Honey Onions (HOnions) Used to Find Over 100 Snooping Tor HSDir Nodes

The Tor network keeps facing security threats and attacks despite its layered design. Techniques such as honeypotting and traffic fingerprinting have been used by governments and attackers to try to trace the real IP addresses of Tor users.


Adding another rotten layer to the onion, researchers have singled out more than 100 malicious relays that were probably being used to spy on hidden services, the Dark Web sites reachable only through Tor.

The research was carried out by Amirali Sanatinia and Guevara Noubir, two Northeastern University researchers, who watched the Tor network for 72 days and discovered multiple misbehaving Tor Hidden Service Directories (HSDirs).

What are Tor Hidden Service Directories (HSDirs)?

HSDirs are ordinary Tor relays that have been given the HSDir flag. A hidden service (an .onion site) does not register with any central server; instead it publishes a small descriptor, containing its public key and its introduction points, to a handful of HSDirs, and a client looks that descriptor up before it can connect. Traffic between a client and a hidden service never leaves the Tor network and never passes through an exit node, which is what keeps both ends anonymous.

An HSDir does not learn where a hidden service is hosted, but it is an essential step in connecting Tor users to it. The weak point of the design in use in 2016 is that an HSDir storing a descriptor can derive the service's .onion address from the public key inside it, and that address is all anyone needs to visit the service.

What if an HSDir misbehaves?

A rogue HSDir cannot read your traffic, but it can harvest the .onion addresses of every hidden service whose descriptor it stores, including services that were never advertised anywhere else, and then visit, scan or probe them while itself hiding behind Tor. Catching exactly that behaviour is what the researchers set out to do.

The researchers ran 1,500 specially crafted hidden services, called honey onions (HOnions), over the 72 days. A HOnion's address is given to nothing except the HSDirs that store its descriptor, so any visit to it proves that at least one of those HSDirs used or leaked the address. Over the study they logged some 40,000 requests to the HOnions and, by working out the smallest set of HSDirs that could explain every visit, identified about 110 misbehaving HSDirs. Most were located in France, Germany, the UK, the Netherlands and the US. Elaborating on the results, the researchers write:

More than 70% of these HSDirs are hosted on Cloud infrastructure. Around 25% are exit nodes as compared to the average, 15% of all relays in 2016, that have both the HSDir and the Exit flags. This can be interesting for further investigation, since it is known that some Exit nodes are malicious and actively interfere with users’ traffic and perform active MITM attacks. Furthermore, 20% of the misbehaving HSDirs are, both exit nodes and are hosted on Cloud systems, hosted in Europe and Northern America.

Set against the roughly 7,000 relays in the Tor network, 110 is about 1.6%, and the share is higher when measured only against the relays that actually carry the HSDir flag, since not every relay is one. It is also a lower bound: a HOnion can only expose an HSDir that acts on the addresses it learns, so an HSDir that merely collects them goes unnoticed.

Tor developers are aware of the issue and are working to identify and remove the harmful HSDir nodes. The Tor Project is also working on a new onion-service design in which an HSDir can no longer derive the .onion address from the descriptor it stores, which removes the foothold these attackers rely on.


About The Author
Martins Okoi
Computer Science enthusiast with a passion for learning new things. In my spare time, I listen to music, read like a compiler, and learn like an A.I. algorithm.
