The scientists from Northwestern University have carried out the experiment in the network Tor. It has been held from 12th February till 24th April 2016. The researches set going approximately 1500 trap-servers HOnions that managed to find out 110 dangerous HSDirs (Hidden Services Directories).
HSDirs implied Tor servers which stored information and directed the users to ".onion" addresses. However, HOnions were in operation like normal hidden services, but actually it was used for tracking the traffic.
As the researchers have stated Tor anonymity and security are based on the hypothesis that the most services are honest and operate in the right way. In fact the privacy of hidden services depends on operator’s honesty of hidden services directories (HSDirs).
The experiment has been held for 72 days. At least 110 malicious HSDirs were found out, most of which were located in the US, France, Great Britain and the Netherlands. The scientists state that 70% HSDirs operate based on professional cloud infrastructure. In addition it complicates its analysis. 25% are HSDirs and exit nodes simultaneously allowing their operators to track all the unencrypted traffic and perform man-in-the-middle attacks.
According to the report which has been presented on the symposium Privacy Enhancing Technologies the various behaviors of HSDirs has been disclosed. While some required description.json files and took interest in upgrade state on Apache, the other tried to attack through SQL Injection, Cross-Site Scripting (XSS).
The developers of the project Tor did not leave it unattended and poste the message on the official blog. Tor has internal identification system. If such a relay is found out, it is ruled out from the network. Unfortunately, the intrusion-detection technology is non-perfect. Working independently should lead to the shared objective.