Time will Tell: Large-scale De-anonymization of Hidden I2P Services via Live Behavior Alignment (Extended Version)

Hongze Wang, Zhen Ling, Xiangyu Xu, Yumingzhi Pan, Guangchi Liu, Junzhou Luo, Xinwen Fu

TL;DR

This paper tackles the scalability challenge of de-anonymizing I2P hidden services by introducing I2perception, a framework that passively collects RouterInfo from a small set of floodfill routers to infer fine-grained router online/offline behavior, complemented by active probing of the target hidden service. It presents a five-phase workflow—low-cost RouterInfo collection, fine-grained live-behavior inference, online-session complement, live-behavior probing, and DTW-based correlation—to identify the hosting router and reveal the service's real IP. Key contributions include novel methods to identify join/leave patterns, a recovery mechanism for incomplete data, and a theoretical analysis proving the possibility of unique identification under sustained observation. Real-world experiments over eight months with 15 floodfill routers and 10 host services demonstrate high consistency, improved reliability under data loss, and near-complete deanonymization of controlled services, highlighting practical privacy risks and informing mitigations. The work underscores that user-like live-behavior can serve as a measurable side channel and motivates protocol and operational mitigations to obscure RouterInfo patterns and join/leave signals.

Abstract

I2P (Invisible Internet Project) is a popular anonymous communication network. While existing de-anonymization methods for I2P focus on identifying potential traffic patterns of target hidden services among extensive network traffic, they often fail to scale effectively across the large and diverse I2P network, which consists of numerous routers. In this paper, we introduce I2PERCEPTION, a low-cost approach revealing the IP addresses of I2P hidden services. In I2PERCEPTION, attackers deploy floodfill routers to passively monitor I2P routers and collect their RouterInfo. We analyze the router information publication mechanism to accurately identify routers' join (i.e., on) and leave (i.e., off) behaviors, enabling fine-grained live behavior inference across the I2P network. Active probing is used to obtain the live behavior (i.e., on-off patterns) of a target hidden service hosted on one of the I2P routers. By correlating the live behaviors of the target hidden service and I2P routers over time, we narrow down the set of routers matching the hidden service's behavior, revealing the hidden service's true network identity for de-anonymization. Through the deployment of only 15 floodfill routers over the course of eight months, we validate the precision and effectiveness of our approach with extensive real-world experiments. Our results show that I2PERCEPTION successfully de-anonymizes all controlled hidden services.
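For an operator judging their own exposure, the following added example (not code from the paper or from I2P) shows how the set of routers sharing one host's on-off history shrinks as the observation window grows, and how it holds up when a group of routers never goes offline. It is a simplified model: constructed random on-off sequences and exact slot-by-slot matching stand in for the paper's measured data and DTW-based correlation, and all names, the 50% online probability and the always-on group are assumptions.

```python
import random

def simulate_population(n_routers, n_slots, p_online, seed):
    """Constructed data: each router is independently online in each time slot
    with probability p_online (an assumption, not measured I2P behavior)."""
    rng = random.Random(seed)
    return [[1 if rng.random() < p_online else 0 for _ in range(n_slots)]
            for _ in range(n_routers)]

def anonymity_set_sizes(population, own_index, checkpoints):
    """For each observation length m, count the routers (our own included)
    whose first m on-off slots are identical to our own."""
    own = population[own_index]
    return [sum(1 for seq in population if seq[:m] == own[:m])
            for m in checkpoints]

def always_on_cover(population, n_always_on):
    """Assumed mitigation: the first n_always_on routers never go offline,
    so they produce no join/leave signal that tells them apart."""
    n_slots = len(population[0])
    return [[1] * n_slots if i < n_always_on else seq
            for i, seq in enumerate(population)]

# Observation lengths (in time slots) at which the set is measured.
CHECKPOINTS = [0, 4, 8, 16, 32, 64]

def run_demo():
    pop = simulate_population(n_routers=1000, n_slots=64, p_online=0.5, seed=7)
    # Host with an individual on-off pattern (router 0 as generated).
    churning = anonymity_set_sizes(pop, own_index=0, checkpoints=CHECKPOINTS)
    # Same population, but router 0 is one of 50 always-on routers.
    steady = anonymity_set_sizes(always_on_cover(pop, 50), 0, CHECKPOINTS)
    return churning, steady

if __name__ == "__main__":
    churning, steady = run_demo()
    for m, a, b in zip(CHECKPOINTS, churning, steady):
        print(f"m={m:2d}  churning host: {a:4d}  always-on host: {b:4d}")
```
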

Paper Structure

This paper contains 39 sections, 2 theorems, 17 equations, 12 figures, 7 tables.

Key Result

Theorem 1

The probability $P_{\mathcal{A}}$ that one particular on-off process $A$ does not produce the same length-$m$ on-off sequence as any of the other $n-1$ on-off processes can be calculated as follows, where

Figures (12)

  • Figure 1: I2P Architecture.
  • Figure 2: Format of RouterInfo data.
  • Figure 3: I2perception Overview.
  • Figure 4: Startup workflow of Java-based I2P routers.
  • Figure 5: Three solutions for online session complement.
  • ...and 7 more figures

Theorems & Definitions (2)

  • Theorem 1
  • Corollary 1.1