Deanonymizing Onion Services by Introducing Packet Delay

University essay from Blekinge Tekniska Högskola

Author: Johannes Ödén; [2022]


Abstract: Background. Onion services facilitate two-way communication over the Tor network without letting either party know the other's address or location. Many techniques for breaking that anonymity have been proposed, but most of them exist only on paper. Some have been tested, but only on a separate network and not on the live Tor network. Objectives. This thesis presents a technique that, with minimal intrusion into the Tor network and no manipulation of the Introduction relay or the Rendezvous relay, can break the anonymity of an Onion service. Methods. The technique has been tested on the live Tor network with the approval of an ethics board. The Onion service's anonymity was broken by having the Guard relay that the Onion service used to connect to the Tor network introduce a watermark containing the IPv4 address of the Onion service into the TCP packets' Request-Response Time (RRT). The TCP packets were used to transmit the watermark: an HTTP echo request was sent from a Tor client, the RRT was captured, and the watermark was decoded. Decoding the watermark required the normal RRT of packets on the Tor network, so HTTP echo requests were also sent without the watermark to collect that data. Results. The watermark was decoded by the Tor client 88.80% of the time out of 607 tries. Conclusions. While this technique was proven to work, what holds it back is the need for the Onion service to choose the Guard relay that introduces the watermark. The chance that a specific Guard relay is chosen depends on that relay's history on the Tor network. However, it is usually about 0.005%, meaning it would take around 20000 tries to break the anonymity of a random Onion service if only one Guard relay is used.
