Inflow: Inverse Network Flow Watermarking for Detecting Hidden Servers

Alfonso Iacovazzi, Sanat Sarda, Yuval Elovici

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

14 Scopus citations


TOR is a well-known and established anonymous network that has increasingly been abused by services distributing and hosting content, in most cases images and videos, that are illegal or morally deplorable (e.g., child pornography content). Law enforcement continually tries to identify the users and providers of such content. State of the art techniques to breach TOR's anonymity are usually based on passive and active network traffic analysis, and rely on the ability of the deanonymization entity to control TOR's edge communication. Despite this, locating hidden servers and linking illegal content with those providing and spreading this content remains an open and controversial issue. In this paper, we describe Inflow, a new technique to identify hidden servers based on inverse flow watermarking. Inflow exploits the influence of congestion mechanisms on the traffic passing through the TOR network. Inflow drops bursts of packets for short time intervals on the receiving side of a traffic flow coming from a hidden server and passing through the TOR network. Packet dropping affects the TOR flow control and causes time gaps in flows observed on the hidden server side. By controlling the communication edges and detecting the watermarking gaps, Inflow is able to detect the hidden server. Our results, obtained by means of empirical experiments performed on the real TOR network, show true positive rates in the range of 90 to 98%.

Original languageEnglish
Title of host publicationINFOCOM 2018 - IEEE Conference on Computer Communications
PublisherInstitute of Electrical and Electronics Engineers
Number of pages9
ISBN (Electronic)9781538641286
StatePublished - 8 Oct 2018
Externally publishedYes
Event2018 IEEE Conference on Computer Communications, INFOCOM 2018 - Honolulu, United States
Duration: 15 Apr 201819 Apr 2018

Publication series

NameProceedings - IEEE INFOCOM
ISSN (Print)0743-166X


Conference2018 IEEE Conference on Computer Communications, INFOCOM 2018
Country/TerritoryUnited States


  • Hidden service
  • TOR
  • Traceback
  • Watermark

ASJC Scopus subject areas

  • General Computer Science
  • Electrical and Electronic Engineering


Dive into the research topics of 'Inflow: Inverse Network Flow Watermarking for Detecting Hidden Servers'. Together they form a unique fingerprint.

Cite this