INFLOW: Inverse Network Flow Watermarking For Detecting Hidden Servers

Alfonso Iacovazzi, Singapore University of Technology and Design, Singapore
Sanat Sarda, Singapore University of Technology and Design, Singapore
Yuval Elovici, Ben Gurion University, Israel


TOR is a well-known and established anonymous network that has increasingly been abused by services distributing and hosting content, in most cases images and videos, that is illegal or morally deplorable (e.g., child pornography). Law enforcement continually tries to identify the users and providers of such content. State-of-the-art techniques to breach TOR's anonymity are usually based on passive and active network traffic analysis, and rely on the ability of the deanonymizing entity to control TOR's edge communication. Despite these efforts, locating hidden servers and linking illegal content with those providing and spreading it remains an open and controversial issue. In this paper, we describe INFLOW, a new technique to identify hidden servers based on inverse flow watermarking. INFLOW exploits the influence of congestion mechanisms on the traffic passing through the TOR network. INFLOW drops bursts of packets for short time intervals on the receiving side of a traffic flow that originates at a hidden server and passes through the TOR network. Packet dropping affects TOR's flow control and causes time gaps in the flows observed on the hidden server side. By controlling the communication edges and detecting the watermarking gaps, INFLOW is able to identify the hidden server. Our results, obtained by means of empirical experiments performed on the real TOR network, show true positive rates in the range of 90 to 98%.
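As an added example that is not part of the INFLOW paper, the following is a defender-side check a hidden-service operator could run on timestamps of their own outbound flow: it looks for the abnormal inter-packet gaps the abstract describes and flags the flow only when such gaps recur at a near-constant period, which natural congestion stalls rarely do. The gap threshold, the periodicity criterion and the constructed millisecond timestamps are assumptions.

```python
"""Gap-pattern check for a hidden service's own outbound flow.

Added example, not code from the INFLOW paper. It relies only on what
the abstract states: receiver-side packet dropping induces time gaps in
the flow as seen at the hidden server. Thresholds and sample data are
assumptions; timestamps are integer milliseconds.
"""
from statistics import median


def find_gaps(timestamps, factor=8):
    """Return (start_ms, length_ms) for every inter-packet gap longer
    than `factor` times the median inter-arrival time of the flow."""
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if not deltas:
        return []
    base = median(deltas)
    if base == 0:
        return []
    return [(ts[i], d) for i, d in enumerate(deltas) if d > factor * base]


def looks_watermarked(timestamps, min_gaps=3, jitter=0.25):
    """True when abnormal gaps recur at a near-constant period.
    Injected gaps follow the dropper's schedule; organic stalls from
    real congestion are irregular, so they fail the periodicity test."""
    gaps = find_gaps(timestamps)
    if len(gaps) < min_gaps:
        return False
    starts = [s for s, _ in gaps]
    periods = [b - a for a, b in zip(starts, starts[1:])]
    p = median(periods)
    return all(abs(q - p) <= jitter * p for q in periods)


def sample_flows():
    """Constructed samples: a steady 100 pkt/s flow over 30 s, the same
    flow with a 500 ms hole every 5 s (watermark-like), and the same
    flow with three irregular holes (organic congestion stalls)."""
    steady = list(range(0, 30_000, 10))
    periodic = [t for t in steady if t % 5_000 >= 500]
    stalls = [(3_000, 3_400), (11_000, 11_600), (12_500, 12_900)]
    irregular = [t for t in steady
                 if not any(a <= t < b for a, b in stalls)]
    return {"steady": steady, "watermarked": periodic,
            "stalled": irregular}


if __name__ == "__main__":
    for name, flow in sample_flows().items():
        print(name, len(find_gaps(flow)), looks_watermarked(flow))
```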
