Honey Onions: Exposing Snooping Tor HSDir Relays

GuevaraNoubir &Amirali Sanatinia{noubir,amirali}@ccs.neu.edu

NortheasternUniversity

1

Motivations

• Previousresearchstudiedthemaliciousnessoftherelays• KnownbadExitnodes• Otherworklookedatthenatureofhiddenservicescontent• NopriorworkontheHiddenServiceDirectories(HSDirs)• IndexinghiddenservicesrequiresmodificationtoTor,whichcanbeanindicatorofsomeeffortandpotentiallymoremaliciousactivities

2

Tor & Hidden Services

• Awidelyusedpracticalanonymityinfrastructure• Providesanonymityforboththeclientsandtheserverthroughhiddenservices• Dependsonthehonestbehaviorofthevolunteeringrelays• Itisknownthatsomerelaysaremisbehaving(BadExitnodes)• SomeExitnodesactivelytrytoperformManintheMiddleAttack(MITM)• NotmuchisknownabouttheHSDirs orHiddenServicesingeneral

3

Hidden Service Directories (HSDir)

Client

Hidden Service

IP

RP

HSDir

(1)

(2)(3)

(4)

(5)

(6)

(7)

4

Ring of Responsible HSDirs

5

Honey Onions (HOnions)

• EachHOnion correspondstoaserver/process• RunonlocalIPaddress(HiddenService)• AccessibleonlythroughTorandnotsharedanywhere• Threeschedules• Daily• Weekly• Monthly

• Logtherequestsforfurtherinvestigation

6

HOnions Architecture

1. Generate honions

hoi

hoj

2. Place honions on HSDirs3. Build bipartite graph

On visit, mark potential HSDirs

hoj

di

di+2

di+1

di

di+1

di+2

On visit, add to bipartite graph

7

Set Cover Problem

• !"# = &': )*++,-./0123ℎ!"#2+5-.6

• !7 = ℎ*8:!792*93ℎ.31.0:2023,&

• ; = !"# ∪ !7

• = = ℎ*8, &8 ∈ !7×!"# ℎ*81.0A-.Bedon&'andwasvisited}

• ": ∀ ℎ*8, &' ∈ =, ∃&′' ∈ " ∧ ℎ*8, &′' ∈ =R⊆TRUVWXY'Z

• ThesetcoverisanNP-completeproblem• Canbecalculatedusingapproximationalgorithms• SetcovergivesthelowerboundonthenumberofsnoopingHSDirs

8

Heuristic Approach

• Input:G(V,E): Bipartitie graphofHOnions toHSDirs• Output:S:Setexplainingvisits

• " ⟵ ∅

• while; ∩ !7 ≠ ∅_o• Pick& ∈ ; ∩ !"#: 123ℎℎ26ℎ,03 degree• ; ← ;\ &.9&230!792*99,26ℎb*+0

• end

9

Integer Linear Programming (ILP)

• min (ef, … , eTRU)∑ e8|TRU|8jf

subjectto∀ℎ*' ∈ !7 ∑ e8 ≥ 1�∀8: nop,qr ∈s

• ProvidesalowerboundonthenumberofsnoopingHSDirs toexplainthevisits

10

Connectivity Graph

11

Snooping Behavior

• Widevarietyofbehavior• Automatedvsmanualprobing• Aggressive,periodicprobing• Attemptstofindvulnerabilities• SQLInjection• XSS• Pathtraversal• PHPEasterEggs• TargetingDrupalandRubyonRails

12

Snoopers’ Most Likely Geolocation

13

Snoopers’ Identity

• Hardtoidentifytherealentitybehindtherelays• MorethanhalfoftheHSDirs arehostedoncloudplatform• Thegeolocationscorrespondtothelocationofthehostingplatformandnotnecessarilytheentityrunningthem• Numberofcloudplatformsarelocatedincountrieswithstrongerprivacyprotectionforcostumers• Somecloudplatformacceptpaymentsoverbitcoin,makingitevenhardertoidentifytherealactors

14

Conclusion

• HoneyOnions(HOnions)isaframeworktodetectsnoopingHSDirs• Providesalowerboundonsuchrelays• Torreliesonthehonestbehaviorofthevolunteeringrelays• Thedetection,identificationandmitigationofmisbehavingrelayshelpstoimprovetheprivacyandsecurityofTor• ThisworkisanadditiontothepreviousbodyofworkfocusingondetectionofmisbehavingTorrelays

15