Doxbin’s Nachash On Operation Onymous (P.2)


Posted by: Zubair Muadh November 12, 2014


Last week the FBI, together with 16 other Europol nations, took down 410 .onion addresses belonging to 27 different sites that offered services and products ranging from Class A drugs to hitmen-for-hire, as part of Operation Onymous.

Many operators are still at large despite the FBI’s takedown of these sites. One of the co-operators of Doxbin, a site that let people post personally identifying information for malicious purposes, shared details of the site’s takedown with Tor developers in a bid to help them find ways to protect other users of the Tor network.

In an email to tor-dev entitled “yes, hello, internet supervillain here”, the operator, who goes by the name Nachash, said that his server was a virtual private server on the German hosting service Hetzner.

According to the logs he sent to tor-dev, between August 21st and August 28th there was a stream of requests preceded by “%5c%22”, the URL encoding of a backslash followed by a double quote (\"), which the PHP code would parse as an escaped quotation mark. The strings inside the quotes appeared to be URLs for websites such as Twitter and Hack Forums, but in reality they were padded with fake subdirectories like “/old/code/fail”.

With a flood of these requests, traffic was pushed up to 1.7 million page requests, three times the regular traffic the site received. The same thing repeated a month later, and Nachash said he began redirecting the requests to another Tor hidden service (the Hidden Wiki’s directory of child pornography sites) and also added a “grep -v” (the “invert match” option of GNU grep, which excludes lines matching a given pattern from the output) “to my log report script in order to filter out the noise,” Nachash added. “[This was] possibly a mistake, but we both tailed logs and watched for something like a different attack style that the DDoS was being used to cover and never noticed anything.”
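Nachash’s caveat above is the practical lesson for anyone running a log report: piping the flood through `grep -v` throws the noise away, but it also throws away the chance to notice what else arrived under cover of it. The script below is an added example (not Nachash’s log report script, and not Tor project code) that triages constructed Apache/nginx combined-format log lines: it tags requests carrying the `%5c%22` marker the article describes as flood traffic, counts their sources, and keeps the residual requests for review, with any non-GET or non-2xx residual line called out separately. The log lines, IP addresses and paths are all made up for the example.

```python
"""Triage an access log for the request flood described above, keeping the
residual traffic for review instead of discarding it with 'grep -v'.
Added example, not Nachash's own script; the log lines are constructed."""
import re
from collections import Counter
from urllib.parse import unquote

# Marker from the article: URL-encoded backslash followed by a double quote.
ENCODED_MARKER = "%5c%22"

# Constructed sample log lines in combined log format (not real Doxbin data).
SAMPLE_LOG = """\
10.0.0.1 - - [21/Aug/2014:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.2 - - [21/Aug/2014:10:00:02 +0000] "GET /index.php?q=%5c%22https://twitter.com/old/code/fail%5c%22 HTTP/1.1" 200 512 "-" "curl/7.30"
10.0.0.2 - - [21/Aug/2014:10:00:02 +0000] "GET /index.php?q=%5c%22http://hackforums.net/a/b/c%5c%22 HTTP/1.1" 200 512 "-" "curl/7.30"
10.0.0.3 - - [21/Aug/2014:10:00:03 +0000] "GET /upload.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
10.0.0.2 - - [21/Aug/2014:10:00:04 +0000] "GET /index.php?q=%5C%22https://twitter.com/x/y/z%5C%22 HTTP/1.1" 200 512 "-" "curl/7.30"
10.0.0.4 - - [21/Aug/2014:10:00:05 +0000] "POST /admin/login.php HTTP/1.1" 401 64 "-" "python-requests/2.4"
"""

# One combined-format line: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote(rec["path"])  # percent-decoding, as PHP would see it
    return rec


def is_flood_request(rec):
    """True when the request carries the %5c%22 marker (either hex case) and
    therefore decodes to a backslash-escaped quote, as described in the article."""
    return ENCODED_MARKER in rec["path"].lower() and '\\"' in rec["decoded_path"]


def triage(log_text):
    """Split the log into flood requests and everything else, summarising both.
    The residual side is kept (not dropped as 'grep -v' would) so that a
    different attack hidden under the noise still gets looked at."""
    flood, residual, unparsed = [], [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        elif is_flood_request(rec):
            flood.append(rec)
        else:
            residual.append(rec)
    return {
        "flood_count": len(flood),
        "flood_sources": Counter(r["ip"] for r in flood),
        "residual_count": len(residual),
        # Residual lines worth a human look: non-GET methods or non-2xx statuses.
        "residual_suspicious": [
            f'{r["ip"]} {r["method"]} {r["path"]} -> {r["status"]}'
            for r in residual
            if r["method"] != "GET" or not r["status"].startswith("2")
        ],
        "unparsed_count": len(unparsed),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the three marker-bearing requests are attributed to one source and the residual list surfaces the failed POST to the login page, which a bare `grep -v` report would have left buried among the remaining lines. On a real log the same split lets the flood be rate-limited or redirected by its marker while the residual stream keeps being tailed and alerted on.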

Nachash also tweeted a graph showing Doxbin’s traffic history:

One theory that has surfaced is that the law enforcement attack was a bid to force the sites’ .onion addresses onto circuit paths that passed over nodes set up by law enforcement. By flooding the circuits through secure nodes, law enforcement made it possible to connect only through Tor nodes that they controlled. Of course, this theory raises the question of how many of the just over 6,000 Tor nodes the combined law enforcement agencies of the nations involved control.

Whilst the takedown of Silk Road and Doxbin won’t have major implications for the drug market, it could have serious consequences for the security of the Tor network in general. If governments could force Tor traffic through nodes that they control, it would present serious privacy concerns for whistle-blowers, political activists and dissidents, journalists, and others trying to avoid the eyes of oppressive regimes.

It’s important to keep in mind that we do not know for certain what method law enforcement used, since they have revealed little so far. Tor developers will most likely be keen to hear what law enforcement have to say about their method of taking down the sites, in a bid to ensure the security of the Tor network and the anonymity of its users.

Updated: 2014-11-12
