HelpNet Security: They set up honey onions (honions), a framework able to detect when a Tor node with HSDir capability has been modified to snoop into the hidden services that it currently hosts. by Zeljka Zorz
'To cover all or almost all HSDirs on the network, they set up 1500 honions, which logged all requests received from the various HSDirs. By analyzing the nature of these requests and when they were made, they were capable of identifying potentially malicious HSDirs.
'“Most of the visits were just querying the root path of the server and were automated. However, we identified less than 20 possible manual probing, because of a query for favicon.ico, the little icon that is shown in the browser, which the Tor browser requests. Some snoopers kept probing for more information even when we returned an empty page,” the researchers shared.
'There was quite a diversity among the detected attack vectors: forced hidden services indexing, SQL injections, username enumeration, cross-site scripting, targeting of Ruby on Rails framework, etc.
'It’s interesting to note (but should not have been unexpected) that of the 110+ malicious HSDirs, more than 70% were hosted on cloud infrastructure, which makes identifying their operators much more difficult.'
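
The log triage the quote describes, as an added example that is not code from the researchers or the article: visits to each honion are classified as automated root-path fetches or possible manual browsing (a `favicon.ico` request), with continued probing of the empty page flagged separately. The log format, honion labels, 10-minute visit gap and category names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, honion label, request path.
SAMPLE_LOG = """\
2024-01-01T10:00:00 honion-0001 /
2024-01-01T14:30:00 honion-0002 /
2024-01-01T14:30:02 honion-0002 /favicon.ico
2024-01-01T14:31:10 honion-0002 /admin
2024-01-02T09:00:00 honion-0003 /
2024-01-02T09:00:01 honion-0003 /favicon.ico
2024-01-03T10:00:00 honion-0001 /login
"""

# An onion service does not see a client address, so requests are grouped
# per honion by time. Assumption: a gap longer than this starts a new visit.
SESSION_GAP = timedelta(minutes=10)

def parse(log_text):
    """Yield (timestamp, honion, path) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, honion, path = line.split(maxsplit=2)
            yield datetime.fromisoformat(ts), honion, path

def sessions(events):
    """Group each honion's requests into visits separated by SESSION_GAP."""
    by_honion = defaultdict(list)
    for ts, honion, path in sorted(events):
        visits = by_honion[honion]
        if visits and ts - visits[-1][-1][0] <= SESSION_GAP:
            visits[-1].append((ts, path))
        else:
            visits.append([(ts, path)])
    return by_honion

def classify(visit):
    """Label one visit by the kinds of paths it requested."""
    paths = [p.split("?", 1)[0] for _, p in visit]
    extra = [p for p in paths if p not in ("/", "/favicon.ico")]
    if "/favicon.ico" in paths:      # browser-style fetch: possible manual visit
        return "manual-persistent" if extra else "manual"
    return "automated-probing" if extra else "automated-root"

def report(log_text):
    """Map each honion to the ordered list of labels for its visits."""
    return {h: [classify(v) for v in visits]
            for h, visits in sessions(parse(log_text)).items()}

if __name__ == "__main__":
    for honion, labels in sorted(report(SAMPLE_LOG).items()):
        print(honion, labels)
```

Because each honion is known only to the HSDirs that held its descriptor, any visit at all is the signal; the labels only rank which visits deserve a closer look.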