
How more than 100 malicious Tor nodes were identified

Researchers identified 110 malicious Tor HSDirs that were found snooping information. Expert Kevin Beaver discusses the takeaways from this research for enterprises.

Early in 2016, researchers at Northeastern University published a paper detailing their research findings related to bad relays in the Tor environment. As defined by the Tor project, "a bad relay is one that either doesn't work properly or tampers with our users' connections. This can be either through maliciousness or misconfiguration." In the Tor research paper, titled "HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs", Amirali Sanatinia and Guevara Noubir documented their findings related to a series of seemingly malicious Tor nodes that were probing the project's hidden services to, perhaps, deanonymize users by targeting the Tor hidden services directories.

Tor already has its own system for discovering bad relays, but these bad relays went undetected until now. By deploying 1,500 honey onions (honions), the researchers logged the requests made by HSDirs, including the visited hidden service, the time of the visit and the honion address. Their algorithm allowed them to estimate the number of, and identify, potentially malicious Tor nodes acting as hidden service directories. Over a period of 72 days, a total of 110 malicious Tor nodes were found to be snooping on the hidden services they hosted. More than half of these bad relays were hosted in the cloud, which can, obviously, make identification a bit more difficult. Differences in how quickly the honions were visited also showed that the behavior of these nodes varied.
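As an added illustration of the identification step described above (example code, not from the paper or the Tor Project), the script below applies the basic deduction to constructed data: an HSDir that held an unvisited honion is treated as clean, and a greedy minimum set cover then picks the fewest remaining HSDirs that explain every logged visit. The set-cover model, the deterministic-snooping assumption and all names and log lines are this example's own assumptions.

```python
from collections import Counter

# Constructed sample data (not from the paper): the HSDirs each honion's
# descriptor was published to, and the request log the honions recorded.
HONION_HSDIRS = {
    "honion-a": {"hsdir-1", "hsdir-2", "hsdir-3"},
    "honion-b": {"hsdir-2", "hsdir-4"},
    "honion-c": {"hsdir-3", "hsdir-5"},
    "honion-d": {"hsdir-4", "hsdir-6"},
    "honion-e": {"hsdir-5", "hsdir-6"},
    "honion-f": {"hsdir-1", "hsdir-7"},
}
VISIT_LOG = [  # constructed log lines: "<time> <honion> <method> <path>"
    "2016-02-12T03:14:07Z honion-a GET /",
    "2016-02-12T09:40:51Z honion-b GET /",
    "2016-02-14T22:05:33Z honion-d GET /index.html",
    "2016-02-15T01:02:03Z honion-a GET /robots.txt",
]

def visited_honions(log_lines):
    """Honion addresses that received at least one request."""
    return {line.split()[1] for line in log_lines}

def candidate_hsdirs(honion_hsdirs, visited):
    """HSDirs that could have snooped. Any HSDir that held an unvisited honion
    is ruled out: a snooping HSDir would have probed every descriptor it
    stored, so all of its honions would appear in the log (an assumption)."""
    clean = set().union(*(h for n, h in honion_hsdirs.items() if n not in visited))
    suspects = set().union(*(h for n, h in honion_hsdirs.items() if n in visited))
    return suspects - clean

def identify_snoopers(honion_hsdirs, visited):
    """Greedy minimum set cover over the candidates: repeatedly blame the HSDir
    that explains the most still-unexplained visits. Returns the blamed HSDirs
    and any visited honions that no candidate can account for."""
    candidates = candidate_hsdirs(honion_hsdirs, visited)
    unexplained, blamed = set(visited), []
    while unexplained:
        coverage = Counter(d for n in unexplained for d in honion_hsdirs[n]
                           if d in candidates and d not in blamed)
        if not coverage:
            break  # visits the model cannot explain, e.g. a probe that was not an HSDir
        best = min(coverage, key=lambda d: (-coverage[d], d))  # most coverage, then name
        blamed.append(best)
        unexplained -= {n for n in unexplained if best in honion_hsdirs[n]}
    return sorted(blamed), sorted(unexplained)

if __name__ == "__main__":
    print(identify_snoopers(HONION_HSDIRS, visited_honions(VISIT_LOG)))
```

On the sample data the cover is unique, since each visited honion has only one HSDir left after the clean ones are removed; on real data several covers can fit equally well, which is why the paper reports an estimate rather than a definitive list.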

The anomalous hidden service directories uncovered were presumably set up to discover specific honion addresses rather than the actual IP addresses of visitors or hosts. Perhaps this is not a huge deal, but what does it mean for the future of the Tor Project? It seems that nothing really changes. Many of the bad relays that this research uncovered have already been removed, and when a bad relay is found in the Tor network, it is removed according to established procedures. If anything, Tor is only going to become more resilient thanks to this type of research. What the findings do show is that the Tor ecosystem is highly complex, with potentially malicious actors lurking and monitoring what's going on. That is something that cannot be taken lightly, especially at the enterprise level.

It's rare to come across an organization that explicitly permits or denies Tor usage. That said, the reality is that Tor is being used at the enterprise level -- some of it for good and, perhaps, some of it for bad. Given the complexity of their networks and their lack of visibility into them, the majority of organizations are likely unaware of any such usage. To minimize business risk, enterprise IT and information security managers should take appropriate steps to monitor and control Tor usage, through policies, processes and technologies. Existing Tor users have undoubtedly performed their own risk/reward analysis, but it's still good to see this kind of research emerging, as it can help users make more informed decisions.


This was last published in October 2016
