Discovering onion services through circuit fingerprinting attacks

Tor onion services provide anonymous service to clients using the Tor browser without disclosing the real address of the server. But an adversary could use a circuit fingerprinting attack to classify circuit types and discovers the network address of the onion service. Recently, Tor has used padding defenses to inject dummy cells to protect against circuit fingerprinting attacks. But we found that circuits still expose much information to the adversary. In this paper, we present a novel circuit fingerprinting attack, which divides the circuit into the circuit generated by the client and the circuit generated by the onion service. To get a more effective attack, we tried three state-of-the-art classification models called SVM, Random Forest and XGBoost, respectively. As the best performance, we attain 99.99% precision and 99.99% recall when using Random Forest and XGBoost classification models, respectively. And we also tried to classify circuit types using our features and the classification model mentioned above, which was first proposed by Kwon. The best performance was achieved with 99.99% precision and 99.99% recall when using the random forest classifier in circuit type classification. The experimental results show that we achieved highly accurate circuit fingerprinting attacks even when application-layer traffic is identical and some type of circuits using the defenses provided by Tor.(c) 2022 The Author(s). Published by Elsevier B.V. on behalf of Shandong University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).