Data Security, Threat Management

Honeypots Aren’t the Only Way to Catch Criminals

By Katherine Teitler

 “Honey onions” help researchers find malicious relays in Tor

The Tor network, once known for its ability to provide anonymity and privacy for internet users, is once again losing the confidence of security and privacy advocates. 

Two researchers at Northwestern University published the findings of a 72-day experiment during which they looked to “detect and identify misbehaving and snooping HSDirs,” hidden services directories, nodes within Tor hidden services, a key element of allowing hosts on the network to remain anonymous and protect users’ privacy. The researchers, Amirali Sanatinia and Guevara Noubir, built a framework they termed “honey onions” (HOnions), which were used to scope out when a Tor relay had been modified. Once modified, a relay can expose the actual IP address of a server, essentially exposing it and obfuscating any privacy promises.

Sanatinia and Noubir found “at least” 110 misbehaving and snooping relays throughout the duration of their project.

To develop a reliable test, one that would deliver a significantly high probability of accuracy and completeness of coverage, the pair generated “around” 1,500 honions to scan the nearly 3,000 HSDirs on Tor. HOnions were scheduled for deployment daily, weekly, and monthly so that they could detect “malicious HSDirs who visited the honions shortly (less than 24 hours) after hosting them,” as well as keeping track of the HSDirs that visited more infrequently, theoretically in an effort to avoid detection. Each server request was logged including date and time, helping Noubir and Sanatinia evaluate the snoopers’ behavior and identify them as potentially malicious or misbehaving.


During the experiment, which lasted from February 12, 2016 and April 24, 2016 (only daily honions ran between Feb. 12-21), the researchers detected more than 40,000 visits, which helped them identify the suspicious 110 snooping relays.

The experiment also helped the researchers establish the top countries from which the malicious nodes were originating. They are the U.S., Germany, France, the UK, and the Netherlands.


Furthermore, the paper explains that, “more than 70% of these HSDirs are hosted in cloud services,” making the identification of the faulty and/or harmful service operators even more challenging. Complicating matters still, apparently some cloud providers have started collecting Bitcoins as payment for their services, shrouding the path to identification of what the team calls “misbehaving entities.”

Sanatinia and Noubir first presented their finding in Darmstadt, Germany during at the Privacy Enhancing Technologies Symposium earlier in July, and are scheduled to present in Las Vegas at DEF CON on Friday, August 5, 2016.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.