
https://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity
https://en.wikipedia.org/wiki/Tor_(anonymity_network)
https://www.incibe-cert.es/en/blog/tor-hs-deanonymization
http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf

De-Anonymization in Tor Network

Introduction

What is Tor Network?

Tor is free and open-source software for enabling anonymous communication by directing
Internet traffic through a free, worldwide, volunteer overlay network consisting of more than
seven thousand relays, in order to conceal a user's location and usage from anyone
conducting network surveillance or traffic analysis. Onion routing is implemented by encryption in
the application layer of a communication protocol stack, nested like the layers of an onion. Tor
encrypts the data, including the next-node destination IP address, multiple times and sends it
through a virtual circuit comprising successive, randomly selected Tor relays. Each relay decrypts
one layer of encryption to reveal the next relay in the circuit and passes the remaining encrypted
data on to it. The final relay decrypts the innermost layer of encryption and sends the original data
to its destination without revealing or knowing the source IP address. An onion is a data structure
that onion routers treat as the destination address; it is thus used to establish an anonymous
connection. Because the routing of the communication is partly concealed at every hop in the Tor
circuit, this method eliminates any single point at which the communicating peers could be
determined through network surveillance that relies upon knowing both source and destination.
Tor has also been called "the king of high-secure, low-latency Internet anonymity".
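The layering described above, as an added stand-alone example (not code from the page or from the Tor project): a client wraps a payload in one encryption layer per relay, each relay strips exactly one layer and learns only who handed it the data and where to forward the rest, and only the exit sees the real destination. The per-hop cipher is a toy SHA-256 keystream XOR and the relay keys are pre-shared constants; both are assumptions so the script runs on the standard library. Real Tor negotiates per-hop AES-CTR keys during circuit construction and uses a fixed cell format, neither of which is modelled here.

```python
import hashlib
import struct

# --- toy per-hop cipher ------------------------------------------------------
# Keystream derived from SHA-256 over (key, counter), XORed with the data. This
# stands in for Tor's real per-hop keys so the script needs no third-party
# library; it is NOT Tor's cryptography or cell format.
def _keystream(key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call both adds and strips a layer."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


# --- layer framing: [2-byte length][next-hop name][inner blob] ----------------
def _frame(next_hop: str, inner: bytes) -> bytes:
    hop = next_hop.encode()
    return struct.pack(">H", len(hop)) + hop + inner


def _unframe(data: bytes):
    (n,) = struct.unpack(">H", data[:2])
    return data[2:2 + n].decode(), data[2 + n:]


def build_onion(route, keys, destination: str, payload: bytes) -> bytes:
    """Client side. Wrap innermost-first: the exit's layer carries the real
    destination, every earlier relay's layer carries only the next relay name."""
    blob = xor_crypt(keys[route[-1]], _frame(destination, payload))
    for i in range(len(route) - 2, -1, -1):
        blob = xor_crypt(keys[route[i]], _frame(route[i + 1], blob))
    return blob


def peel(key: bytes, blob: bytes):
    """Relay side: strip one layer, learn the next hop and the remaining blob."""
    return _unframe(xor_crypt(key, blob))


def traverse(route, keys, onion: bytes, source: str = "client"):
    """Forward the onion hop by hop and record what each relay can observe:
    who handed it the data and where it must send the remainder."""
    views = []
    prev, blob = source, onion
    for relay in route:
        next_hop, inner = peel(keys[relay], blob)
        views.append({"relay": relay, "from": prev, "to": next_hop})
        prev, blob = relay, inner
    return views, blob  # blob is now the plaintext the exit delivers


if __name__ == "__main__":
    route = ["guard", "middle", "exit"]
    # Constructed pre-shared keys (assumption); Tor derives these per circuit.
    keys = {r: hashlib.sha256(r.encode()).digest() for r in route}
    onion = build_onion(route, keys, "example.org:443", b"GET / HTTP/1.1")
    views, delivered = traverse(route, keys, onion)
    for v in views:
        print(f"{v['relay']:>6}: received from {v['from']:<7} forwards to {v['to']}")
    print("exit delivers:", delivered)
```

Running it shows the property the paragraph states: the guard's view pairs "client" with "middle", the exit's view pairs "middle" with the destination, and no single relay's view contains both the source and the destination.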

What is De-Anonymization in Tor Network?

De-anonymization is a technique used in data mining that attempts to re-identify encrypted
or obscured information. De-anonymization, also referred to as data re-identification, cross-
references anonymized information with other available data in order to identify a person,
group, or transaction.
Need for De-Anonymization

Although Tor was created to improve the privacy of Internet users and avoid censorship, it may
also be employed for other purposes. A recent example that shows the illegitimate trend of
the actions carried out through Tor is described in the FinCEN (Financial Crimes Enforcement
Network) report from the U.S. Department of State. This report states that out of a total of 6048
suspicious activities reported by banks between 2001 and 2014, at least 975 involved Tor nodes
(however, we must recall that the initial release of Tor dates back to 2002). Equally, Operation
Onymous has been very representative, having been executed by various international security
organizations (Europol and FBI amongst others). Through this operation, 17 people who were
responsible for 400 .onion addresses associated with a total of 27 websites (hidden services) were
arrested.

A hidden service (HS from now on) publishes "contact information" (known as the hidden
service descriptor) in a database distributed over the Tor network. Subsequently, any client that
wants to use the service accesses the database and uses that information to contact the HS
through a meeting point (rendezvous), where both of them (client and HS) establish a Tor circuit
to avoid being traced. The final result is a connection as shown in the following graphic:

- Connection between a Tor client and a hidden service -


Notwithstanding, it is important to note that this way of functioning is more delicate in terms of the
anonymity guarantees offered to the hidden service. In this case, when evaluating its security, it
is necessary to assume that the other end of the communication (the client) is under the control
of an attacker. In other words, to break the anonymity of a Tor client, it is necessary to
compromise both the network's entry node and its exit node. On the other hand, to break the
anonymity of a hidden service, just the exit node needs to be compromised (given that the entry
node could directly be the attacker).

Methods of De-Anonymization

An important Tor network concept in these attacks is that of the nodes known as entry guards.
These are special nodes that clients and hidden services choose (and rotate periodically) to
access the Tor network. Therefore the entry guards are the only nodes that see the real IP
addresses of those accessing Tor. In what follows, assume that an attacker wants to obtain the
real IP address (123.124.125.126) of a hidden service with the address xyz.onion. One of the
attacks described in the mentioned article is as follows:

1. A node controlled by the attacker is selected as an entry guard on behalf of the xyz.onion
   hidden service.
2. The client (attacker) establishes a connection with xyz.onion.
   - As the attacker is the one establishing the connection, he can choose a rendezvous
     node that he controls.
   - This connection is associated with a cookie created by the client (attacker), which is
     also transmitted to the hidden service; the rendezvous node uses it to
     distinguish between connections.
3. When the service at xyz.onion connects to the malicious rendezvous point:
   - The rendezvous node can associate this connection initiated by xyz.onion with
     the connection it started itself, as it carries the same cookie.
   - The rendezvous node sends anomalous traffic (the researchers suggest sending 50
     packets of a specific type) towards xyz.onion, followed by a request to close the
     connection.
4. Finally, the entry guard controlled by the attacker associates the connection received
   from 123.124.125.126 with the rendezvous node's connection to the xyz.onion service if:
   - The entry guard receives a request to shut down the connection after the
     rendezvous node receives the xyz.onion connection with the cookie created by
     the attacker.
   - The number of packets received by the entry guard matches the pattern of 50
     packets sent by the rendezvous node.

In other words, following this process, the attacker can associate the 123.124.125.126 IP
address with the xyz.onion hidden service.
The following scheme graphically represents the attack.

- Scheme of an attack on a hidden service -


One important aspect remains: the attack depends on the hidden service choosing a node
controlled by the attacker as an entry guard. However, given the selection policy for these
nodes at the time of the investigation, the authors estimated that, at a cost of 8280€ and over an
interval of 8 months, there would be a 90% chance that one of their servers (they deployed 23 in
their experiments) would be selected as an entry guard by any long-lived hidden service. This
time and cost is by no means beyond the reach of large organizations.

Minimizing the success probability of the attack


As shown, entry guards and their selection policies play a very important role in Tor. This policy
was based on choosing three entry guards, which rotate every 30 to 60 days. However, to
increase the difficulty of these types of attacks by minimizing the probability of choosing an entry
guard controlled by an attacker, Tor developers have changed this policy so that each Tor
user (including hidden services) now chooses only one entry guard. Recently, they have also
suggested increasing the rotation period of the entry guard to 9 months.
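To make the reasoning of the last two sections concrete, here is an added example (not the authors' model and not Tor's own code) that computes how the guard policy parameters change an attacker's chance of ever being picked as a hidden service's entry guard. It treats every guard selection as an independent draw that lands on the attacker with probability equal to the attacker's share of guard bandwidth; that share, the 45-day midpoint of the 30 to 60 day rotation window, and an 8-month horizon of 240 days are all constructed assumptions, and the model deliberately ignores bandwidth weighting and selection without replacement, so the numbers are not the paper's 90% figure, only the shape of the comparison.

```python
import math


def selection_draws(num_guards: int, rotation_days: float, horizon_days: float) -> int:
    """Number of guard selections a service makes over the horizon: each guard
    slot is filled once at start and re-filled at every rotation."""
    return num_guards * math.ceil(horizon_days / rotation_days)


def compromise_probability(attacker_fraction: float, num_guards: int,
                           rotation_days: float, horizon_days: float) -> float:
    """P(at least one selection lands on an attacker relay). Model assumption:
    every draw is independent and hits the attacker with probability
    attacker_fraction (the attacker's share of guard-weighted bandwidth)."""
    draws = selection_draws(num_guards, rotation_days, horizon_days)
    return 1.0 - (1.0 - attacker_fraction) ** draws


def attacker_fraction_needed(target_probability: float, num_guards: int,
                             rotation_days: float, horizon_days: float) -> float:
    """Invert the model: what bandwidth share gives the attacker the target
    probability of being selected at least once within the horizon?"""
    draws = selection_draws(num_guards, rotation_days, horizon_days)
    return 1.0 - (1.0 - target_probability) ** (1.0 / draws)


# Policies from the text: (number of guards, rotation period in days).
# 45 days is an assumed midpoint of the 30-60 day window; 270 days ~ 9 months.
POLICIES = {
    "old: 3 guards, ~45-day rotation": (3, 45),
    "current: 1 guard, ~45-day rotation": (1, 45),
    "proposed: 1 guard, 9-month rotation": (1, 270),
}


def compare_policies(attacker_fraction: float, horizon_days: float = 240) -> dict:
    """Compromise probability under each policy for the same attacker share."""
    return {name: compromise_probability(attacker_fraction, guards, rotation, horizon_days)
            for name, (guards, rotation) in POLICIES.items()}


if __name__ == "__main__":
    share = 0.02  # constructed: attacker controls 2% of guard bandwidth
    print(f"attacker share {share:.0%}, horizon 240 days")
    for name, p in compare_policies(share).items():
        print(f"  {name:<38} P(selected) = {p:.3f}")
    print("share needed for a 90% chance within 240 days")
    for name, (guards, rotation) in POLICIES.items():
        f = attacker_fraction_needed(0.9, guards, rotation, 240)
        print(f"  {name:<38} {f:.3f}")
```

The output shows the two levers the developers pulled: fewer guards means fewer draws per rotation, and a longer rotation means fewer rotations per horizon; with one guard rotated every 9 months an attacker gets a single draw in 8 months, so the probability collapses to the attacker's raw bandwidth share.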
