on the Tor Network.

Discovering Malicious Tor Nodes

Researchers Amirali Sanatinia and Guevara Noubir first discovered the snooping services. A collection of their work will be presented next week at DEF CON, the world’s longest and largest underground hacking conference.

Their paper, “Honions: Towards Detection and Identification of Misbehaving Tor HSDirs,” describes their work in detail and provides a framework called “Honey onions” (Honions), which detects and identifies malicious HSDirs.

The two researchers ran a series of tests on their framework in separate daily, weekly and monthly trials. Through these trials they found that most of the malicious HSDirs were located in the United States, Germany, France, the United Kingdom and the Netherlands.

The “Honions” exposed Tor relays with HSDir capabilities that were pretending to be hidden services but were simply using their position to collect data about users.

Tor Developers: Not Another Setback, Simply an Annoyance

Although this may seem like another blow to the anonymity network, Tor developers reject that idea outright. Representatives of Tor say that it is an “ongoing annoyance,” while others explain that it does not uncover the operator behind a hidden service, which has long been a law enforcement and intelligence agency goal.

Tor developer Sebastian Hahn says that they have been focusing on addressing the issue, but that a release date for a fix is still to be determined. Also, according to Hahn, the attacks simply show the existence of a hidden service and do not mean the identity of the operator has been revealed “or anything catastrophic like that.”

Noubir says that, based on the information they have, the people running these nodes could be anyone from researchers studying the dark web to law enforcement investigating or trying to block dark web sites.

He goes on to say that it is hard to tell who is doing what, but from what they do know they can tell that there is some diversity in what they are doing. Some are attacking these hidden services, or in some way collecting information about them.

Hahn also goes on to explain further why he thinks the data that is exposed by the attacks is trivial.

“Just like the address of your house is metadata,” Hahn says, “the address of a hidden service is the same, it is data that is only important to allow the Tor network to connect users with the hidden service, but not otherwise meaningful.”

The researchers said that most of the 40,000 visits they logged were automated and queried the root path of the server, but they did detect manual probing in about 20 percent of those requests.

What do you think of the discovery of the malicious Hidden Service Directories? Is it simply an annoyance or possibly something more damaging?

Source: Threatpost

Images courtesy of Fernando Alfonso III, The Tor Project.

Trevor Hill
