In this paper, we explore traffic analysis attacks on Tor that are conducted solely with middle relays rather than with relays from the entry or exit positions. We create a methodology to apply novel Tor circuit and website fingerprinting from middle relays to detect onion service usage; that is, we are able to identify websites with hidden network addresses by their traffic patterns. We also carry out the first privacy-preserving popularity measurement of a single social networking website hosted as an onion service by deploying our novel circuit and website fingerprinting techniques in the wild. Our results show: (i) that the middle position enables wide-scale monitoring and measurement not possible from a comparable resource deployment in other relay positions, (ii) that traffic fingerprinting techniques are as effective from the middle relay position as prior works show from a guard relay, and (iii) that an adversary can use our fingerprinting methodology to discover the popularity of onion services, or as a filter to target specific nodes in the network, such as particular guard relays.
@inproceedings{insidejob-ndss2018,
title = {Inside Job: Applying Traffic Analysis to Measure Tor from Within},
author = {Jansen, Rob and Juarez, Marc and Galvez, Rafael and Elahi, Tariq and Diaz, Claudia},
booktitle = {Network and Distributed System Security Symposium},
year = {2018},
doi = {10.14722/ndss.2018.23261},
}