Context and assumptions

Setting up the scene

Alice wishes to start hosting a coordination platform for her activist group, but she doesn't want to host the platform herself for the following reasons:

• Shes does not want to have incriminating data in her house
• She is unable to provide the required level if high availability for her group's safety and operational standards
• She has limited bandwidth/electricity to devote to her cause

She gets in touch with Bob, owner and operator of Bob's friendly datacenter, and orders from him a VPS (Virtual Private Server). Bob's pretty open-minded so Alice is free to use whatever OS she wants, gets a public IP.

Enters Leo

One day Bob's phone rings, it's Leo calling! Leo asks Bob to confirm that he indeed has Alice as a customer. Without further ado, Leo pays Bob a visit! After entering the premises and showing a government agency badge, Leo asks for complete access to Bob's infrastructure and binds him with a gag order to make sure no one hears about his investigation. Even if Bob is sympathetic to Alice or wishes to protect his customers he would now run afoul of his country's laws if he were to warn them. Leo might have been nice to him but he is not to be trifled with...

Leo sets up shop

Commandeering an office in Bob's datacenter, Leo gets to work. He has plenty of options:

1. Network sniffing: Leo can capture and log ALL trafic related to Alice's activity inside Bob's datacenter, so he will know the IP of everyone interacting with her platform
2. Firmware/hardware attacks: during maintenance windows, Leo could tamper with the BIOS/UEFI of Alice's server (if she had chosen a bare-metal option), or with her server's storage devices in order to deactivate encryption
3. Memory attacks: Leo is able to take snapshots of Alice's VPS RAM to gather information about her activities. If she had chosen a bare-metal server he could cut the power, extract and refrigerate the RAM sticks in order to retrieve the data, but such an attack would be very conspicuous

How can high availability help?

In the above scenario if the onion service operator had setup a redundant, highly available server then connections would have been seamlessly sent to another server in the redundancy pool, thus preventing the adversary from extracting location information based on their operation. This works best with a server in a different country or region, making a coordinated attack by several adversaries a requirement in order to use this method for deanonymization.

Adversary Attack Flow

Below is a chart depicting an adversary attack flow. As shown, high availability will prevent the adversary from progressing beyond their initial step of uptime-based target acquisition.


As you can see the adversarie's playbook is quite simple:

1. Identify a list of potential suspects
2. Cut them off the internet
3. Check whether this action made the hidden service unreachable

Those actions are easily perpetrated by law enforcement as they only require:

• DSLAM level access to the internet backbone used by the suspects (impacting a perimeter like a city block)
• City block level access to the power grid in order to run disruptive actions

Both of those are trival to obtain for LEOs (law enforcement officers).


This Diagram shows where the attack takes place and how a redundant setup prevent such attacks from confirming the physical location of the hidden service.

In conclusion, your hidden service is one downtime away from having its location disclosed to an adversary, so you need to make sure it has High Availability