
A few months ago, when I started to experiment with Bitcoin, I came across The Silkroad (only accessible via Tor).

For those who do not know what Tor is and who do not want to waste their time installing and checking what is there, you can read this and this comprehensive paper regarding The Silkroad.

In the paper, researchers stated that as much as USD 1.9 million/month is circulated on The Silkroad and most of this money is generated by drug products.

My question is: how is it possible that this site (aside from being completely illegal) was not closed? At one point in time it was quite notorious and there was even a hearing in the Senate, but nothing came of it.

What makes onion domains so special that, even knowing a site carries large amounts of narcotics-related transactions, it is still impossible to close it?

Salvador Dali
  • Probably because it is the FBI's fake. It is hard to close what the FBI does. – trankvilezator Sep 22 '13 at 15:48
  • Do you have anything to support this strong argument? A conspiracy theory is nice, but it is much nicer with at least some support. – Salvador Dali Sep 22 '13 at 17:27
  • https://en.wikipedia.org/wiki/Marxist%E2%80%93Leninist_Party_of_the_Netherlands it is similar. Just try to browse Tor hidden services; you will find nothing. There are no hidden services yet; this is pre-alpha technology under tight control of the special services. **probably** – trankvilezator Sep 22 '13 at 17:51
  • While I cannot prove @trankvilezator's claim about Silkroad, he makes a very good point. The FBI has in the past continued hosting services it has seized. By doing so they attempt to collect information on additional offenders. More details on such procedures can be found in a previous answer I gave at http://security.stackexchange.com/a/119153/76865. I imagine services like child porn may only be run briefly to minimize the further victimization. But a site like Silkroad makes for a great long-term trap given its notoriety as a "safe" haven. – Bacon Brad Apr 22 '16 at 01:20
  • Essentially because .onion hosts are practically indistinguishable from intermediate nodes. If you control a large number of intermediate nodes, then maybe you can do traffic analysis, but this is even harder than exit node attacks. – Lie Ryan Apr 22 '16 at 13:54

2 Answers


Have you seen the Tor document on how a Tor Hidden Service works?

Essentially, in the same way that it's hard to find the source of traffic from a Tor exit node, it's hard to find the server operating a Tor Hidden Service. Authorities can't shut down the server, because they can't find out where it is.

The .onion TLD is not really a TLD (so there is no domain registrar to shut down), but it's recognized by Tor.

There are other methods for tracking it down - checking cash flows, poorly anonymised Bitcoin transactions, even good "old-fashioned" anonymous tips to the police. So far it seems none have been sufficient.

Edit: Ah, I think I understand the confusion. You're expecting that by flooding the Tor network with malicious exit nodes, you'll eventually create one that's used for the "exit" to a .onion. You'll know it's the target (e.g. Silkroad) because you'll be able to see the traffic contents. This does not work against .onion hosts, because unlike an exit node connection to a "normal" host on the public internet, traffic to .onion hosts is end-to-end encrypted.

So even a malicious exit node does not know that it's connected to the Silkroad host, because it can't see the traffic content.

scuzzy-delta
  • I think that I pretty much understand how Tor works. The thing is that right now there are up to 3000 or so Tor relays. If the question concerns narcotrafficking in the USA on such a scale (you have to admit that 1.9 mln/month is rather a big number), then in my opinion it is possible to create something like 6000 additional Tor relays operated by the FBI or whoever, in order to find out the address. – Salvador Dali Dec 04 '12 at 22:56
  • I'm not sure your understanding is complete. Even if a "malicious" Tor relay happens to be an introduction point that the hidden service of interest connects to, it still does not know the IP address of the service. Should a large number of "malicious" Tor nodes be introduced, it does degrade the privacy protection to some degree, but this would affect all privacy, and not just Tor hidden services. – scuzzy-delta Dec 04 '12 at 23:08
  • For sure it is not complete. But to me it sounds rather bizarre that the last relay does not know to whom exactly it connects. I would really appreciate it if you would elaborate on this. Once more: in my response I didn't want to be rude; I just stated that I think I know how it works, and I thought that Tor alone should not be enough if the issue is drug trafficking. – Salvador Dali Dec 04 '12 at 23:31
  • The last relay does know. But the Introduction Points and the Relay Points are not necessarily the last relays. Does that help? – scuzzy-delta Dec 05 '12 at 01:21
  • That was exactly my misunderstanding. I didn't know that the connection to .onion is encrypted. +1 Can you also point out where I can read about this in detail? – Salvador Dali Dec 05 '12 at 02:53
  • From https://www.torproject.org/docs/hidden-services.html.en: "The rendezvous point simply relays (end-to-end encrypted) messages from client to service and vice versa." Fuller detail in https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=rend-spec.txt – scuzzy-delta Dec 05 '12 at 03:19
  • If you controlled a significant number of exit nodes, couldn't you also connect a significant number of clients and have them issue a ton of requests to a particular `.onion` address? Best case, you could look for identical requests exiting. Worst case, you could conduct traffic analysis. – Stephen Touset Jan 21 '13 at 23:55

When the FBI finally found the server it was due to the Silkroad server leaking an IP address via a captcha. The FBI was able to use that to track down the hosting provider. They showed up with a warrant and grabbed one of the drives. The RAID controller happily re-built the mirror onto a fresh drive and the operators never noticed. The FBI then had an unencrypted copy of the server and were able to use that to track down the Dread Pirate Roberts (who did most of his work out of a cafe in San Francisco, CA). Of additional note, a Stack Overflow question was one of the clues which eventually tied the pseudonym to the man.

Great writeup in Wired and (pt 2).

jorfus
  • I believe there is a lot of doubt surrounding the idea that there was a leaking IP address over the captcha. Like many other cases, it does not seem unlikely that the FBI is giving out false information on that front due to parallel construction. – forest Apr 22 '16 at 01:12
  • That's always a possibility. There is evidence that parallel construction is often used to mask intelligence gathered on US citizens (because that's illegal and violates the 4th Amendment). However, in this case the simple explanation could be correct. The Wired article mentions a reddit thread where a user pointed out the captcha problem, which tipped off the FBI about where and how to look. It's also a viable explanation from a technical standpoint. – jorfus Apr 22 '16 at 18:04
  • I don't remember the details, but I recall there were major mistakes in that explanation which made it impossible. I don't just say this because parallel construction is a possibility, but because their explanation itself had problems. – forest Apr 24 '16 at 01:49
  • And this is why, if you're hosting a Tor hidden service, it's a good idea to put it behind a firewall host that does the actual Tor magic - so even if the server is compromised it will not be able to access the open internet and reveal its IP. – André Borie Apr 22 '17 at 14:59
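Whatever the truth of the captcha story (the comments above dispute it), the class of bug the answer describes is an application that serves, or links to, a resource by the host's real address instead of a relative path or its .onion name, so that a visitor's browser fetches it outside Tor. Here is an added check for that class of leak, my own example rather than code from the answer or from any project: it walks a page's HTML and flags every absolute reference whose host is an IP literal or a clearnet name. The sample page, the onion hostname and the CDN name are constructed, and 192.0.2.10 is from a reserved documentation range.

```python
"""Flag HTML references on a hidden service page that would be fetched outside Tor.

Constructed example; the sample page and hostnames below are made up.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value is a URL the client will fetch or submit to.
URL_ATTRS = {"href", "src", "action", "data", "poster"}


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-carrying attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value))


def classify_reference(url, onion_host):
    """Return where a reference points: relative, onion, other-onion,
    ip-literal or clearnet. Only the last two bypass the hidden service."""
    parts = urlsplit(url)
    if not parts.netloc:
        return "relative"  # resolved by the client against the .onion origin
    host = (parts.hostname or "").lower()
    if host == onion_host:
        return "onion"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"  # the server's real address, served in the clear
    except ValueError:
        pass
    return "other-onion" if host.endswith(".onion") else "clearnet"


def find_clearnet_leaks(html, onion_host):
    """Return [(tag, attr, url, kind)] for every reference that leaves Tor."""
    parser = _RefCollector()
    parser.feed(html)
    leaks = []
    for tag, attr, url in parser.refs:
        kind = classify_reference(url, onion_host)
        if kind in ("ip-literal", "clearnet"):
            leaks.append((tag, attr, url, kind))
    return leaks


# Constructed login page: one captcha image pulled straight from the host's IP,
# one script from a clearnet CDN, plus two references that are fine.
SAMPLE_PAGE = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="//cdn.example.net/jquery.min.js"></script>
</head><body>
  <form action="/login" method="post">
    <img src="http://192.0.2.10/captcha.png" alt="captcha">
    <input name="captcha"><input type="submit">
  </form>
  <a href="http://abcdefghijklmnop.onion/help">Help</a>
</body></html>
"""
SAMPLE_ONION = "abcdefghijklmnop.onion"  # made-up hostname


def demo():
    return find_clearnet_leaks(SAMPLE_PAGE, SAMPLE_ONION)


if __name__ == "__main__":
    for tag, attr, url, kind in demo():
        print(f"{kind:10} <{tag} {attr}={url!r}>")
```

The scanner reports two findings for the sample: the CDN script (a protocol-relative URL still names a clearnet host) and the captcha image keyed to the server's IP. It only sees what the page tells the browser to fetch; a server that itself reaches out to the internet (DNS lookups, package updates, error reporting) reveals its address just as surely, which is what the firewall-host layout in the last comment is meant to prevent.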