Onion Services Research Articles

Onion Services in the Wild: A Study of Deanonymization Attacks

Tor, the leading anonymization network, routes traffic over multiple relays to ensure client anonymity. Its Onion Services allow users to host services within the Tor network without revealing their location. While these techniques are crucial for users in authoritarian regimes and whistleblowers, they are also exploited by criminals. This paper diverges from the common focus on the technical vulnerabilities of the Tor protocol and instead explores the practical aspects of deanonymizing Onion Service users and operators. Despite Tor's robust security mechanisms, human errors in its usage and operation frequently lead to deanonymization. This study models law enforcement agencies as powerful attackers and evaluates documents from 136 court cases to determine investigative methods. We find that investigators employ different methods depending on the offense, with user mistakes being the dominant angle. Technical attacks, though comparatively rare, are highly effective and can potentially impact a large number of users simultaneously. Attacks on the well-researched Tor protocol are exceptionally rare, but their impact is even more significant. We argue that the human aspect of using Tor is the most critical deanonymization angle and that tailored guidelines for ethical users can help protect them from oppressive retaliation while still enabling the prosecution of criminal activity.

Analyzing Darknet Traffic: Examining how Tor Modifications Affect Onion Service Traffic Classification

The important work of classifying network traffic for control and monitoring is examined in this study. Data protection has taken centre stage as privacy concerns have grown over the last two decades. Online privacy is possible through the Tor network, which is well-known for enabling Onion Services and offering user anonymity. But the abuse of this anonymity—especially with Onion Services—has prompted the government to work on de-anonymizing users. In this work, we address three main goals: first, we achieve over 99% accuracy in distinguishing Onion Service traffic from other Tor traf- fic; second, we assess how well our methods perform in the event that Tor traffic is modified to hide information leaks; and third, we detect the utmost significant article integrations for our classification task. This study tackles issues related to privacy challenges and misuse concerns in network traffic analysis.

Darknet Traffic Analysis: Examining How the ADABOOST Algorithm Affects the Classification of Onion Service Traffic Given Modified Tor Traffic

Darknet Traffic Analysis: Examining How the ADABOOST Algorithm Affects the Classification of Onion Service Traffic Given Modified Tor Traffic

Darknet Traffic Analysis Investigating the Impact of Modified Tor Traffic on Onion Service Traffic Classification

Darknet Traffic Analysis Investigating the Impact of Modified Tor Traffic on Onion Service Traffic Classification

Multidimensional Forensic Investigation of Onion Sites Based on Fuzzy Encoded LSTM

The only way to access onion services is via the TOR browser providing anonymity and privacy to the client as well as the server. Information about these hidden services and the contents available on them cannot be gathered like websites on the surface web. So, they become a fertile ground for illegal content dissemination and hosting for cybercriminals. There is a persistent need to classify and block such content from onion sites. In this paper, we investigate data requested from onion services to help law enforcement agencies collect traces of cybercrime on these hidden services. We propose a system using fuzzy encoded LSTM to analyze contents retrieved from these sites and raise alerts if found illegal. The accuracy of fuzzy-encoded LSTM is found to be 81.04 % and it outperforms other classifiers.

A Big Data architecture for early identification and categorization of dark web sites

The dark web has become notorious for its association with illicit activities and there is a growing need for systems to automate the monitoring of this space. This paper proposes an end-to-end scalable architecture for the continuous early identification of new Tor sites and the daily analysis of their content. The solution is built using an Open Source Big Data stack for data serving with Kubernetes, Kafka, Kubeflow, and MinIO, continuously discovering onion addresses in different sources (threat intelligence, code repositories, web-Tor gateways, and Tor repositories), downloading the HTML from Tor and deduplicating the content using MinHash LSH, and categorizing with the BERTopic modeling (SBERT embedding, UMAP dimensionality reduction, HDBSCAN document clustering and c-TF-IDF topic keywords). In 93 days, the system identified 80,049 onion services and characterized 90% of them, addressing the challenge of Tor volatility. A disproportionate amount of repeated content is found, with only 6.1% unique sites. From the HTML files of the dark sites, 31 different low-topics are extracted, manually labeled, and grouped into 11 high-level topics. The five most popular included sexual and violent content, repositories and search engines, carding, cryptocurrencies, and marketplaces. During the experiments, we identified 14 sites with 13,946 clones that shared a suspiciously similar mirroring rate per day, suggesting an extensive common phishing network. Among the related works, this study is the most representative characterization of onion services based on topics to date.

Updated exploration of the Tor network: advertising, availability and protocols of onion services

AbstractThe Tor network is known for its opaque characteristics and involvement in illicit activities, motivating to shed light on the exposure, lifetime, and functionalities of onion services. This study focuses on the appearance of Tor links in online advertising and monitors the connectivity status and protocols of the collected onion domains through the Tor network over 105 days. Out of 54,602 onion addresses gathered, it was found that 38% of Tor links were advertised only once, 43% between two and five times, and 19% more than five times. Furthermore, 50% of the addresses were exclusively advertised on the surface web, 6% on the dark web, and 44% on both portions. The temporal analysis revealed that 67% of the addresses were predominantly active, 7% were intermittent, and 26% were mostly inactive. The study examined fifteen protocols used by onion services, concluding that 94% employed a single protocol, while 6% utilized between two and eight protocols. Among active sites, HTTP was present in 99.75% of cases, followed by SSH (4.95%) and HTTPS (0.64%). Additionally, onion services without web services often deploy cryptocurrency or instant messaging servers. This study offers a comprehensive and current understanding of the dark web, surpassing previous research in its scope.

A general and modular framework for dark web analysis

The dark web, often linked with illegal activities, can be monitored with different solutions. However, these tools are typically purpose-specific and designed for unique use cases. In this study, we propose a flexible and scalable framework that facilitates the easy integration of new workflows for dark web analysis. The design is based on the control, logic and operations layers, supplemented by a tools module, logs management, asynchronous message-based communication and a database. The implementation maps the features into a microservice approach, utilizing the open-source technologies Docker Swarm, Kafka, ELK Stack (Elastic Search, Logstash and Kibana), and PostgreSQL. A workflow to scrape web elements of Tor onion services is deployed and validated, demonstrating considerable framework performance despite the time-consuming task of navigating the dark web. Over 16 h, the framework collected over half million onion domains (84,371 unique ones) and made 78,555 accesses to them.

Recognition of tor malware and onion services

The transformation of the contemporary societies through digital technologies has had a profound effect on all human activities including those that are in the realm of illegal, unlawful, and criminal deeds. Moreover, the affordances provided by the anonymity creating techniques such as the Tor protocol which are beneficial for preserving civil liberties, appear to be highly profitable for various types of miscreants whose crimes range from human trafficking, arms trading, and child pornography to selling controlled substances and racketeering. The Tor similar technologies are the foundation of a vast, often mysterious, sometimes anecdotal, and occasionally dangerous space termed as the Dark Web. Using the features that make the Internet a uniquely generative knowledge agglomeration, with no borders, and permeating different jurisdictions, the Dark Web is a source of perpetual challenges for both national and international law enforcement agencies. The anonymity granted to the wrong people increases the complexity and the cost of identifying both the crimes and the criminals, which is often exacerbated with lack of proper human resources. Technologies such as machine learning and artificial intelligence come to the rescue through automation, intensive data harvesting, and analysis built into various types of web crawlers to explore and identify dark markets and the people behind them. It is essential for an effective and efficient crawling to have a pool of dark sites or onion URLs. The research study presents a way to build a crawling mechanism by extracting onion URLs from malicious executables by running them in a sandbox environment and then analysing the log file using machine learning algorithms. By discerning between the malware that uses the Tor network and the one that does not, we were able to classify the Tor using malware with an accuracy rate of 91% with a logistic regression algorithm. The initial results suggest that it is possible to use this machine learning approach to diagnose new malicious servers on the Tor network. Embedding this kind of mechanism into the crawler may also induce predictability, and thus efficiency in recognising dark market activities, and consequently, their closure.

On the gathering of Tor onion addresses

Exploring the Tor network requires acquiring onion addresses, which are crucial for accessing anonymous websites. However, the Tor protocol presents a challenge, as it lacks a standard method for finding these complex links composed of either 16 or 56 base32-coded characters and featuring the unique “.onion” top-level domain. This study delves into the existing literature analyzing onion services and categorizes the various strategies employed to gather their addresses. The success of each approach is measured by the number of addresses obtained, while the relevancy of the work is evaluated by comparing the number of services uncovered to Tor’s official count. The results indicate that the most used techniques are Tor crawling and repositories, whereas the most effective methods are relay injection, repositories, and Tor crawling. This paper also estimates the representativeness of literature collections, revealing that most past works explored a small portion of the Tor network. The study also uncovers the limitations of onion gathering and sheds light on the challenges for future research to provide more representative datasets for dark web exploration.

Discovering onion services through circuit fingerprinting attacks

Tor onion services provide anonymous service to clients using the Tor browser without disclosing the real address of the server. But an adversary could use a circuit fingerprinting attack to classify circuit types and discovers the network address of the onion service. Recently, Tor has used padding defenses to inject dummy cells to protect against circuit fingerprinting attacks. But we found that circuits still expose much information to the adversary. In this paper, we present a novel circuit fingerprinting attack, which divides the circuit into the circuit generated by the client and the circuit generated by the onion service. To get a more effective attack, we tried three state-of-the-art classification models called SVM, Random Forest and XGBoost, respectively. As the best performance, we attain 99.99% precision and 99.99% recall when using Random Forest and XGBoost classification models, respectively. And we also tried to classify circuit types using our features and the classification model mentioned above, which was first proposed by Kwon. The best performance was achieved with 99.99% precision and 99.99% recall when using the random forest classifier in circuit type classification. The experimental results show that we achieved highly accurate circuit fingerprinting attacks even when application-layer traffic is identical and some type of circuits using the defenses provided by Tor.

Darknet Traffic Analysis: Investigating the Impact of Modified Tor Traffic on Onion Service Traffic Classification

Darknet Traffic Analysis: Investigating the Impact of Modified Tor Traffic on Onion Service Traffic Classification

Evaluating Dynamic Tor Onion Services for Privacy Preserving Distributed Digital Identity Systems

Digital identity documents provide several key benefits over physical ones. They can be created more easily, incur less costs, improve usability and can be updated if necessary. However, the deployment of digital identity systems does come with several challenges regarding both security and privacy of personal information. In this paper, we highlight one challenge that digital identity systems face if they are set up in a distributed fashion: Network Unlinkability. We discuss why network unlinkability is so critical for a distributed digital identity system that wants to protect the privacy of its users and present a specific definition of unlinkability for our use-case. Based on this definition, we propose a scheme that utilizes the Tor network to achieve the required level of unlinkability by dynamically creating onion services and evaluate the feasibility of our approach by measuring the deployment times of onion services.

A Method for Identifying Tor Users Visiting Websites Based on Frequency Domain Fingerprinting of Network Traffic

Although the anonymous communication network Tor can protect the security of users’ data and privacy during their visits to the Internet, it also facilitates illegal users to access illegal websites. Website fingerprinting attacks can identify the websites that users are visiting to discern whether they are performing illegal operations. Existing methods tend to manually extract the traffic features of users visiting websites and construct machine learning or deep learning models to classify the features. While these methods can be effective in classifying unknown website traffic, the effect of classification in the use of defensive measures or onion service scenarios is not yet ideal. This paper proposes a method to identify Tor users visiting websites based on frequency domain fingerprinting of network traffic (FDF). We extract the direction and length features of circuit sequences in access traffic and combine and transform them into the frequency domain. The classification of access traffic is accomplished by using a deep learning classification model combining CNN, FC, and Self-Attention. In this paper, the proposed FDF method is experimentally validated in common scenarios of Tor networks. The results show that FDF outperforms the existing methods for classification in different Tor scenarios. It can achieve 98.8% and 94.3% classification accuracy in undefended and WTF-PAD defense scenarios, respectively. In the onion service scenario, the accuracy is improved by 4.7% over the current state-of-the-art Tik-Tok method.

Multimodal Classification of Onion Services for Proactive Cyber Threat Intelligence Using Explainable Deep Learning

The dark web has been confronted with a significant increase in the number and variety of onion services of illegitimate and criminal intent. Anonymity, encryption, and the technical complexity of the Tor network are key challenges in detecting, disabling, and regulating such services. Instead of tracking an operational location, cyber threat intelligence can become more proactive by utilizing recent advances in Artificial Intelligence (AI) to detect and classify onion services based on the content, as well as provide an interpretation of the classification outcome. In this paper, we propose a novel multimodal classification approach based on explainable deep learning that classifies onion services based on the image and text content of each site. A Convolutional Neural Network with Gradient-weighted Class Activation Mapping (Grad-CAM) and a pre-trained word embedding with Bahdanau additive attention are the core capabilities of this approach that classify and contextualize the representative features of an onion service. We demonstrate the superior classification accuracy of this approach as well as the role of explainability in decision-making that collectively enables proactive cyber threat intelligence in the dark web.

From “Onion Not Found” to Guard Discovery

Abstract We present a novel web-based attack that identifies a Tor user’s guard in a matter of seconds. Our attack is low-cost, fast, and stealthy. It requires only a moderate amount of resources and can be deployed by website owners, third-party script providers, and malicious exits—if the website traffic is unencrypted. The attack works by injecting resources from non-existing onion service addresses into a webpage. Upon visiting the attack webpage with Tor Browser, the victim’s Tor client creates many circuits to look up the non-existing addresses. This allows middle relays controlled by the adversary to detect the distinctive traffic pattern of the “404 Not Found” lookups and identify the victim’s guard. We evaluate our attack with extensive simulations and live Tor network measurements, taking a range of victim machine, network, and geolocation configurations into account. We find that an adversary running a small number of HSDirs and providing 5 % of Tor’s relay bandwidth needs 12.06 seconds to identify the guards of 50 % of the victims, while it takes 22.01 seconds to discover 90 % of the victims’ guards. Finally, we evaluate a set of countermeasures against our attack including a defense that we develop based on a token bucket and the recently proposed Vanguards-lite defense in Tor.

Tor Hidden Services: A Systematic Literature Review

Anonymous communications networks were created to protect the privacy of communications, preventing censorship and traffic analysis. The most famous anonymous communication network is Tor. This anonymous communication network provides some interesting features. Among them, we can mention that Tor can hide a user’s IP address when accessing to a service such as the Web, and it also supports Tor hidden services (THS) (now named onion services) as a mechanism to conceal the server’s IP address, used mainly to provide anonymity to websites. THS is an important research field in Tor. However, there is a lack of reviews that sum up the main findings and research challenges. In this article, we present a systematic literature review that aims to offer a comprehensive overview of the research made on THS by presenting the state-of-the-art and the different research challenges to be addressed. This review has been developed from a selection of 57 articles and presents main findings and advances regarding Tor hidden services, limitations found, and future issues to be investigated.

Dark web advertising: the dark magic system on Tor hidden service search engines

ABSTRACT Drawing on Raymond William’s concept of the ‘magic system,’ this article argues that advertising on the Dark Web is a ‘dark magic system’. The article first defines ‘Dark Web’ and then analyzes over 300 banner advertisements appearing on Tor onion service search engines. The advertisements are categorized into navigation, individual vendors, services, and markets. Next, the article traces the associations the advertisements make between advertised objects and values. The predominant values the advertisements invoke include navigation, OPSEC politics, and a justification to exploit the openness of others. The article then traces the limits of the dark magic system, including the system’s inability to offer metrics, the problems of ‘onion cloners,’ and the constant threat of scams. The article concludes with an argument that the dark magic system is incapable of addressing the sort of anonymized political communication the Dark Web might afford.

Tor’s underworld, ‘onion services’ and child sex abuse material: Submission to the Australian Parliamentary Joint Committee on Law Enforcement inquiry into ‘Law enforcement capabilities in relation to child exploitation’

The Australian Commonwealth Surveillance Legislation Amendment (Identify and Disrupt) Bill 20202, which passed both houses of parliament on August 25, 2021, will assist law enforcement agencies (LEAs) in investigating serious crime including online child sex abuse materials (CSAM). Despite relevant tools such as data disruption, network activity and account takeover warrants, LEAs will nevertheless encounter challenges in the darkweb – notably Tor (formerly known as The Onion Router), the largest of the anonymous platforms. Anonymous Internet services, such as Tor, are designed to evade surveillance and its highly decentralised structure is resilient despite the periodic success of cross-jurisdictional policing operations in disrupting, arresting, and closing both illicit contraband markets and CSAM sites on Tor (Broadhurst, et al., 2021). The deterrent effect of LEA operations tends to be short lived, but can influence the perceptions of risk and deter potential offenders. LEA operations also can stimulate self-regulation (e.g., banning and/or censoring particular products or interests) among some relevant Tor hidden or ‘onion’ service providers. Anonymity also provides opportunities to reach out to existing support ‘communities’ among these online secretive sub-cultures and seek support in crafting relevant online health, education and treatment referral services.This submission considers the capability of Australia’s law enforcement agencies to tackle the growing scourge of child exploitation. In particular, concern about the existence of dedicated CSAM onion services hosted on the Tor network were raised (Terms of Reference [a]). This also required an understanding of the tools used by offenders to access CSAM and the ability of law enforcement to detect CSAM and identify offenders (Terms of Reference [d]). We suggest specific support be provided to develop and evaluate online treatment programs for CSAM offenders using the anonymous format provided by Tor . Finally, we propose a study examining the links between offline and online/contact and non-contact offenders in the context of anonymity (Terms of Reference [f]).

Detection and Analysis of Tor Onion Services

Tor onion services can be accessed and hosted anonymously on the Tor network.We analyze the protocols, software types, popularity and uptime ofthese services by collecting a large amount of .onion addresses. Websites arecrawled and clustered based on their respective language. In order to alsodetermine the amount of unique websites a de-duplication approach is implemented.To achieve this, we introduce a modular system for the real-timedetection and analysis of onion services. The overall data revealsthat a large amount of permanent services provide no actual content for Torusers. A significant part consists instead of bots, services offered via multipledomains, or duplicated websites for phishing attacks. The total amount ofonion services is thus significantly smaller than current statistics suggest