Tuesday, 15 March 2016

Who Is Spinning This Hidden Web?

For anyone who has been following the story of Tor hidden services, which began in February as we all noticed a sudden increase in the number of unique .onion addresses, it appears that it might be finding a new equilibrium.  Having said that, the last time I thought this it leapt up even higher than the original increase which caught our attention.

As of this morning the number of unique .onion addresses appears to be levelling out.  It looks considerably lower than the peak that was reached but it is still at or higher than the level which woke us up a few weeks ago.

What no one (that I know of) has yet determined is what has been causing these changes.  I wondered previously whether it was a result of the malware Locky.  However, as the number of unique addresses reported each day has fallen, we have seen Locky continue unabated: if anything it has become more widespread.  That would seem to rule out Locky as the culprit.

All of which leaves people like me scratching our heads.

One possibility was that someone was generating a hoard of vanity addresses to sell them on at a later date.  Using various software tools it is relatively easy to create vanity .onion addresses.  And, we have seen "onion farming" in the past, but on a much smaller scale.

One rather dark thought I had, particularly when I saw the rate of increase after 20th February, was that maybe someone was trying to smash the "dark web". It wouldn't be possible to use up all of the .onion addresses, as the possible number is enormous, but what if someone were trying to overwhelm the Hidden Service Directory Servers (HSDirs)?  There are only approximately 3000 HSDirs, and each is likely to be doing something other than just being a directory server for Tor.

It is possible to do the sums by looking at the specification for the "descriptors" that the directory servers manage. When you work it through it doesn't look like it should be a problem: a matter of a few hundred megabytes of memory per server.  However, some of those operating these servers have reported their systems crashing - it's not clear why. 
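To show what "doing the sums" looks like, here is an added back-of-envelope model (my own example, not the author's calculation): it checks the v2 address format, computes the address space, and estimates descriptor storage per HSDir. The 3000-HSDir figure is from the post; the 6 copies per descriptor (2 replicas, each on 3 consecutive HSDirs) is from the v2 rendezvous spec; the onion count and descriptor size used at the bottom are constructed assumptions.

```python
"""Back-of-envelope model of HSDir descriptor load (added example).
Assumed inputs are marked in comments; nothing here is a measured value."""
import re

# A v2 .onion address is 16 base32 characters (80 bits of the service key
# hash) followed by ".onion" -- the format in use in 2016.
_V2_ONION = re.compile(r"^[a-z2-7]{16}\.onion$")


def is_v2_onion(addr: str) -> bool:
    """True if `addr` is syntactically a v2 hidden-service address."""
    return bool(_V2_ONION.match(addr.strip().lower()))


def v2_address_space() -> int:
    """Number of possible v2 addresses: 32**16 == 2**80, so exhausting
    them by generation is not a realistic threat."""
    return 32 ** 16


def copies_per_descriptor(replicas: int = 2, spread: int = 3) -> int:
    """rend-spec v2 publishes each descriptor at `replicas` positions on the
    HSDir ring and on `spread` consecutive HSDirs at each: 6 copies."""
    return replicas * spread


def per_hsdir_bytes(unique_onions: int, descriptor_bytes: int,
                    hsdirs: int = 3000) -> float:
    """Average descriptor storage each HSDir holds, assuming copies are
    spread evenly around the ring (hsdirs=3000 as in the post)."""
    total = unique_onions * copies_per_descriptor() * descriptor_bytes
    return total / hsdirs


def onions_to_fill(target_bytes_per_hsdir: int, descriptor_bytes: int,
                   hsdirs: int = 3000) -> int:
    """Inverse question: how many unique onions before each HSDir holds
    `target_bytes_per_hsdir` of descriptors (integer ceiling division)."""
    per_onion_total = copies_per_descriptor() * descriptor_bytes
    numerator = target_bytes_per_hsdir * hsdirs
    return -(-numerator // per_onion_total)


if __name__ == "__main__":
    # Constructed inputs: 100k unique onions and a 4 KiB descriptor are
    # illustrative assumptions, not figures from the post.
    load = per_hsdir_bytes(100_000, 4096)
    print(f"{load / 2**20:.2f} MiB of descriptors per HSDir")
    print(onions_to_fill(256 * 2**20, 4096), "onions to reach 256 MiB each")
```

Plugging in your own descriptor size and onion count shows how sensitive the per-server figure is to those two assumptions, which is why the author's estimate and an operator's crash reports can legitimately differ.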

Clearly, if someone was attempting to take down the HSDirs to effectively stop the hidden services operating, then they stopped short.  Conspiracy theorists might think it was because they were spotted.  However, it might be that what we have seen was just a test, but even that doesn't explain why the number of addresses hasn't returned to the level seen prior to mid February.

Whatever the cause, it is one to watch.  Clearly something is going on, and continues to do so.  As time progresses I suspect we will be able to rule out certain possibilities but when we will know the real cause is anyone's guess.  I suspect we may have to rely on the Holmesian principle of "when you have eliminated the impossible, whatever remains, however improbable, must be the truth".