110 Active Tracking Nodes Discovered in the Tor Network

Researchers Identify 110 Active Tracking Nodes in Tor

Cybersecurity researchers from Northeastern University in Boston, Massachusetts, USA, have discovered 110 potentially dangerous Hidden Services Directories (HSDir) in the Tor network. The experts developed HOnions, honeypot hidden services designed to identify misbehaving active nodes in the network that are marked with the HSDir flag.

Study Details and Findings

During a study conducted from February 21 to April 24, 2016, using 1,500 HOnions, the researchers found at least 110 active tracking nodes. Most of these nodes were located in the United States, Germany, the United Kingdom, France, and the Netherlands. According to the experts, potentially dangerous hidden service directories can be used by any researcher studying the “Dark Web,” as well as by government agencies or law enforcement seeking to block access to certain resources.
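One way to reason from honeypot visits to a count of suspect directories, as an added illustration that is not the researchers' code and goes beyond what the article describes. It assumes the operator recorded which HSDirs stored each honeypot's descriptor and that an unadvertised address can only be learned from one of them; the relay names, honeypot ids and visit data are constructed.

```python
# Added illustration; relay names and visit data below are constructed.

PLACEMENTS = {  # honeypot id -> HSDirs that stored its descriptor (assumed known)
    "hp1": {"relayA", "relayB", "relayC"},
    "hp2": {"relayC", "relayD", "relayE"},
    "hp3": {"relayF", "relayG", "relayH"},
    "hp4": {"relayH", "relayI", "relayJ"},
    "hp5": {"relayK", "relayL", "relayM"},  # never visited
}
VISITED = {"hp1", "hp2", "hp3", "hp4"}  # honeypots that logged a request


def candidate_set(placements, visited):
    """Upper bound: every HSDir that stored a visited honeypot's descriptor."""
    return set().union(*(placements.get(hp, set()) for hp in visited))


def explaining_set(placements, visited):
    """Greedy set cover: a small set of HSDirs that accounts for every visit.

    Greedy selection approximates the minimum cover; it is not guaranteed
    to be the smallest possible set. Returns (chosen, unexplained), where
    unexplained holds visited honeypots with no placement record.
    """
    # Invert the mapping: which visited honeypots could each HSDir have seen?
    coverage = {}
    for hp in visited:
        for hsdir in placements.get(hp, ()):
            coverage.setdefault(hsdir, set()).add(hp)

    uncovered = {hp for hp in visited if placements.get(hp)}
    unexplained = set(visited) - uncovered
    chosen = []
    while uncovered:
        # Take the HSDir that explains the most remaining visits;
        # sorting first makes ties resolve deterministically by name.
        best = max(sorted(coverage), key=lambda h: len(coverage[h] & uncovered))
        chosen.append(best)
        uncovered -= coverage[best]
    return chosen, unexplained


if __name__ == "__main__":
    chosen, unexplained = explaining_set(PLACEMENTS, VISITED)
    print("candidates:", len(candidate_set(PLACEMENTS, VISITED)))
    print("smallest explanation found:", chosen, "unexplained:", unexplained)
```

Ten relays are candidates here, but two of them are enough to explain all four visits, which is why such a count is best read as a floor rather than an exact figure.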

Cloud Hosting and Attack Methods

The researchers noted that over 70% of the HSDir nodes were hosted on cloud services, making it nearly impossible to identify their operators. In most cases, the malicious nodes automatically contacted the visited server, although the “honeypots” also detected some human involvement. The malicious nodes attempted to check Apache update status, exploit SQL injection vulnerabilities, cross-site scripting, vulnerabilities in Ruby on Rails and PHP, and perform directory traversal attacks.

Impact on Trust in Tor

According to the experts, such findings undermine trust in the anonymity of the Tor network. It is worth noting that specialists from the Massachusetts Institute of Technology (MIT) in the USA and the École Polytechnique Fédérale de Lausanne (EPFL) in Switzerland are currently working on developing a new anonymous network, which they claim will be more secure than Tor.
