Please create an account to participate in the Slashdot moderation system


Forgot your password?
Privacy Government The Internet

Tor Project Mulls How Feds Took Down Hidden Websites 135 writes: Jeremy Kirk writes at PC World that in the aftermath of U.S. and European law enforcement shutting down more than 400 websites (including Silk Road 2.0) which used technology that hides their true IP addresses, Tor users are asking: How did they locate the hidden services? "The first and most obvious explanation is that the operators of these hidden services failed to use adequate operational security," writes Andrew Lewman, the Tor project's executive director. For example, there are reports of one of the websites being infiltrated by undercover agents and one affidavit states various operational security errors." Another explanation is exploitation of common web bugs like SQL injections or RFIs (remote file inclusions). Many of those websites were likely quickly-coded e-shops with a big attack surface. Exploitable bugs in web applications are a common problem says Lewman adding that there are also ways to link transactions and deanonymize Bitcoin clients even if they use Tor. "Maybe the seized hidden services were running Bitcoin clients themselves and were victims of similar attacks."

However the number of takedowns and the fact that Tor relays were seized could also mean that the Tor network was attacked to reveal the location of those hidden services. "Over the past few years, researchers have discovered various attacks on the Tor network. We've implemented some defenses against these attacks (PDF), but these defenses do not solve all known issues and there may even be attacks unknown to us." Another possible Tor attack vector could be the Guard Discovery attack. The guard node is the only node in the whole network that knows the actual IP address of the hidden service so if the attacker manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service. "We've been discussing various solutions to the guard discovery attack for the past many months but it's not an easy problem to fix properly. Help and feedback on the proposed designs is appreciated."

According to Lewman, the task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly. It seems that there are various issues that none of the current anonymous publishing designs have really solved. "In a way, it's even surprising that hidden services have survived so far. The attention they have received is minimal compared to their social value and compared to the size and determination of their adversaries."
This discussion has been archived. No new comments can be posted.

Tor Project Mulls How Feds Took Down Hidden Websites

Comments Filter:
  • DDOS + Poison Pill (Score:3, Interesting)

    by Anonymous Coward on Monday November 10, 2014 @11:23PM (#48356607)

    If you DDOS a site using TOR it'll saturate all possible exit nodes.
    Inevitably one of these exit nodes will be owned by the feds.

    • by The MAZZTer ( 911996 ) <> on Tuesday November 11, 2014 @12:02AM (#48356779) Homepage
      As I understand it, Tor hidden services are not accessed via exit nodes. Exit nodes are not needed as the destination can speak Tor.
      • by Z00L00K ( 682162 )

        In which case it may mean that what happened is that the authorities did set up at Tor node, then tagged the packets and sniffed them on their way to the destination.

        Essentially - any system where the intruder have access to the majority of the network is vulnerable, no matter if the information is encrypted or not. The conclusion is that if you are going to run questionable stuff, then you need to put a server in a country where the legal system is corrupt and you pay them to look the other way. If your bu

        • by ron_ivi ( 607351 )

          tagged the packets

          And in case someone thinks that's the hard part, note that tagging the packets is pretty easy. Just send a pattern of large-packet,small-packet,large-packet,small-packet .... ; and look for that pattern.

          Just spam the .onion site with tons of that traffic, and look on the relay nodes you control for whichever machine they're sending the most of that pattern.

      • by AHuxley ( 892839 )
        The destination is material that can be presented in open court. Nothing from the NSA, GCHQ.
        For that many nations need to be able to work together and watch networks as they react to changes in networking.
        Not too hard on federal budgets and with international cooperation.
        The real interesting aspect was how to make Tor the destination.
        Years of raids where all users with normal provider accounts, credit card for international VPN use, proxy users all got found. But one networks users seemed to alway
      • Follow the packets. You send a packet to a hidden service and follow it home. If you can monitor all traffic going into and out of a tor node you can figure out which one is yours and follow it to the next node. Repeat process until you have the server. The only way to stop this attack is to have data channels between nodes that are saturated with doubly encrypted data such that it's impossible to tell what data is yours.
        • by allo ( 1728082 )

          It is triple encrypted. destination-middlende-entrynode. Each node removes one layer of the onion.

    • by gweihir ( 88907 )

      And that is relevant how?
      1. That exit node will still not know where the DDoS came from
      2. This has absolutely nothing to do with hidden services, as they do not use exit-nodes.

  • Would changing Tor to use exclusively IPv6 help at any level? Does IPv6 provide any benefits here, other than being 128-bit addresses?

    • IPv6 rarely uses NAT, so it's almost like using a serial number on your machine's address. So, no, no help.

      • by gweihir ( 88907 )

        I predict that we will see a lot of NAT with IPv6, just because ISPs want to make static IP addresses more expensive. You are correct however, that in any sane set-up it is very rare and generally not needed.

        • I predict that we will see a lot of NAT with IPv6, just because ISPs want to make static IP addresses more expensive. You are correct however, that in any sane set-up it is very rare and generally not needed.

          This makes no sense. One of the selling points of IPv6 is there is so much address space, not only can every single human being have their own address.. every device they own, including their car, their 20 phones and 50 computers and 2 fridges and microwave oven can all have their own address too.

          • by gweihir ( 88907 )

            I completely agree from a technical POV. The thing is that ISPs will want some extra cash for static IP addresses, and as dynamic IPs do not really work for IPv6, they will force NAT on users to prevent them from running servers without paying extra.

            • by mcfedr ( 1081629 )
              You could easily right, its something that we will have to fight for when the time comes.
            • So ... if I cared enough, AND I had any ISPs who did IPv6 (I'm not aware that there are any in this country, but I haven't looked), then before signing on the line, I ensure that I get a contiguous block of 128 or 256 or 1024 IPv6 addresses, to use as I like. Essentially, demand a class C or class B address (equivalent) from your ISP?
              • by gweihir ( 88907 )

                Basically yes. Although the IETF recommendation is to give blocks of 65535 IPs to end-users, if I remember correctly. You can still do your own NAT on IPv6 though (at least on Linux as router), and a single, static IPv6 address would be enough to run your own server without any need for dynamic DNS.

            • by Agripa ( 139780 )

              I will not bet that you are wrong but IPv6 requires allocations of /64 or larger for automatic configuration to work.

              As far as security and privacy, the lack of NAT will help with encrypted connections and large endpoint address space allows randomization of IPs and prevents brute force searches.

          • by TheCarp ( 96830 )

            In terms of talking about the scale of the address space, there are approximately 1 mole of IPv6 addresses per square meter of the planet earth.

   makes perfect sense, GP said why it makes sense " just because ISPs want to make static IP addresses more expensive."... because they can and people will still pay them. I agree its sad and counterproductive, but, it still seems likely.

            • by allo ( 1728082 )

              it will be dynamic ipv6. I already have it with my (german) isp. I get a /56, the router provides an option (default: on) to firewall the clients and define exceptions (ip or ip:port based) for clients with a specific MAC (which means it works with PE, too).

    • by gweihir ( 88907 )

      No. And if you do it wrong, it creates a problem, as IPv6 may leak hardware MAC addresses.

      • by Agripa ( 139780 )

        Automatic configuration normally uses the Ethernet MAC address to form the IP address but IPv6 also allows the address to be generated randomly.

  • by Anonymous Coward

    They say in bold that low latency services are specifically difficult to hide and they don't know how to go about it, but why would anyone be using TOR for low latency applications? Is that important for transactional security somehow?

  • by mveloso ( 325617 ) on Monday November 10, 2014 @11:30PM (#48356651)

    I wonder if they're doing their tracking by just sending traffic the servers in question from multiple places and with control over a few exit nodes. They'd basically be sending seismic waves through Tor and timing the responses. After a while and with enough exit nodes you could start figuring out where the other nodes are. With enough traffic analysis from ISPs or whatever you could find out where the TOR nodes actually are. At that point it becomes easier to figure out physically where they are.

    This is theoretical, but it would be fun to try.

    • by Anonymous Coward

      There was a good example of a divide and conquer algo too.

      DDOS half the US internet for 0.5 seconds. Site go down? that half. No? Other half. Repeat.

      Realistically it's only 2^23 times to get every person in the US. 23 shots. Hell they could start with the bigger ISPs and ask nicely and do it faster.

    • by DaJoky ( 782414 )
      Exit nodes? On internal onion addresses? I'm not sure it's the kind of attack here. Maybe they can inject massive amount of data during inactive hours, and inspect backbones / big data centre traffic (and not "exit nodes") accordingly... But that'd be a long shot IMHO.
      • by Okian Warrior ( 537106 ) on Tuesday November 11, 2014 @12:56AM (#48357013) Homepage Journal

        As I understand the Tor process, every tine I fire up Tor it randomly chooses an exit node(*).

        Suppose I am running some exit nodes (as the NSA is suspected of doing). If I want to find the location of a hidden service I just fire up Tor and access an onion website with a specific tempo. If one of my exit nodes shows traffic with that tempo, then I know that's the exit node for this onion connection and I can trace the exit connection(**).

        If you access the site many times, eventually the statistical nature of the tempo (in your own exit node) will be apparent among the random noise of other traffic. If you do the process many times, eventually you'll find a strong statistical evidence for the target IP address.

        How many Tor exit nodes does the FBI run? How much time can they put into discovering each site? Can tempo-based access be automated?

        See here [] for more info. From a paper published in 2011 [] comes the quote:

        In this thesis we tested three correlation algorithms. [...] We found that while the two previously-existing algorithms we tested both have problems that prevent them being used in certain cases, our algorithm works reliably on all types of data.

        This would be my guess.

        (*) For the onion protocol it's listed as a rendezvous point [] and there's some protocol negotiation, but it's essentially an exit node.

        (**) Actually it's even simpler. Tor reports the IP address of your exit node - just keep starting Tor until the exit node is a system you control.

        • by AmiMoJo ( 196126 ) *

          .onion sites don't use exit notes, they connect directly to the Tor network.

          • by Anonymous Coward

            s/exit node/guard node/g and all of Okian Warrior's post still applies.

  • by Rinikusu ( 28164 ) on Monday November 10, 2014 @11:35PM (#48356663)

    Seems like a lot of these .onion sites are hosted on hosting sites that accept bitcoin. Well, how many of those are around? Kinda easy to whittle down after you get that list.

    • by gweihir ( 88907 ) on Tuesday November 11, 2014 @02:19AM (#48357287)

      Just my take. Also note that they carefully avoid saying that the 400 they took down are all criminal ones. I think they took down exactly one .onion hoster and that is it. In the typical dishonesty of law-enforcement these days, they are trying to make the threat seem as large as possible.

  • anyone who has done IT or t-Comm work knows how they did this...

    if you're not a CCNA, then this analogy may help:

    your data in transmission is like a swimming pool

    if you want to keep people out, you can fence it, protect it, lock it down any number of ways...

    but as long as you can use it, others can gain access as well...

    • by Charliemopps ( 1157495 ) on Tuesday November 11, 2014 @12:14AM (#48356845)

      You have no idea how Tor works.
      Youtube is your friend.

      You'd need a hell of a lot more than the entry level cisco cert to figure out a way to break it.


      • i'm not saying anyone with a CCNA can hack Tor

        i'm saying that anything that exists that can be transmitted and decoded can also be accessed by a third party

        if it exists, it's not "secure"

        maybe my analogy is awkward, but it's valid and accurate

        • "i'm saying that anything that exists that can be transmitted and decoded can also be accessed by a third party"
          That's not entirely true. []
        • i'm not saying anyone with a CCNA can hack Tor

          i'm saying that anything that exists that can be transmitted and decoded can also be accessed by a third party

          if it exists, it's not "secure"

          maybe my analogy is awkward, but it's valid and accurate

          Sort of a "Analog Hole" analogy.

          A digital hole?

        • With respect to "decoded", you're wrong. If you're sitting in the middle, between Alice and Bob, you can't necessarily figure out what Alice is saying to Bob.

          They could be using a one-time pad. This can be awkward, but it can be done. In that case, there is no theoretical way for you to read the message.

          Even if they're using conventional cryptography, you can't currently read their messages. (Modern crypto has keys sufficiently long that keys cannot be brute-forced before the Sun burns out, and ther

          • alice/bob = if Bob can figure it out, then you can...theoretically...the same way Bob does. I don't think this is an earth-shattering claim.

            one-time pad = if and only if you destroy the key sheet...from the wiki: "Both Alice and Bob destroy the key sheet immediately after use, thus preventing reuse and an attack against the cipher."

            Bob/Alice as way to intercept the message is to stand next to Bob with a gun to his head...if you get my this is absolutely not any proof that all cryp

    • Err wtf. That analogy doesn't work at all.

      It is a swimming pool that everyone can swim in, but they don't know the physical location of the pool because they get there by a bus which takes a random route and they have black bags over their heads.

      • i know my analogy sucked, but the principle is important

        if you can access it, it's not secure

        that's all i'm really getting at...which is still not that insightful...but someone else called me a phony below and it kidna hurt my feelings

      • The bus driver knows how they get there.....
    • by gweihir ( 88907 )

      That is utter BS. You should look up the "Dunning-Kruger Effect" sometime. You are on the left end of the curve.

      • i said this in another comment:

        i'm not saying anyone with a CCNA can hack Tor

        i'm saying that anything that exists that can be transmitted and decoded can also be accessed by a third party

        if it exists, it's not "secure"

        maybe my analogy is awkward, but it's valid and accurate

        what i'm really trying to say is, if you can access it, so can someone else

  • by Anonymous Coward

    According to Lewman, the task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly.

    You can make it harder by using heterogeneous networks in series. For example, you can run a private encrypted digital network (not necessarily IPv4-based) over a modem and an international phone call. Keep that "link" filled with white noise or throwaway data when it's not being fully utilized for your communications channel. Stick that link between your "real" server and the box that is acting as the TOR hidden server. Even better, don't: Instead, have the "hidden server" talk to a proxy over the mod

  • Ya think?

    Tor will never work over the corporate wire. That is as absolute as the speed of light or any other natural law. Unregistered use of encryption will simply be blocked. Only with this in mind can any method of possibly successful circumvention emerge.

  • It is also possible that after the identified Dread Pirate Roberts of Silk Road 1.0 they traced a connection from him to the Silk Road 2.0 DPR says that only he knew the identity... but when did he set it up how often did they communicate and did he leave any trace?

    I never believed the story of how DPR was originally identified. It is standard practice for intelligence agencies and sometimes police to hide their sources through parallel construction. They really find something out one way- then, after th
  • Tor was written by the federal government. Enough said.

    • by gweihir ( 88907 )

      No, it was not. Get your facts straight.

  • Come on over to I2P (Score:4, Informative)

    by Burz ( 138833 ) on Tuesday November 11, 2014 @01:47AM (#48357189) Homepage Journal

    There are no privileged routers (or 'guard' nodes) on I2P, and from the perspective of "relays" I2P has many times the number Tor has.

    Its way better than Tor when you're looking mainly to communicate with other anon sites/users. Comes with bittorrent and an option for decentralized (serverless) securemail.

    • by Anonymous Coward

      Judging by the file names on iMule when I decided to look into it, it *LITERALLY IS* all CP in the search results, even for mundane keywords like 'anime' and 'japanese'. I imagine it is full of either really stupid CP sharers or government honeypots, so consider yourself warned.

      That said, I2P tends to be more finicky to access sites over. The default (but reconfigurable) route settings are basically the same as Tor (3 hop, no variation.) There is a recommendation to leave a torrent, any torrent, running whi

  • If you have so much resources as government of USA, what's the problem to get for example 500 servers in different places around the world with lets say 1 gigabit each. I assure you that they would know everything while standing in front and at the exit, sometimes even whole road. Tor client is picking those servers with best throughput first logically, it's not really random. Maybe even they already did that, maybe NSA and they are feeding public with exploit version. I would do that if i were them...
  • by burni2 ( 1643061 ) on Tuesday November 11, 2014 @03:50AM (#48357549)

    That's actually a major problem, all data is transported via government visible networks.

    How would I do it ?
    As a LEO I would try to get warrants for a full take loging of all entry guards/relays(unknowing facilitators) that were in between my request and the site and those that are under my jurisdiction. (now I know with which computers the tor-relay/entry guard communicates) I would obtain full take / warrants for those / and another round .. bingo

    now I can do traffic confirmation attacks, download the same data-size again and again and again, and perhaps uploading same data of specfic size again and again and again.

    Due to the full takes I will be able to correlate what path my data took, over all three levels. There will be misses, as not all traffic will go through the U.S. & UK
    but at a certain point in time there will be enough ip-data, where I can identify a location and a person.

    And then I need to do parallel construction (infiltration) as I now know who the person is I can generate a personality profile and figure out the best way to come in contact with the operator.

    • by burni2 ( 1643061 )

      before somebody calls it: bullshit or so ..

      - look at the map where most tor relays/entry guards are situated

      - .. think about it that the network traffic consists basic traffic and a wandering component (it follows daylight) .. so I can steer when to do the correlation and
      when it's the best time to look for an anomaly.

  • by sirwired ( 27582 ) on Tuesday November 11, 2014 @05:17AM (#48357779)

    It's a common fallacy to assume that you, on the side of Right and Truth, are clever and intelligent while The Other Guys (standing for all that is Wrong and False) are a bunch of bumbling idiots.

    That's a really easy way to get surprised and metaphorically spanked, in any context.

    Of COURSE the feds have been working on ways to de-anonymize Tor! What did you expect them to do? Go "Oh Golly-Gosh-Darn! A bunch of people have figured out a way to do things we don't like in a way that's difficult to track. I guess I'll simply sit around and eat donuts all day and wait for my dept. to get cut when it's noticed at the next budget hearing that my electronic surveillance dept. isn't actually surveilling anything!"

    Just like people within Tor do work to plug de-anonymizing holes, people that would like to de-anonymize Tor do work to find the loopholes first. Shocker.

  • Tor anonymous services sound quite similar to Freenet [], but the latter is built for this from the bottom up rather than having it added on later. In Freenet, files are stored as encrypted blocks distributed across all freenet nodes, and files are retrieved by hashes. I don't think there's anything like gatekeeper nodes here - the only nodes that know that they host a given block is that node itself (and even it doesn't know what that block contains). Since blocks are stored redundantly, both storage and dist

    • Tor anonymous services sound quite similar to Freenet, but the latter is built for this from the bottom up rather than having it added on later.

      Freenet has three big weaknesses compared to Tor:

      1) High latency. While you can "browse" it, via fproxy that comes enabled with standard distribution, it can take minutes for a page to even begin loading.

      2) Insecurity. Freenet doesn't establish connections between computers, it can only insert and retrieve files. Consequently, you can't build web services, but must

    • by allo ( 1728082 )

      freenet replaces oneclickhosters. building websites with freenet is PITA.
      tor replaces proxies. hosting websites is just the same as usual, but they are only reachable via the "tor-proxy".

  • I think I have read before (and it would seem to make logical sense) that if the Feds run more than 50% of the Tor nodes, they can start to reliably trace traffic? If this is the case, I have no doubt that the US gov't has the computing power. The "drug war" is very well funded.
    • Where do you think Tor came from? It was a government project designed to protect intelligence communications. The Feds know Tor inside and out because it was paid for by the federal government.

  • So, look at this through the eyes of the defender, in the context of breaches of other sites. Put aside ethics, right/wrong, law, etc.; what this comes down to is a security breach when viewed from the defender's perspective, right?

    Okay, so when you look at past breaches, what do you find...breakdowns in basic security. Sony wasn't patching, Home Depot wasn't watching their security monitoring, etc. While many vendors and researchers are trying to come up with novel security products and solutions to sol

  • Isn't this a great attack vector anyway? Impersonate the directory and show the clients only your nodes.

    @guards: does the guard know, its the guard of a hidden service? Maybe someone used tor nodes in the hope to become guard of the services, maybe renewed the node-ids often and then uncloaked them?

  • If I may be so bold to paraphrase Bruce Schneier, nothing says "Investigate Me" like using TOR.

In the realm of scientific observation, luck is granted only to those who are prepared. - Louis Pasteur