Is “KAX17” performing de-anonymization Attacks against Tor Users?

Major Tor Network Threat Actors

Actor “BTCMITM20” Profile

  • active since at least 2020
  • sophistication: amateur level but persistent and large scale
  • operated relay types: exit relays
  • (known) concurrently running relays peak: >350 relays
  • (known) advertised bandwidth capacity peak: 40 Gbit/s
  • (known) exit probability peak: 27%
  • primary motivation: financial profit (by replacing bitcoin addresses in tor exit traffic)
  • defenses: easy; HSTS preloading for website operators; on tor clients: ensure HTTPS is used properly.

Actor “KAX17” Profile

  • active since at least 2017
  • sophistication: non-amateur level and persistent
  • uses large amounts of servers across many (>50) autonomous systems (including non-cheap cloud hosting providers like Microsoft)
  • operated relay types: mainly non-exit relays (entry guards and middle relays) and to a lesser extent tor exit relays
  • (known) concurrently running relays peak: >900 relays
  • (known) advertised bandwidth capacity peak: 155 Gbit/s
  • (known) probability to use KAX17 as first hop (guard) peak: 16%
  • (known) probability to use KAX17 as second hop (middle) peak: 35%
  • motivation: unknown; plausible: Sybil attack; collection of tor client and/or onion service IP addresses; deanonymization of tor users and/or onion services

What visibility into the tor network did KAX17 have during the past 3 years?

Figure 1: Guard, middle and exit probability by KAX17's relays between 2019-01-01 and the removal event on 2021-11-08. Graph by nusenu (raw data source: Tor Project/onionoo)
  • first hop probability (guard) : 10.34%
  • second hop probability (middle): 24.33%
  • last hop probability (exit): 4.6%

The unexpected hint towards a better understanding of the mystery

  • are in fact operated by a single entity and
  • all of them are actually part of KAX17.

What is special about KAX17?

KAX17's involvement in tor-relays policy discussions

Self-defense: Helping tor users help themselves

Non-spoofable operator identifiers

  1. add
    url:example.com proof:uri-rsa ciissversion:2
    to her relay’s ContactInfo
  2. publish the relay’s fingerprint at the IANA registered well-known URI:
    https://example.com/.well-known/tor-relay/rsa-fingerprint.txt
    (or create a DNS TXT record).
Figure 2: >50% of the tor network’s exit capacity has proven their domain according to the CIISS specification. Source: nusenu (an interactive version of the graph can be found at OrNetStats)
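The client-side check that the two steps above enable, as an added example (not the page's proof-of-concept code or any Tor Project tool): parse the relay's ContactInfo, require proof:uri-rsa with ciissversion:2, and confirm the relay's fingerprint is listed in the operator's well-known file. The ContactInfo string, the fingerprints and the file contents are constructed for the example, and the fetch is an offline stand-in for the HTTPS GET; the comment-line handling and the scheme stripping on url: are assumptions.

```python
import re
from typing import Optional

# Constructed sample data: one relay's ContactInfo (format as on the page) and
# the body that fetching https://example.com/.well-known/tor-relay/rsa-fingerprint.txt
# would return (one 40-hex-char relay fingerprint per line).
SAMPLE_CONTACTINFO = "Relay Operator <ops@example.com> url:example.com proof:uri-rsa ciissversion:2"
SAMPLE_WELLKNOWN = {
    "example.com": "# constructed operator relay list\n"
                   "0123456789ABCDEF0123456789ABCDEF01234567\n"
                   "FEDCBA9876543210FEDCBA9876543210FEDCBA98\n",
}

FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")


def parse_contactinfo(contactinfo: str) -> dict:
    """Pull the key:value tokens we care about (url, proof, ciissversion) out of a ContactInfo string."""
    fields = {}
    for token in contactinfo.split():
        key, sep, value = token.partition(":")
        if sep and key in ("url", "proof", "ciissversion"):
            fields[key] = value
    return fields


def wellknown_uri(domain: str) -> str:
    """IANA-registered well-known URI where the operator publishes relay fingerprints."""
    return f"https://{domain}/.well-known/tor-relay/rsa-fingerprint.txt"


def fetch_wellknown(domain: str) -> Optional[str]:
    """Offline stand-in for an HTTPS GET of wellknown_uri(domain); returns None if unreachable."""
    return SAMPLE_WELLKNOWN.get(domain)


def proven_domain(contactinfo: str, fingerprint: str) -> Optional[str]:
    """Return the operator domain if it vouches for this relay's fingerprint, else None."""
    fields = parse_contactinfo(contactinfo)
    if fields.get("ciissversion") != "2" or fields.get("proof") != "uri-rsa":
        return None  # only the uri-rsa proof type is handled here; dns-rsa is not implemented
    # Assumption: url: may carry a scheme; strip it and accept only a bare hostname.
    domain = re.sub(r"^https?://", "", fields.get("url", "")).rstrip("/").lower()
    if not re.fullmatch(r"[a-z0-9.-]+", domain):
        return None
    body = fetch_wellknown(domain)
    if body is None:
        return None  # no file, no proof: the domain claim in ContactInfo stays unverified
    listed = set()
    for line in body.splitlines():
        line = line.strip().upper()
        if line and not line.startswith("#") and FINGERPRINT_RE.match(line):
            listed.add(line)
    return domain if fingerprint.upper() in listed else None
```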

Trusting operator domains

Proof of concept implementation

Summary

  • A mysterious actor which we gave the code-name KAX17 has been running large fractions of the tor network since 2017, despite multiple attempts to remove them from the network during the past years.
  • KAX17 has been running relays in all positions of a tor circuit (guard, middle and exit) across many autonomous systems putting them in a position to de-anonymize some tor users.
  • Their actions and motives are not well understood.
  • We found strong indicators that a KAX17 linked email address got involved in tor-relays mailing list discussions related to fighting malicious relays.
  • Detecting and removing malicious tor relays from the network has become an impractical problem to solve.
  • We presented a design and proof of concept implementation towards better self-defense options for tor clients to reduce their risk from malicious relays without requiring their detection.
  • Most of the tor network’s exit capacity (>50%) supports that design already. More guard relays adopting the proven domain are needed (currently at around 10%).

Acknowledgements

Appendix

Figure 3: Running KAX17 relays and their advertised bandwidth since 2019-01-01. Graph by nusenu
Figure 4: Running KAX17 middle-only relays show a monthly pattern. Starting on the first day of each month. Graph by nusenu
Figure 5: Running KAX17 guard relays do not show the same monthly pattern (also because the guard flag has some requirements that relays regularly disappearing do not meet). Graph by nusenu

nusenu
Tor, Routing Security and DNS Privacy related Topics. https://nusenu.github.io