Tor Project on the hunt for how cops can ‘decloak’ dark net

The Tor Project hopes to discover exactly how law enforcement uncovered ‘dark net’ sites like Silk Road 2.0 that should have remained cloaked by The Onion Router (Tor) network.

After last week’s seizure of Silk Road 2.0 and dozens of other ‘hidden services’, the Tor Project — which maintains the software behind the Tor network — wants to know exactly how law enforcement were able to identify and locate web servers that should not have been visible.

The ‘dark web’ is made up of websites that rely on Tor and have a URL that ends in .onion, known as hidden services. While Tor helps users maintain their anonymity when navigating the internet by routing their traffic through a chain of relays that hides their IP address, it affords operators of web servers the same protection, negotiating encrypted ‘meeting points’ between the site and end-user. Facebook recently launched its own onion address to support users who access the social network through Tor from nations ruled by oppressive governments.

The Tor Project on Sunday said it has no idea how law enforcement were able to identify the servers that were taken down last week as part of the European-US operation "Onymous". A spokesperson for the project, "Phobos", said it was "not contacted directly or indirectly by Europol nor any other agency involved."

The update from the Tor Project follows two reports that emerged over the weekend from relay services that happened to be taken down at the same time as last week's dark net seizures. One of the reports comes from an operator of one of 27 seized hidden services who was not arrested, who said that law enforcement may have used a distributed denial of service (DDoS) attack to reveal the server’s true IP address.

The Tor Project wants to find out how the seized hidden services were located and whether law enforcement exploited a weakness which could be used by criminals or governments.

While the project does not know how law enforcement identified the concerned servers, it offers several explanations as to how the feat may have been pulled off.

The first is that the Tor network itself was attacked. Assuming that Tor relays were seized as part of operation Onymous, it could mean law enforcement exploited unknown weaknesses in the network. The project points to one previous attack on Tor itself, thought to be carried out by US CERT (the Software Engineering Institute at Carnegie Mellon University), that may have managed to uncloak some hidden services.

Another is an attack on the “guard node” of a hidden service, which could reveal a hidden service’s real IP address.

“The guard node is the only node in the whole network that knows the actual IP address of the hidden service. Hence, if the attacker then manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service,” the Tor Project explained.

The DDoS attack, however, appears to be the most plausible explanation, since there are several documented techniques that can be used to de-anonymise a hidden service.

“If your hidden service lacks sufficient processor, memory, or network resources the DoS based de-anonymization attacks may be easy to leverage against your service. Be sure to review the Tor performance tuning guide to optimize your relay or client,” the project warned.

A less likely possibility is that law enforcement remotely exploited a bug in the Tor software itself.

Other possibilities include an operator of a hidden service introducing their own vulnerabilities through operational security blunders, such as the ones that allegedly led to the downfall of Silk Road 2.0, whose operator Blake Benthall used real name email addresses to manage the site’s hidden services.

Another is Bitcoin uncloaking. “Apparently, there are ways to link transactions and deanonymize Bitcoin clients even if they use Tor. Maybe the seized hidden services were running Bitcoin clients themselves and were victims of similar attacks,” the project speculated.

This article is brought to you by Enex TestLab, content directors for CSO Australia.
