Thoughts and Concerns about Operation Onymous

What happened

Recently it was announced that a coalition of government agencies took control of many Tor hidden services. We were as surprised as most of you. Unfortunately, we have very little information about how this was accomplished, but we do have some thoughts which we want to share.

Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of Torservers.net disappeared and there is another report by an independent relay operator. If anyone has more details, please get in contact with us. If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network.

But, more to the point, the recent publications call the targeted hidden services seizures "Operation Onymous" and they say it was coordinated by Europol and other government entities. Early reports say 17 people were arrested, and 400 hidden services were seized. Later reports have clarified that it was hundreds of URLs hosted on roughly 27 web sites offering hidden services. We have not been contacted directly or indirectly by Europol nor any other agency involved.

Tor is most interested in understanding how these services were located, and whether this indicates a security weakness in Tor hidden services that could be exploited by criminals or by secret police repressing dissidents. We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?

How did they locate the hidden services?

So we are left asking "How did they locate the hidden services?". We don't know. In liberal democracies, we should expect that when the time comes to prosecute some of the seventeen people who have been arrested, the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical internet-facing services. We know through recent leaks that the US DEA and others have constructed a system of organized and sanctioned perjury which they refer to as "parallel construction."

Unfortunately, the authorities did not specify how they managed to locate the hidden services. Here are some plausible scenarios:

Operational Security

The first and most obvious explanation is that the operators of these hidden services failed to use adequate operational security. For example, there are reports of one of the websites being infiltrated by undercover agents and the affidavit states various operational security errors.

SQL injections

Another explanation is exploitation of common web bugs like SQL injections or RFIs (remote file inclusions). Many of those websites were likely quickly-coded e-shops with a big attack surface. Exploitable bugs in web applications are a common problem.

Bitcoin deanonymization

Ivan Pustogarov et al. have recently been conducting interesting research on Bitcoin anonymity.

Apparently, there are ways to link transactions and deanonymize Bitcoin clients even if they use Tor. Maybe the seized hidden services were running Bitcoin clients themselves and were victims of similar attacks.

Attacks on the Tor network

The number of takedowns and the fact that Tor relays were seized could also mean that the Tor network was attacked to reveal the location of those hidden services. We received some interesting information from an operator of a now-seized hidden service which may indicate this, as well. Over the past few years, researchers have discovered various attacks on the Tor network. We've implemented some defenses against these attacks, but these defenses do not solve all known issues and there may even be attacks unknown to us.

For example, some months ago, someone was launching non-targeted deanonymization attacks on the live Tor network. People suspect that those attacks were carried out by CERT researchers. While the bug was fixed and the fix quickly deployed in the network, it's possible that as part of their attack, they managed to deanonymize some of those hidden services.

Another possible Tor attack vector could be the Guard Discovery attack. This attack doesn't reveal the identity of the hidden service, but allows an attacker to discover the guard node of a specific hidden service. The guard node is the only node in the whole network that knows the actual IP address of the hidden service. Hence, if the attacker then manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service. We've been discussing various solutions to the guard discovery attack for many months, but it's not an easy problem to fix properly. Help and feedback on the proposed designs is appreciated.

*Similarly, there exists the attack where the hidden service selects the attacker's relay as its guard node. This may happen randomly or this could occur if the hidden service selects another relay as its guard and the attacker renders that node unusable, by a denial of service attack or similar. The hidden service will then be forced to select a new guard. Eventually, the hidden service will select the attacker.

Furthermore, denial of service attacks on relays or clients in the Tor network can often be leveraged into full de-anonymization attacks. These techniques go back many years, in research such as "From a Trickle to a Flood", "Denial of Service or Denial of Security?", "Why I'm not an Entropist", and even the more recent Bitcoin attacks above. In the Hidden Service protocol there are more vectors for DoS attacks, such as the set of HSDirs and the Introduction Points of a Hidden Service.

Finally, remote code execution exploits against Tor software are also always a possibility, but we have zero evidence that such exploits exist. Although the Tor source code gets continuously reviewed by our security-minded developers and community members, we would like more focused auditing by experienced bug hunters. Public-interest initiatives like Project Zero could help out a lot here. Funding to launch a bug bounty program of our own could also bring real benefit to our codebase. If you can help, please get in touch.

Advice to concerned hidden service operators

As you can see, we still don't know what happened, and it's hard to give concrete suggestions blindly.

If you are a concerned hidden service operator, we suggest you read the cited resources to get a better understanding of the security that hidden services can offer and of the limitations of the current system. When it comes to anonymity, it's clear that the tighter your threat model is, the more informed you need to be about the technologies you use.

If your hidden service lacks sufficient processor, memory, or network resources, the DoS-based de-anonymization attacks may be easy to leverage against your service. Be sure to review the Tor performance tuning guide to optimize your relay or client.

*Another possible suggestion we can provide is manually selecting the guard node of a hidden service. By configuring the EntryNodes option in Tor's configuration file you can select a relay in the Tor network you trust. Keep in mind, however, that a determined attacker will still be able to determine this relay is your guard and all other attacks still apply.
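To make the risk behind the two starred paragraphs concrete (an attacker who knocks honest guards offline until the hidden service picks one of theirs, and the EntryNodes pin as a mitigation), here is an added toy model written for this page; it is not Tor's guard-selection code and is not from the Tor Project. It assumes a bandwidth-weighted pick from a constructed relay pool, with independent picks on each forced rotation, and it quantifies how the attacker's one-pick odds compound with every rotation. The relay fingerprints are constructed placeholders, and the only real configuration it emits is the EntryNodes line the post names.

```python
"""Guard rotation under denial of service: an added toy model (not Tor code).

A hidden service picks one guard from a bandwidth-weighted pool. An attacker
controlling a fraction f of guard bandwidth knocks the current honest guard
offline, forcing a fresh pick, and repeats. Each forced rotation is another
independent chance to land on a hostile relay, so exposure compounds.
Pinning the guard (EntryNodes) removes the re-pick loop, at the cost that the
pinned relay is then knowable and the service is down whenever it is.
"""
import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    fingerprint: str  # 40-hex identity; constructed placeholders in the demo
    bandwidth: int    # selection weight (stands in for the consensus weight)
    hostile: bool     # True if the attacker operates this relay


def hostile_fraction(relays):
    """Fraction f of total guard bandwidth under the attacker's control."""
    total = sum(r.bandwidth for r in relays)
    return sum(r.bandwidth for r in relays if r.hostile) / total


def exposure_after_rotations(f, rotations):
    """Probability that at least one of (rotations + 1) independent
    bandwidth-weighted picks is hostile: 1 - (1 - f)^(rotations + 1).
    rotations == 0 is the pinned-guard case: a single pick, never redone."""
    return 1.0 - (1.0 - f) ** (rotations + 1)


def pick_guard(relays, rng):
    """One bandwidth-weighted guard selection (model assumption)."""
    return rng.choices(relays, weights=[r.bandwidth for r in relays], k=1)[0]


def simulate_exposure(relays, rotations, trials, seed=0):
    """Monte Carlo of the DoS loop: pick a guard; if honest, the attacker
    knocks it offline and the service picks again, up to `rotations` times.
    Assumes picks are independent (a large pool where knocked-out guards
    return), matching the closed form above."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        for _ in range(rotations + 1):
            if pick_guard(relays, rng).hostile:
                hits += 1
                break
    return hits / trials


_FINGERPRINT = re.compile(r"^[0-9A-Fa-f]{40}$")


def torrc_pin_lines(fingerprint):
    """torrc line pinning the guard to a relay the operator trusts, using the
    EntryNodes option named in the post ($-prefixed identity fingerprint).
    As the post warns, the pinned relay can still be identified as the guard;
    this only removes the forced-rotation path to an attacker-run guard."""
    if not _FINGERPRINT.match(fingerprint):
        raise ValueError("expected a 40-character hex relay fingerprint")
    return [f"EntryNodes ${fingerprint.upper()}"]


if __name__ == "__main__":
    # Constructed pool: 19 honest relays and 1 hostile relay, 5% of weight.
    pool = [Relay(f"{i:040X}", 100, False) for i in range(1, 20)]
    pool.append(Relay("F" * 40, 100, True))
    f = hostile_fraction(pool)
    print(f"hostile fraction f = {f:.3f}")
    print("rotations  closed-form  simulated")
    for n in (0, 5, 20, 60):
        print(f"{n:9d}  {exposure_after_rotations(f, n):11.3f}"
              f"  {simulate_exposure(pool, n, 20000, seed=n):9.3f}")
    print("\n".join(torrc_pin_lines(pool[0].fingerprint)))
```

With a 5% hostile fraction the single-pick exposure is 5%, but after 20 forced rotations it is about 66% and after 60 about 96%, which is why forcing rotations is the attacker's lever and why the post treats relay resource exhaustion as an anonymity problem rather than only an availability one.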

Final words

The task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly. It seems that there are various issues that none of the current anonymous publishing designs have really solved.

In a way, it's even surprising that hidden services have survived so far. The attention they have received is minimal compared to their social value and compared to the size and determination of their adversaries.

It would be great if there were more people reviewing our designs and code. For example, we would really appreciate feedback on the upcoming hidden service revamp or help with the research on guard discovery attacks (see links above).

Also, it's important to note that Tor currently doesn't have funding for improving the security of hidden services. If you are interested in funding hidden services research and development, please get in touch with us. We hope to find time to organize a crowdfunding campaign to acquire independent and focused hidden service funding.

Finally, if you are a relay operator and your server was recently compromised or you lost control of it, please let us know by sending an email to bad-relays@lists.torproject.org.

Thanks to Griffin, Matt, Adam, Roger, David, George, Karen, and Jake for contributions to this post.

Updates:
* Added information about guard node DoS and EntryNodes option - 2014/11/09 18:16 UTC

November 09, 2014

Nice post, but you didn't ask hidden service operators to look at their logs or contact you about anything suspicious. That could help you narrow it down. Many more operations are ongoing, most likely.

More speculation, but now that relays are being seized, it's looking more and more likely to be a guard discovery attack followed by a seizure and log search to find the HS. I hope the guy in Eastern Europe encrypted his node.

It has been posted here many times that there is zero useful data on an exit node; taking them is pointless, unless they took them to hide the fact that they had dirty software on them.

November 09, 2014

I want to know what distro was on these boxes myself, please do post that info. I would make a guess but I don't want flame wars.

It is sure that there was neither OpenBSD nor FreeBSD.
Also, any GNU/Linux distro is the same GNU/Linux distro. Same kernel, same programs, same bugs, same GNU/Linux shit.

November 09, 2014

They may have grabbed a bunch of servers because Facebook created the hidden service and they don't want that idea catching on; this is how they operate. Personally I would like to see someone that can confirm people were arrested. The user certainly wasn't, as he is able to post on the internet.

He meant it about timing the revelation and arrests, not that deanonymization was done after Facebook revealed its HS. He makes a pretty good argument and I definitely second him.

Um, I take it you are already wearing your little tinfoil hat? Facebook had NOTHING to do with this. Laughable thought, or maybe just stupidity on your part. Not sure which.

Anyone who doesn't suspect foul play from the government due to the close proximity is the one being idealistic and prone to tinfoil hat wearing.

The poster did not say Facebook had anything to do with this.
The poster suggested that the timing was used to scare users from using Tor so that other services would not follow Facebook's example and open hidden services as well.

The Feds had some discretion of when to pull the trigger... they may have reacted to Facebook's timing. Senator Schumer said we're coming after dark markets, and Facebook normalizes things just by choosing them. 400 sites is bigger than anyone expected. Because of the takedowns, prospective users may continue to think twice before venturing onto hidden services, rather than assuming it's all clear just because Facebook's there.

November 09, 2014

more DoS de-anonymization research:

November 09, 2014

I have noticed, watching Vidalia the past few days, that my first hop keeps changing insanely, like every few minutes. This has made Tor really slow. It appears someone can attack the first hop, like the Great Firewall of China disconnect. Oddly, the middle and exit are not changing while this insanity is happening.

More details? Tor version, operating system, which bundle, etc?

Changing the first hop while keeping the second and third hop static is not something that Tor does, or something that a network or relay adversary should be able to induce. Are you sure you really have Tor?

Is it true that the NSA etc. surely can _force_ every Tor user to connect to their own entry guard? Just reset the current connection until the client selects the NSA guard. For some time the Tor client uses just one entry guard.

"Is it true that the NSA etc. surely can _force_ every Tor user to connect to their own entry guard?"

I don't know, is it?

Are you asking us or telling us?

Tor Project has not even attempted to hide that information, which your representation of is off anyway. It's actually funded largely by the government, but not the CIA or NSA or FBI. But they are transparent about it and have been since the beginning. The code behind everything is 100% free and open source and is actively reviewed.

Not saying it's *impossible* for there to be a surreptitiously implanted backdoor somewhere in the code, just unlikely given its effectiveness against nation state adversaries in the past. It's also important to note the difference in strength of anonymity between Tor proper and the hidden services protocol. HS need love. Tor proper is much more actively developed, tested and reviewed overall. So HS operators are currently at a disproportionate risk compared to Tor users overall.

Perhaps if Newton had been a representative of the British government and had claimed that gravity could somehow help one in hiding from that entity, then your analogy might make sense.

Newton was the Astronomer Royal, lord overseer of the mint, president of the Royal Society, held the Lucasian Chair in Mathematics at Cambridge, and was a minister (maybe even a bishop, I can't remember) in the Church of England. All of these were (at least technically) appointed by the king. In so far as Isaac Newton ever had a "job", that job was representing the British government. Try again.

Your analogy fails.

Does anybody claim (whether explicitly or implicitly) that the U.S. highway system (or any part thereof) can provide /any/ degree or kind of anonymity or obscurity against /anyone/, much less Uncle Sam (the U.S. government)?

Well the 4th amendment does decree protection of personal privacy, and every citizen's right to be free from unreasonable government intrusion into their persons, homes, businesses, and property. This expectation of privacy extends to vehicles by way of stop.

What about the fact that everyone involved in developing the Internet was the U.S. government? Most major new technology use innovations have come via the military / government. Remember the use of airplanes in WWI? The technologies then expand beyond the sole domain of the government. So your point is ...... ?

"Most major new technology use innovations have come via the military / government."

You are likely correct about that and even if not /most/ then it is still certainly at least /many/ innovations and developments that the government and military sector can be credited with. This taxpayer-funded technology is then appropriated by private corporations, for their own profit, largely at the expense of and to the detriment of the very public that, through their funding, enabled such technology in the first place.

November 09, 2014

My speculation about what happened follows. The attacker floods a particular hidden service with random/innocent GET requests at a chosen time. The network links are monitored for that flood pattern. Then the suspected servers are unplugged briefly, and the attacker checks which HS goes down at the exact same time. Now the search for evidence actually begins. It is a very simple and effective attack, particularly against low-traffic servers.

Right -- this attack will work, but only if you are already in position to monitor the hidden service's network connection. If you can do that, it's easy to *confirm* that it's the hidden service in question.

But if you don't already know where to look, it's hard to do this sort of confirmation attack.

It doesn't have to be global -- it just has to be big enough to include watching your network connection.

It seems clear from recent documents that there is indeed a pervasive passive adversary (whether it's "global" in the academic literature sense doesn't matter much here). On the other hand, maybe the NSA and GCHQ don't want to share with other orgs. I don't think the FBI by itself is a pervasive network adversary yet.

On the third hand, we certainly have heard examples where the pervasive surveillance people and the law enforcement people *do* collaborate. And then where the law enforcement people lie afterwards about how it happened. :( Is this event one of those cases? Are they rare or commonplace? It sure would be nice to have clearer answers about which laws they're breaking and which social expectation boundaries they're overstepping.

>On the other hand, maybe the NSA and GCHQ don't want to share with other orgs.

Why don't you simply ask the NSA? They pay you $100k+ annually for your job at the Tor project, so I assume they'll give you information as well...

>$100k+ annually for your job at the Tor project

Source for that info?

If true that any of the employees of the Tor Project receive a salary that high, I would like to hear how they justify it.

The Tor Project:
- is a not-for-profit organization
- actively requests donations from the general public
- purports to be dedicated to an altruistic cause

The Tor Project, as any other entity with these characteristics, owes its users, its supporters and the general public an explanation of any expenditures of the like that is alleged here.

IMHO that's a very normal developer salary (which is not even competitive in certain areas of the US, at least not for senior engineers etc.)

Tor's IRS forms are published by Tor Project itself: https://www.torproject.org/about/financials.html.en (e.g. 2013: https://www.torproject.org/about/findoc/2013-TorProject-Form990.pdf) (note that particular salaries there are only listed if they are over $100k.)

> The Tor Project:
> - is a not-for-profit organization
> - actively requests donations from the general public
> - purports to be dedicated to an altruistic cause

FYI, "not-for-profit" means that any profit garnered by a company remains within the company. Again, (IMO) > $100k salaries for developers in the Western world (e.g. the US, Germany) are very common, no matter if you are aligning with altruistic causes or not.

Strong software engineers are not cheap. Tor is not something you hire a low paid programmer for.

For the right person I would be okay with them giving $200,000 if it was somebody skilled enough to protect the network for all of us.

Even good talent who love what they're doing need to be paid well if you expect them to stick with Tor.

I think your theory is very good: flooding the hidden service with GET requests and then unplugging parts of the internet briefly, one part at a time, eventually helps to find the hidden service.

Then, by monitoring when the hidden service stops responding, you can round up where the hidden service is by comparing it with the timetables of the unplugged parts of the internet.

And you can run FreeBSD w/ Tor without any HDD! Or better, have Windowz installed on disk and press the reset button. There will be no evidence.

About convincing: how can you convince anyone that you are not a serial killer or a spy? Shouldn't it work only the other way? They should prove it, not you.