Security Experts:

Many Tor Relays Found Snooping on Dark Web Services

Researchers at Northeastern University have analyzed the Tor anonymity network and discovered that there are at least 110 nodes that spy on dark web services.

Experts have developed what they call honey onions, or HOnions, honeypots designed to identify misbehaving relays that have a hidden services directory (HSDir) flag. The privacy of Tor hidden services depends on the honest operation of these nodes, which provide the information needed by users to access .onion websites.

An analysis conducted between February 21 and April 24 using roughly 1,500 HOnions revealed that there are at least 110 snoopy nodes. These misbehaving relays were mostly located in the United States, Germany, France, UK and the Netherlands. According to the Tor Project, there are a total of more than 3,000 relays with the HSDir flag.

While in most cases these relays automatically queried the root path of the server, in some cases the honeypots detected what appeared to be manual probing. Researchers identified Apache- and search engine-related queries, and also attempts to find or exploit SQL injection, cross-site scripting (XSS), Drupal user enumeration, path traversal, Ruby on Rails and PHP vulnerabilities.

Some of the offending nodes were more sophisticated than others. Experts noticed that some of them visited the HOnions within 24 hours after hosting them, while others waited longer – most likely in an effort to evade detection or avoid raising suspicion.

Researchers also determined that more than 70 percent of the malicious relays are hosted in the cloud, including on infrastructure provided by companies that accept payment in Bitcoin, which makes it more difficult to detect the nodes and identify their operators.

Some of the snoopy hidden service directories are also exit nodes – these types of nodes have been known to be abused for malicious activities, including by APT actors. SecurityWeek has reached out to the Tor Project for comment on this research.

Recent events have shown that Tor is not 100 percent trustworthy. A team of university researchers funded by the U.S. government managed to help law enforcement deanonymize Tor users suspected of conducting criminal activities by adding more than 100 rogue relays to the anonymity network.

Several improvements have been made over the past period to anonymity protections, but an increasing number of people are losing their faith in Tor’s capabilities due to the recent incidents. MIT researchers announced earlier this month that they have created a new anonymity system, dubbed “Riffle,” that is claimed to provide not only stronger security, but also more efficient bandwidth usage.

Related: Tor Browser Gets Multiple Security Enhancements

Related: Tor, CloudFlare Spar Over Malicious Traffic

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.