HOnions:ExposingSnoopingTorHSDirsAmiraliSanatinia,NortheasternUniversityIn the last decade, Tor proved to be a very successful and widely popular system to protect users’anonymity.However,Torremainsapracticalsystemwithavarietyof limitations,someofwhichwereindeedexploitedintherecentpast.Tor’ssecurityreliesonthefactthatasubstantialnumberofitsnodesdo notmisbehave. In this work, we introduce, the concept of honey onions, a framework to detectmisbehavingTorrelayswithHSDircapability.Thisallowstoobtainlowerboundsonmisbehavioramongrelays.WeproposealgorithmstobothestimatethenumberofsnoopingHSDirsand identifythemostlikelysnoopers.Ourexperimentalresultsindicatethatduringtheperiodofthestudy(72days)atleast110suchnodesweresnoopinginformationabouthiddenservicestheyhost.Werevealthatmorethanhalf of themwere hosted on cloud infrastructure and delayed the use of the learned information topreventeasytraceback.Weintroducetheconceptofhoneyonions(honions)[1],toexposewhenaTorrelaywithHSDircapabilityhasbeenmodifiedtosnoopintothehiddenservicesthatitcurrentlyhosts.ToautomatetheprocessofgeneratinganddeployinghonionsinawaythattheycoverasignificantfractionofHSDirs,wedevelopedseveral tools.A key constraint in thisprocesswas tominimize thenumberofdeployedhonions. ThisderivesprimarilyfromourdesiretonotimpacttheTorstatisticsabouthiddenservices(particularlygiventherecentsurgeanomaly).ByconsideringthenumberofHSDirs(approximately3000),wecouldinferthatweneedtogeneratearound1500honionstocoverallHSDirswith0.95probability.Weused1500honionsperbatch(daily,weekly,ormonthly)andcouldverifythat95%oftheHSDirsweresystematicallycovered.Figure1,depictsthearchitectureofoursystem.

Figure1 Figure2

Intotal,wedetectedatleast110maliciousHSDirs,andabout40000visits.Morethan70%oftheseHSDirsarehostedonCloudinfrastructure.Around25%areexitnodesascomparedtotheaverage,15%ofallrelaysin2016,thathaveboththeHSDirandtheExitflags.Thiscanbeinterestingforfurtherinvestigation,sinceitisknownthatsomeExitnodesaremaliciousandactivelyinterferewithusers’trafficandperformactiveMITMattacks.Furthermore,20%ofthemisbehavingHSDirsare,bothexitnodesandarehostedonCloudsystems,hostedinEuropeandNorthernAmerica.Thetop5countriesare,USA,Germany,France,UK,andNetherlands.Figure2,depictsthegeolocationmapofidentifiedmaliciousHSDirs.Mostofthevisitswerejustqueryingtherootpathoftheserverandwereautomated.However,weidentifiedlessthan20possiblemanualprobing.Additionally,wedetectedotherattackvectors,suchasSQLinjection,usernameenumeration,crosssitescripting(XSS),andpathtraversal.

References[1]A.SanatiniaandG.Noubir, "HoneyOnions:aFramework forCharacterizingand IdentifyingMisbehavingTorHSDirs,"inIEEEConferenceonCommunicationsandNetworkSecurity(CNS),2016

1. Generate honions

hoi

hoj

2. Place honions on HSDirs3. Build bipartite graph

On visit, mark potential HSDirs

hoj

di

di+2

di+1

di

di+1

di+2

On visit, add to bipartite graph

• Tor  is  a  practical  privacy  infrastructure

• Tor’s  security  relies  on  the  honest  behavior  of  relays

• Tor  clearly  states  HSDirs should  not  snoop  on  onion  services

• The  behavior  of  HSDirs has  not  been  studied

• Question:  How  to  detect  the  snooping  HSDirs and  estimate  a  lower  bound  on  them?

• Malicious  HSDirs have  different  level  of  sophistication• More  than  100  snooping  HSDirs over  the  period  of  72  days• Logged  about  40000  visits  to  the  honions• Wide  range  of  probing,  SQL  injection,  XSS,  user  enumeration• Some  delay  visits  to  avoid  detection  as  a  tradeoff• More  than  half  of  the  malicious  relays  are  hosted  on  cloud• Some  cloud  providers  accept  bitcoins  as  payment• These  privacy  infrastructures  make  the  tracking

more  difficult

A  Sanatinia,  G  Noubir,  "Honey  Onions:  a  Framework  for  Characterizing  and

Identifying  Misbehaving  Tor  HSDirs”

IEEE  Conference  on  Communications  and  Network  Security  (CNS),  2016

Problem  Statement and  Goals

Approach

Results

HOnions:  Exposing  Snooping  Tor  HSDirsAmirali Sanatinia

Northeastern  University

1. Generate honions

hoi

hoj

2. Place honions on HSDirs3. Build bipartite graph

On visit, mark potential HSDirs

hoj

di

di+2

di+1

di

di+1

di+2

On visit, add to bipartite graph

Client

Hidden Service

IP

RP

HSDir

(1)

(2)(3)

(4)

(5)

(6)

(7)

• A  framework  to  detect  misbehaving  Tor  HSDir relays

• Each  honion is  a  server  program  that  logs  visits

• Three  schedules;  daily,  weekly,  monthly  (1500  per  batch)

• Generate  the  bipartite  graph  of  HSDirsand  visited  honions

• Identify  the  snooping  HSDirs using  the  set  cover  problem

• NP-­‐ Complete  problem,  Integer  Linear  Programming  (ILP)