A Method of Disclosing .Onions

December 3 2018

Browsing via Tor is still fine; hosting onions is (possibly) less fine.

In theory this post is sound. Executing it would take real collaboration that probably doesn't exist, and given how much certain operations benefit from Tor it would probably be counterproductive, but it is something to think about all the same. We will cover three methods (a slow one, a fast one, and a variant of the fast one) of asking the same question. The question is two-fold, and the two answers together give one result:

Question 1: Is the IP address up

Question 2: Is the .onion up

If the answers to questions 1 and 2 always match, there is a potential correlation of state. What does that mean? If the IP address is up whenever the .onion is online, and the IP address is down whenever the .onion is down, then perhaps the .onion is hosted on that IP. The informative case is both being down at the same moment: both being up is the normal state of the internet and says very little on its own, and a single observation of the IP down while the .onion stays up rules that IP out (unless the service is load-balanced, see below).

Now the hard part, Execution

The slowest but most viable way to do this (as far as I can tell) is to monitor ISP outages at scale (I'd love to hear how this might be possible in a meaningful way). When an ISP goes down, attempt to resolve your target .onions and cross-reference the state (up/down): is the IP down and the .onion down, or the IP down and the .onion up? You are dependent on ISP outages or large-scale network faults (BGP hijacks perhaps), and you have no control over when they happen; all you can do is have a system in place that reacts when they do.


The quickest but least viable way to do this would need collaboration from core networks, governments and operators to allow controlled outages. Milliseconds of outage would be the most desirable, just enough time to check whether the IP address is down and whether the .onion is down (or up), then move to the next one, perhaps an ASN at a time as a quick way to home in. One caveat: an outage only registers if it lasts longer than the probe itself. A millisecond blackhole is absorbed by TCP retransmission and Tor's circuit timeouts, so the window has to be long enough for the .onion probe to actually fail, yet short enough not to be noticed. This would be a nightmare for financial networks where outages are simply not allowed; the financial overhead of failed connections would have to be either accounted for or rejected outright. Alternatively, instead of null-routing the IP addresses you could throttle them, but this would need performance tuning, and you might have to inject a bunch of Tor nodes into the network to make the timing difference measurable.
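The correlation step is the same whichever way the outage windows are obtained (waiting for ISP outages or inducing them). The following is an added example, not code from the original post: it assumes a probe schedule that records, for each outage window, whether each candidate IP answered and whether the target .onion answered through Tor, and it tallies the four possible state combinations per candidate IP. The observation records and IP addresses are constructed for illustration; the probes themselves (a TCP connect to the IP, a fetch of the .onion over a Tor SOCKS proxy) are outside this snippet.

```python
"""Correlate IP reachability with .onion reachability across outage windows.

Added example, not code from the original post. Assumes each probe round
("window") yields one record per candidate IP: did the IP answer, and did
the target .onion answer through Tor during the same window?
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    window: str     # label of the outage window / probe round
    ip: str         # candidate IP address probed during that window
    ip_up: bool     # True if the IP answered (e.g. TCP SYN/ACK came back)
    onion_up: bool  # True if the target .onion answered through Tor


@dataclass
class Tally:
    joint_down: int = 0        # IP down and onion down: the strongest support
    joint_up: int = 0          # both up: the normal state, weak support only
    ip_down_onion_up: int = 0  # strong contradiction unless onion is load-balanced
    ip_up_onion_down: int = 0  # weak: the onion may be down for unrelated reasons

    def verdict(self, strict: bool = True) -> str:
        # strict=False is for load-balanced onions, where one backend going
        # down does not take the service down, so IP-down/onion-up is expected.
        if strict and self.ip_down_onion_up > 0:
            return "ruled_out"
        if self.joint_down > 0:
            return "candidate"
        return "unknown"


def check_windows(observations):
    """The onion has exactly one state per window; a mix means a probe bug."""
    seen = {}
    for o in observations:
        if seen.setdefault(o.window, o.onion_up) != o.onion_up:
            raise ValueError(f"inconsistent onion state in window {o.window}")


def correlate(observations):
    """Return {ip: Tally} after classifying every observation."""
    check_windows(observations)
    tallies = defaultdict(Tally)
    for o in observations:
        t = tallies[o.ip]
        if not o.ip_up and not o.onion_up:
            t.joint_down += 1
        elif o.ip_up and o.onion_up:
            t.joint_up += 1
        elif not o.ip_up and o.onion_up:
            t.ip_down_onion_up += 1
        else:
            t.ip_up_onion_down += 1
    return dict(tallies)


def rank(observations, strict: bool = True):
    """Candidate IPs ordered by number of joint outages, most first."""
    tallies = correlate(observations)
    cands = [(ip, t) for ip, t in tallies.items()
             if t.verdict(strict) == "candidate"]
    cands.sort(key=lambda item: item[1].joint_down, reverse=True)
    return [ip for ip, _ in cands]


# Constructed sample: three candidate IPs watched across four probe rounds.
# The onion was down in rounds 1 and 3 and up in rounds 2 and 4.
SAMPLE = [
    Observation("round-1", "192.0.2.10", False, False),
    Observation("round-1", "192.0.2.20", False, False),
    Observation("round-1", "192.0.2.30", True,  False),
    Observation("round-2", "192.0.2.10", True,  True),
    Observation("round-2", "192.0.2.20", True,  True),
    Observation("round-2", "192.0.2.30", True,  True),
    Observation("round-3", "192.0.2.10", False, False),
    Observation("round-3", "192.0.2.20", True,  False),
    Observation("round-3", "192.0.2.30", True,  False),
    Observation("round-4", "192.0.2.10", True,  True),
    Observation("round-4", "192.0.2.20", False, True),   # down while onion up
    Observation("round-4", "192.0.2.30", True,  True),
]

if __name__ == "__main__":
    for ip, t in correlate(SAMPLE).items():
        print(ip, t, t.verdict())
    print("ranked candidates:", rank(SAMPLE))
```

Only 192.0.2.10 survives: it went down in both rounds where the .onion was down and never while the .onion was up. 192.0.2.20 is ruled out by round 4, and 192.0.2.30 never shared an outage, so nothing can be said about it. With `strict=False` the round-4 contradiction is ignored, which is the mode you would use against a load-balanced .onion, where joint outage counts become the only usable signal.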


Where it won’t work

If the .onion is load-balanced across several hosts (such as here), one IP going down does not take the site down, even if that IP is one of the hosts, so the up/down correlation breaks. Depending on tuning you might still notice a timing difference (slower responses while one backend is missing), which would be useful intel.

This method only works for .onion addresses you already know: it tests whether a known service lives at a candidate IP, it does not discover services.


Any extra thoughts or considerations, I'd love to hear them, and I will update the article and give credit.