Last week’s takedown of Silk Road 2.0 wasn’t the only law enforcement strike on “darknet” illicit websites being concealed by the Tor Project’s network of anonymizing routers. A total of 410 .onion pages on at least 29 different sites, some of which sell everything from drugs to murder-for-hire assassins, were shut down as part of Operation Onymous—a joint operation between 16 member nations of Europol, the FBI, and US Immigration and Customs Enforcement.
While 17 arrests were made, some operators of sites taken down by the worldwide sweep remain at large. One of them—the co-operator of Doxbin, a site that allowed others to post personal identifying information frequently used for intimidation, identity theft, or other malicious purposes—has shared details of his site’s takedown with Tor developers in hopes they’ll find ways to protect other users of the network. An apparent distributed denial of service (DDoS) attack against Doxbin may have been used to uncover its actual location, and the same approach may have been used to expose other darknet servers seized by law enforcement.
Log files shared by the Doxbin proprietor, who calls himself nachash, suggest that sites may have been “decloaked” using Web requests intentionally crafted to break Tor’s Hidden Services Protocol. It’s also possible that his site was given up by bad PHP code. In a series of e-mails to the tor-dev list entitled “yes, hello, Internet supervillain here,” nachash said that his server—a virtual private server hosted by the German hosting service Hetzner—was initially hit by what he believed was a denial of service attack in August.
The requests pushed the traffic for the service up to about 1.7 million page requests for August—nearly three times the normal traffic load for the site. A month later, the same pattern began again, and nachash said that he started redirecting those requests to another Tor hidden service site (the Hidden Wiki’s “Hard Candy” page, a directory of child pornography sites). “I also added a grep -v”—the “invert match” feature for the GNU grep command, which excludes a specific pattern from output—“to my log report script in order to filter out the noise,” nachash wrote. “[this was] possibly a mistake, but we both tailed logs and watched for something like a different attack style that the DDoS was being used to cover and never noticed anything.” Eventually the requests trailed off from a peak of five requests per second down to one every three to six seconds. Ultimately, the requests stopped entirely.
The theory posited by “the kid who started Doxbin” to nachash was that the attack was an attempt to force connections to the site’s various .onion addresses to follow paths that went over Tor network nodes set up by law enforcement. By filling up the “circuits” through secure Tor network nodes, law enforcement operatives could have made it possible to connect to the services only through Tor routing servers they controlled—allowing them to see the real Internet Protocol address of the server hosting them.
Update: The operator of Doxbin sent an update on Sunday evening to Tor developers, saying that at least part of what he reported as a denial of service attack earlier was in fact someone crawling his website. However, the crawler was not involved in the malformed traffic sent later.
The indictment (PDF) is vague about how exactly the FBI got its hands on the supposedly hidden server Silk Road 2.0 was using. In fact the indictment made it sound easy, saying the FBI “identified the server located in a foreign country,” and that law enforcement went in and imaged it sometime around May 30, 2014.
Around that same time, two researchers from Carnegie Mellon, Alexander Volynkin and Michael McCord, were preparing for a presentation at hacker conference Black Hat about work they’d done to easily “break Tor.” They were vague about the details but promised that their work wasn’t just theoretical: “Looking for an IP address for a Tor user? Not a problem. Trying to uncover the location of a Hidden Service? Done. We know because we tested it, in the wild.” In a summary of the talk on the conference website, the researchers claimed that it was possible to “de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months,” and that they would discuss examples of their own work identifying “suspected child pornographers and drug dealers.”
In July, the talk was suddenly canceled. Tor revealed that a bunch of nodes in its network had been compromised for at least 6 months, and asked users to upgrade their Tor software to patch the vulnerability the attackers used:
On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.
If you control enough of the Tor network, it’s possible to get a kind of bird’s eye view of the traffic being routed through it. It was clear that Tor thought the Carnegie Mellon researchers were responsible. The researchers refused to talk to the press, but a conference spokesperson told Reuters the talk was canceled because the researchers hadn’t cleared the release of their work through their department, the Software Engineering Institute, which receives funding from the Defense Department. At the time, many assumed that the university pulled the plug on the talk because of academic ethics considerations and the gray legal zone it was in, with the researchers casually intercepting Web traffic. But maybe it got pulled because the researchers were revealing a law enforcement technique that the government did not want publicized. If nothing else, it’s highly likely the information the researchers collected about “drug dealers and child pornographers” made its way into law enforcement hands. McCord said he was “unable to comment on the matter.” Carnegie Mellon’s SEI declined comment about the canceled talk and about whether it had provided information from the research to law enforcement.
“I am 95% certain that law enforcement did a mass de-anonymization attack on Tor hidden services,” says Nicholas Weaver, a researcher at the International Computer Science Institute. He called any link to the earlier research “circumstantial.” But he points out that the work the researchers did was expensive. A “back of the envelope estimate suggests that whoever was running the attack on Tor at the beginning of the year using [Amazon hosting services] spent at least $50,000 in computer time,” says Weaver. That’s not the kind of money an academic can spend on a hobby project.
Another theory circulating on the Twitters is that Bitcoin over Tor can lead to deanonymization, with many linking to this research paper (PDF) published in October.
The sort of manipulation described by the authors is known as a ‘man-in-the-middle’ attack (MitM) and, if successful, could reveal a user’s IP address, which can be used to locate the user, and allow an attacker to ‘glue’, or correlate, the transactions performed by that user from different bitcoin addresses.
Pustogarov and Biryukov dreamed up the attack by focusing on a little-known aspect of the bitcoin protocol, its built-in protection against a denial of service attack (DoS). To protect themselves, bitcoin servers award points to clients that send them problematic transactions. When a client racks up 100 points, the server bans it for 24 hours.
In an earlier paper (PDF), also focused on anonymity risks on the bitcoin network, the authors described a way to exploit this DoS protection to prevent Tor from being used to connect to the bitcoin network.
They explained that, when a Tor user connects to the bitcoin network, his or her IP address is not revealed. Instead, the bitcoin server sees the address of the connected Tor ‘exit node’, a type of server. As a result, an attacker could send enough bad transactions over Tor to get all the exit nodes banned by the bitcoin network.
The authors build on that approach in their current paper. They say that a smart attacker could set up a number of bitcoin servers and Tor exit nodes before exploiting the DoS protection system to ban other Tor exit nodes from the bitcoin network.
When a victim uses Tor to connect to the bitcoin network, he will be left with only the attacker’s bitcoin servers to connect to, since he has been banned by all other servers. The attacker is now in control of all the information relayed to the user.
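The DoS-protection mechanism the last five paragraphs describe (points awarded per bad transaction, a ban at 100 points lasting 24 hours) has a side effect worth seeing in code: because the score is attached to a source IP, every Tor user behind the same exit node shares one score, so one misbehaving peer gets honest users locked out too. The simulation below is an added example written for this article; it is not code from the paper or from any bitcoin implementation. The threshold and ban duration are the figures the article gives; the per-transaction penalty, the IP addresses and the connection ids are constructed for the demonstration. It also goes one step beyond the text by running the same scenario with the score keyed on the individual connection instead of the IP, to show what changes.

```python
from collections import defaultdict

# Numbers stated in the article: ban at 100 points, ban lasts 24 hours.
BAN_THRESHOLD = 100
BAN_SECONDS = 24 * 60 * 60

# Constructed values for this demonstration, not from the article or the paper.
EXIT_NODE_IP = "198.51.100.7"   # one Tor exit node (RFC 5737 documentation range)
HOME_IP = "203.0.113.42"        # a user connecting without Tor
BAD_TX_PENALTY = 10             # points awarded per rejected transaction (assumed)


class BanScoreTracker:
    """Misbehaviour scoring modelled on the DoS protection the article describes.

    `key_fn` decides what a score is attached to. Keying on the source IP is
    the choice the paper exploits: every Tor client leaving through one exit
    node presents the same IP and therefore shares one score and one ban.
    """

    def __init__(self, key_fn, threshold=BAN_THRESHOLD, ban_seconds=BAN_SECONDS):
        self.key_fn = key_fn
        self.threshold = threshold
        self.ban_seconds = ban_seconds
        self.scores = defaultdict(int)
        self.banned_until = {}

    def is_banned(self, peer, now):
        until = self.banned_until.get(self.key_fn(peer))
        return until is not None and now < until

    def misbehaving(self, peer, points, now):
        """Record bad input from `peer`; return True once its key is banned."""
        if self.is_banned(peer, now):
            return True
        key = self.key_fn(peer)
        self.scores[key] += points
        if self.scores[key] >= self.threshold:
            self.banned_until[key] = now + self.ban_seconds
            self.scores[key] = 0
            return True
        return False

    def accept_connection(self, peer, now):
        return not self.is_banned(peer, now)


def by_ip(peer):
    """Score keyed on source IP: what the article's servers do."""
    return peer["ip"]


def by_connection(peer):
    """Score keyed on the individual connection: the alternative compared below."""
    return (peer["ip"], peer["conn"])


def simulate(key_fn, now=0):
    """One bad peer behind the exit node, then two honest users try to connect.

    Returns which peers are refused one second after the ban and one day later.
    """
    server = BanScoreTracker(key_fn)
    bad_peer = {"ip": EXIT_NODE_IP, "conn": "c1"}
    honest_tor = {"ip": EXIT_NODE_IP, "conn": "c2"}    # same exit node, own circuit
    honest_direct = {"ip": HOME_IP, "conn": "c3"}      # not using Tor at all

    # Enough rejected transactions to reach the threshold: 100 / 10 = 10 of them.
    banned = False
    for _ in range(BAN_THRESHOLD // BAD_TX_PENALTY):
        banned = server.misbehaving(bad_peer, BAD_TX_PENALTY, now)

    just_after = now + 1
    next_day = now + BAN_SECONDS + 1
    return {
        "bad_peer_banned": banned,
        "honest_tor_blocked": not server.accept_connection(honest_tor, just_after),
        "honest_direct_blocked": not server.accept_connection(honest_direct, just_after),
        "honest_tor_blocked_next_day": not server.accept_connection(honest_tor, next_day),
    }


if __name__ == "__main__":
    print("scored by IP:        ", simulate(by_ip))
    print("scored by connection:", simulate(by_connection))
```

With the score keyed on IP, the honest Tor user is refused for the full 24 hours even though they sent nothing bad, while the user at a distinct home address is unaffected; keyed on the connection, only the misbehaving peer is banned. The trade-off is the reason servers key on IP in the first place: a per-connection score can be dodged by reconnecting. The underlying problem is that IP-based reputation assumes one address maps to one actor, and an anonymity network is built to break exactly that assumption.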