Security News 110 Rogue Servers Found on Tor Network During 72-Day Experiment

Exterminator

Two scientists from Northeastern University carried out an experiment on the Tor Network, introducing 1,500 honeypot servers that revealed at least 110 Tor HSDirs (Hidden Services Directories) are probing fellow Tor relays and even attempting to exploit security weaknesses.

The experiment, which took place between February 12, 2016, and April 24, 2016, was started to test the trustability factor of fellow Tor servers, and most especially, HSDirs, which is a more complex term for a Tor server hosting a (Dark Web) .onion website.

HOnion servers snooped on Tor traffic for 72 days

The researchers introduced honeypots, which also functioned as real-life Tor servers, called HOnions, running a framework for detecting abnormal Tor traffic.

The servers were introduced gradually into the network, in order to cover as much of the Tor traffic exchanged through the network as possible.

After 72 days, the researchers gathered and analyzed all their data, and presented the study's results at the Privacy Enhancing Technologies Symposium, last Friday.

The two researchers, Professor Guevara Noubir and Ph.D. student Amirali Sanatinia, revealed they identified at least 110 HSDirs showing out-of-the-ordinary behavior.

Some servers attempted SQL injection and XSS exploits

While most queried for data such as server root paths, description.json server files, and the Apache status page, there were some that exhibited downright malicious behavior.

[W]e detected other attack vectors, such as SQL injection, targeting the information_schema.tables, username enumeration in Drupal, cross-site scripting (XSS), path traversal (looking for boot.ini and /etc/passwd), targeting Ruby on Rails framework (rails/info/properties), and PHP Easter Eggs (?=PHP*-*-*-*-*).

Over 70 percent of these 110 misbehaving HSDirs were running on professional cloud infrastructures, showing an actor who invested in setting up the nodes, not your average Joe hacker setting up their home desktop as a Node server.

Some malicious servers were Tor exit nodes

Furthermore, 25 percent of the 110 HSDirs also functioned as exit nodes for Tor traffic, raising the alarm that they might be carrying out MitM attacks, and snooping on Tor traffic.

Attacks on the Tor network are nothing new for the Tor Project, which has been probed by nation-state actors, official crime investigation agencies, academic researchers, and cyber-criminals alike.

Below is a map of the malicious Tor HSDirs discovered during the research. The full study is also available online under the title of HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs.
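
As an added example (not part of the original post and not the researchers' HOnions framework), the probe types quoted above can be turned into a small classifier for honeypot request logs. The honeypot names, log layout and sample requests are constructed, and `/server-status` is assumed as the Apache status page path; Drupal username enumeration is left out because the post gives no request shape for it.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Signatures built from the probe types named in the quoted study text.
# First match wins, so attack classes are listed before plain reconnaissance.
SIGNATURES = [
    ("sql_injection", re.compile(r"information_schema\.tables", re.I)),
    ("path_traversal", re.compile(r"\.\./|boot\.ini|/etc/passwd", re.I)),
    ("xss", re.compile(r"<\s*script", re.I)),
    ("rails_info", re.compile(r"rails/info/properties", re.I)),
    ("php_easter_egg", re.compile(r"\?=PHP[^-\s]+(?:-[^-\s]+){4}", re.I)),
    ("recon", re.compile(r"description\.json|/server-status", re.I)),
]
ATTACK = {"sql_injection", "path_traversal", "xss", "rails_info", "php_easter_egg"}

def classify(request_target):
    """Label one request target (path plus query string)."""
    decoded = request_target
    for _ in range(3):  # bounded re-decoding catches %2f and %252f forms
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    for label, pattern in SIGNATURES:
        if pattern.search(decoded):
            return label
    return "root_probe" if decoded in ("", "/") else "other"

def summarize(log):
    """Return (label counts, honeypots that received attack-class probes)."""
    counts, attacked = Counter(), set()
    for honeypot, target in log:
        label = classify(target)
        counts[label] += 1
        if label in ATTACK:
            attacked.add(honeypot)
    return counts, attacked

# Constructed sample log: (honeypot id, request target). Not real study data.
SAMPLE_LOG = [
    ("honion-01", "/"),
    ("honion-01", "/server-status"),
    ("honion-02", "/description.json"),
    ("honion-03", "/item?id=1+UNION+SELECT+table_name+FROM+information_schema.tables"),
    ("honion-04", "/view?file=..%252f..%252fetc%252fpasswd"),
    ("honion-04", "/rails/info/properties"),
    ("honion-05", "/index.php?=PHPAAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE"),
    ("honion-06", "/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Separating the reconnaissance labels from the attack-class labels mirrors the split the article draws between servers that only queried for data and those that attempted exploits.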
 

DardiM

Glad I no longer use Tor!
Tor Network or Tor Browser?
In my opinion
Tor Browser to go on "normal" websites is safe :) (NoScript and HTTPS Everywhere activated)
The article talks about Hidden Services Directories.
"The research is only the latest indication that Tor can’t automatically guarantee the anonymity of hidden services or the people visiting them"
Even in this case: "There’s no evidence the malicious relays were able to identify the visitors of the hidden sites or monitor the plain-text traffic passing between them"
=> you can be worried only for illegal activities / browsing hidden websites of the Tor Network
In my opinion
 

DardiM

Why not Firefox or similar with those extensions?
False IP, anonymity and privacy, for example, using a part of the Tor network advantage, and then surfing on all 'normal' websites.
(By normal websites, I don't mean "safe" websites :) but websites that everybody can access without the Tor Network)

Those extensions are by default on Tor Browser 6 (based on Firefox), but are not the only protection Tor Browser gives you.

(No other extensions must be installed with this Browser otherwise it can harm your anonymity and privacy)
 