Skip to Main Content
We present an attack to locate hidden servers in anonymous common networks. The attack is based on correlating the flow of messages that arrives to a certain server with the flow that is created by the attacker client. The fingerprint is constructed by sending requests, each request determines one interval. To improve the performance a prediction of the time of arrival is done for each request. We propose an optimal detector to decide whether the flow is fingerprinted, based on the Neyman-Pearson lemma. The usefulness of our algorithm is shown for the case of locating a Tor Hidden Service (HS), where we analytically determine the parameters that yield a fixed false positive probability and compute the corresponding detection probability. Finally, we empirically validate our results with a simulator and with a real implementation on the live Tor network. Results show that our algorithm outperforms any other flow watermarking scheme. Our design also yields a small detectability.