Tor users can be de-anonymised by analysing router information

Mirimir mirimir@riseup.net
Sat Nov 15 15:26:44 EST 2014


On 11/15/2014 06:04 AM, Snehan Kekre wrote:
> Research undertaken between 2008 and 2014 suggests that more than 81% of Tor 
> clients can be ‘de-anonymised’ – their originating IP addresses revealed – by 
> exploiting the ‘Netflow’ 
> <http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-netflow/index.html> technology 
> that Cisco has built into its router protocols, and similar traffic analysis 
> software running by default in the hardware of other manufacturers.
> 
> Professor Sambuddho Chakravarty 
> <https://sites.google.com/site/sambuddhochakravarty/>, a former researcher at 
> Columbia University’s Network Security Lab <http://nsl.cs.columbia.edu/> and now 
> researching Network Anonymity and Privacy at the Indraprastha Institute of 
> Information Technology in Delhi, has co-published a series of papers over the 
> last six years outlining the attack vector, and claims a 100% ‘decloaking’ 
> success rate under laboratory conditions, and 81.4% in the actual wilds of the 
> Tor network.
> 
> Chakravarty’s technique 
> <https://mice.cs.columbia.edu/getTechreport.php?techreportID=1545&format=pdf&> [PDF] 
> involves introducing disturbances in the highly-regulated environs of Onion 
> Router protocols using a modified public Tor server running on Linux - hosted at 
> the time at Columbia University. His work on large-scale traffic analysis 
> attacks in the Tor environment has convinced him that a well-resourced 
> organisation could achieve an extremely high capacity to de-anonymise Tor 
> traffic on an ad hoc basis – but also that one would not necessarily need the 
> resources of a nation state to do so, stating that a single AS (Autonomous 
> System) could monitor more than 39% of randomly-generated Tor circuits.
> 
> Chakravarty says: /“…it is not even essential to be a global adversary to launch 
> such traffic analysis attacks. A powerful, yet non-global adversary could use 
> traffic analysis methods […] to determine the various relays participating in a 
> Tor circuit and directly monitor the traffic entering the entry node of the 
> victim connection,”/
> 
> The technique depends on injecting a repeating traffic pattern – such as HTML 
> files, the same kind of traffic of which most Tor browsing consists – into the 
> TCP connection that it sees originating in the target exit node, and then 
> comparing the server’s exit traffic for the Tor clients, as derived from the 
> router’s flow records, to facilitate client identification.
> 
> Tor is susceptible to this kind of traffic analysis because it was designed for 
> low-latency. Chakravarty explains: /“To achieve acceptable quality of service, 
> [Tor attempts] to preserve packet interarrival characteristics, such as 
> inter-packet delay. Consequently, a powerful adversary can mount traffic 
> analysis attacks by observing similar traffic patterns at various points of the 
> network, linking together otherwise unrelated network connections.”/
> 
> The online section of the research involved identifying ‘victim’ clients in 
> Planetlab <https://www.planet-lab.org/> locations in Texas, Belgium and Greece, 
> and exercised a variety of techniques and configurations, some involving control 
> of entry and exit nodes, and others which achieved considerable success by only 
> controlling one end or the other.
> 
> Traffic analysis of this kind does not involve the enormous expense and 
> infrastructural effort that the NSA put into their FoxAcid Tor redirects 
> <http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity>, 
> but it benefits from running one or more high-bandwidth, high-performance, 
> high-uptime Tor relays.
> 
> The forensic interest 
> <https://www.cryptocoinsnews.com/how-fbi-illegally-hacked-silk-road-servers-find-alleged-pirate-ross-ulbricht/> in 
> quite how international cybercrime initiative ‘Operation Onymous’ defied Tor’s 
> obfuscating protocols to expose 
> <http://thestack.com/operation-onymous-seize-hundreds-underground-drug-weapons-cybermarkets-071114> hundreds 
> of ‘dark net’ sites, including infamous online drug warehouse Silk Road 2.0, has 
> led many to conclude that the core approach to deanonymisation of Tor clients 
> depends upon becoming a ‘relay of choice’ – and a default resource when 
> Tor-directed DDOS attacks put ‘amateur’ servers out of service 
> <http://www.coindesk.com/silk-road-2-0-shrugs-sophisticated-ddos-attack/>.

I also recommend his PhD thesis:

Sambuddho Chakravarty (2014) Traffic Analysis Attacks and Defenses in
Low Latency Anonymous Communication
http://www.cs.columbia.edu/~angelos/Papers/theses/sambuddho_thesis.pdf
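To make the mechanism the quoted article describes concrete, here is an added illustration in Python (not code from the article, the thesis, or either poster): constructed per-second byte counts stand in for router flow records, and one correlation statistic is applied to a candidate flow that preserves the server-side pattern, as a low-latency relay does, and to one on a constant-rate padded link. Function and label names are my own.

```python
"""Toy model of flow-record correlation. Added illustration; all flow
records below are constructed, not captured from any network."""
import math
import random


def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy) if sx and sy else 0.0


def make_pattern(bins):
    """Constructed server-side byte counts: a repeating on/off burst pattern."""
    return [5000 if (i // 4) % 2 == 0 else 200 for i in range(bins)]


def preserved_flow(pattern, rng, jitter=0.15):
    """Low-latency relaying keeps inter-arrival shape; only small jitter is added."""
    return [max(0, int(p * (1 + rng.gauss(0, jitter)))) for p in pattern]


def padded_flow(pattern, rate=5000):
    """Constant-rate padding: every bin carries the same byte count."""
    return [rate] * len(pattern)


def unrelated_flow(bins, rng):
    """Background client flow with no relation to the injected pattern."""
    return [int(abs(rng.gauss(2500, 1500))) for _ in range(bins)]


def rank_candidates(pattern, candidates):
    """Order candidate flows by correlation with the server-side pattern."""
    scores = {name: pearson(pattern, flow) for name, flow in candidates.items()}
    return sorted(scores, key=scores.get, reverse=True), scores


def demo(seed=1, bins=64):
    rng = random.Random(seed)
    pattern = make_pattern(bins)
    candidates = {"victim_preserved_timing": preserved_flow(pattern, rng),
                  "victim_padded_link": padded_flow(pattern),
                  **{f"other_{i}": unrelated_flow(bins, rng) for i in range(5)}}
    return rank_candidates(pattern, candidates)


if __name__ == "__main__":
    ranking, scores = demo()
    for name in ranking:
        print(f"{name:26s} r={scores[name]:+.3f}")
```

The flow that preserves timing ranks first with r near 1, the padded flow scores 0 because its series is flat, and the unrelated flows scatter around 0; this is the difference between Tor's low-latency design and a padded link that the quoted explanation points at.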
