A Method for identifying .onion associated IP addresses
This post is, in theory, sound; however, executing it would take real collaboration that probably doesn't exist, and given the benefits of Tor to certain operations it is likely to be counterproductive. Still, it is something to think about.
tl;dr: Browsing via Tor is still fine, hosting onions
We will cover three methods of asking the same question. The question is twofold, with two parts that combine to give one answer:
- Is the IP address up?
- Is the .onion up?
If the answers to questions 1 and 2 match, there is a potential correlation of state: if the IP address is up when the .onion is online, and the IP address is down when the .onion is down, then perhaps the .onion is hosted on that IP. That's a good starting point, especially if the pattern is consistent.
The slowest, most viable
way to do this is to monitor ISP and large-network outages at scale. When an ISP goes down, attempt to resolve your target .onions and cross-reference the state (up/down) to see whether the IP and the .onion are both down, or the IP is down and the .onion is up. You are dependent on ISP outages or large-scale network faults (BGP hijacks perhaps), and you have no control over when they happen; all you can do is have a system in place to react when they do. - I'd love to hear how this might be possible in a meaningful way
The quickest, least viable
way to do this would need collaboration from core networks, governments and operators to allow controlled outages (milliseconds of outage would be the most desirable), creating just enough time to query whether the IP address is down and the .onion is down, or up, and then move on to the next one, perhaps an ASN at a time as a quick way to home in. This would be a nightmare for financial networks, where outages are simply not allowed; the financial overhead of failed connections would have to be either accounted for or everything denied! Alternatively, instead of null-routing the IP addresses you could slow them down, but this would need performance tuning, and you might have to inject a bunch of Tor nodes into the network to speed it up.
Where it won't work
Load-balancing your .onion (such as here): essentially, one IP goes down and the site stays up, even if that one IP is associated with it. However, depending on tuning, you might notice a timing difference that could be measured and inferred from.
This post has moved from my old site in an effort to separate content better - originally posted around April 2017 - I will revisit this research in 2023