Towards Comprehensive Security Analysis Of Hidden Services Using Binding Guard Relays

Tor Hidden Service is a widely used tool designed to protect the anonymity of both client and server. In order to prevent the predecessor attacks, Tor introduces the guard selection algorithms. While the long-term binding relation between hidden service and guard relay increases the cost of existing predecessor attacks, it also gives us a new perspective to analyze the security of hidden services.We utilize a novel method which can reveal guard relays for multiple hidden services. The method helps us to reveal guard relays for 13604 hidden services, and observe their binding relations for 7 months. Based on the binding relations, we conduct the first protocol-level measurement and family analysis of hidden services, and discover two types of families about hidden services, named onion family and onion-node family.Our measurement reveals 263 onion families in Tor network, and the analysis shows that onion addresses in these families tend to use common prefixes or meaningful prefixes. By analyzing the webpage of these hidden services, we surprisingly find a super onion family that contains 121 hidden services, most of which runs a fraudulent website of bitcoin. Additionally, we also discover 49 onion-node families which have abnormal binding relations between hidden services and their guard relays, including expire bindings, bridge bindings and middle node bindings.