Napping Guard: Deanonymizing Tor Hidden Service in a Stealthy Way

2020 
In this paper, we propose the Napping Guard attack, which can deanonymize hidden services in a stealthy way. The key insight of our method is to exploit a design flaw in hidden service requests to build a simplex covert channel that sends messages from a malicious guard relay to the collusive Client-OP. Using this covert channel, the guard relay delivers the actual IP address of the hidden service to the collusive Client-OP. Since the Client-OP already knows the onion address of the hidden service, the adversary can deanonymize the hidden service by correlating the actual IP address with the onion address on the Client-OP. In particular, compared with previous attacks, our covert channel uses a latency signal instead of a traffic signal and eliminates the dependency on a malicious Rend-Point, achieving better concealment at lower cost. Our experiments show that the covert channel is reliable, with a precision of about 99.35% and a recall of about 99.19%. In addition, we propose a mitigation for the Napping Guard attack and have reported the design flaw to the Tor project.