Monthly Archives: May 2013

Trawling Tor Hidden Service – Mapping the DHT

Update 2013-08-15: I have been really enthused by reactions I received to this blog post. It has been referenced from Forbes, Gawker and the Daily Mail and a number of people have been in contact about tracking the DHT for themselves. I would recommend the IEEE S&P paper, “Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization” which presents the same issues allowing the DHT to be trawled. They also present some very serious attacks allowing an adversary to locate hidden services with practical resources. It is well worth checking out if you have an interest in Tor.

Tor hidden services have got more media attention lately as a result of some notorious sites like the Silk Road marketplace, an online black market. On a basic level, Tor hidden services allow you to make TCP services available while keeping your server’s physical location hidden via the Tor anonymity network.


  • Tor hidden service directories (HSDir’s) receive a subset of hidden service look-ups from users, allowing them to map relative popularity/usage of hidden service.
  • An adversary with minimal resources can carry out complete DoS attacks of Tor hidden services by running malicious Tor hidden service directories and positioning them in a particular part of the router list.
  • Many look-ups for Tor hidden services go to the incorrect hidden service directories which negatively affects the initial time to access the site.
  • Hidden services such as are popular, sites such as the Silk Road marketplace receive more than 60,000 unique user sessions a day.


For users to access a hidden service they must first retrieve a hidden service descriptor. This is a short signed message created by the hidden service approximately every hour contain a list of introduction nodes and some other identifying data such as the descriptor id (desc id). The desc ID is based on a hash of some hidden service information and it changes every 24 hours. This calculation is outlined later in the post. The hidden service then publishes its updated descriptor to a set of 6 responsible hidden service directories (HSDir’s) every hour. These responsible HSDir’s are regular node on the Tor network which have up-time longer than 24 hours and which have received the HSDir flag from the directory authorities. The set of responsible HSDir’s is based on their position of the current descriptor id in a list of all current HSDir’s ordered by their node fingerprint. This is an implementation of a simple DHT (Distributed Hash Table).

Continue reading

Hello world’ or ‘1’=’1

Welcome to my new website! This is the mandatory, ambitious first post which proceeds the later sporadic activity as the enthusiasm gradually dies away. I don’t have a big picture for this site as of yet.

I registered the domain primarily to host my email as I transition away from using third-party email providers. Hosted email is fine, but if your receiving a “free” service, your the product. Your also vulnerable to the whim’s of a provider who may block your account and lock you out of your online life for the slightest reason. I have decide to get an Icelandic domain as they are implementing strong protections for freedom of speech on the internet thanks to the influence of the IMMI, and they’re also easier to get than .ie domains!

Predominantly this blog will just be a place for me to publish projects I’m working on at the moment. Until now I have limited myself to 140 characters and haven’t been able to get idea’s across as I’d like. I also have various half-finished projects left lying around. I’m hoping that actually having a place to publish and get some feedback on my projects will give me the motivation I need complete them. I should have my first proper post up in a day or two outlining some work I have done analyzing the Tor hidden service DHT. Stay tuned!