Deanonymization of Hidden Services by DDoS

TL;DR: Basically, an attacker owns a bunch of TOR nodes, and then he DDoSes the nodes he doesn't own until the hidden service is forced to utilize the attacker's compromised nodes.

I recently posted in the TOR subreddit asking how DDoS could be used to deanonymize hidden services. If anyone is interested in this topic, here's the link to my thread there (EDIT: the people who replied there have much more technical knowledge than I do and really explain this stuff well):

https://www.reddit.com/r/TOR/comments/7lt954/ddos_related_deanonymization_techniques/

I fully believe that the DDoS attacks we are seeing on markets and vendor shops are being carried out by certain government agencies in order to deanonymize them.

Here is a link to documentation on how a similar attack to this could be carried out by an attacker with limited resources:

https://www.ohmygodel.com/publications/sniper-ndss14.pdf

In conclusion, I believe that this is just one more thing that will push the markets towards the decentralized options. I also believe that established vendors could in the future move away from having a site/shop of any sort at all. Perhaps a better way for them would be to have a "mailing list" in which they email an inventory/pricelist to those who have signed up and then do all DD's through an email service accessed through TOR.


Comments


[5 Points] CocaineNose:

Wasn't there speculation that this method was used for Operation Onymous?


[6 Points] _barlavon:

How many times is this going to be posted? I am getting sick of it. This doesn't work on darknet markets anymore because they should be running their own entry guard with an edit in their torrc. Their torrc lists the entry guard to connect to. Even if the entry guard is attacked, the HS will not connect to an entry guard not specified in torrc. For example: EntryNode {{name}} EntryNode {{fingerprint}}

A hidden service should only use one to avoid correlation. If the attacker uses a guard discovery attack with relay nodes, the attacker can capture two entry guards and compare the lists of IPs that connect. Then they capture you!


[2 Points] DOXX_R_US:

Of COURSE the attacks are being done by governments lol. Nobody else has the amount of money and resources necessary to launch such a huge DDoS attack for such a length of time.


[1 Points] scoobydrool:

Fed here. can confirm. 5/5 FE early, will update when GG in the catacombs


[1 Points] Joskins:

> I fully believe that the DDoS attacks we are seeing on markets and vendor shops are being carried out by certain government agencies in order to deanonymize them.

I believe this is correct. It has the added bonus of messing with the sites also.


[1 Points] Forlls_serious:

What you're talking about is illegal.... they would never do that


[1 Points] NK-Hackers:

Correcto-Mondo haha..you like Fonzi? We like Fonzi very much!


[1 Points] Loumier:

Is there any way to make the TOR network stronger against these attacks and ensure that anonymous services can use trustworthy nodes?