TOR Anononymity No Longer Secure

[-SpectraL]

Research undertaken between 2008 and 2014 suggests that more than 81% of Tor clients can be ‘de-anonymised’ – their originating IP addresses revealed – by exploiting the ‘Netflow’ technology that Cisco has built into its router protocols, and similar traffic analysis software running by default in the hardware of other manufacturers.

Professor Sambuddho Chakravarty, a former researcher at Columbia University’s Network Security Lab and now researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology in Delhi, has co-published a series of papers over the last six years outlining the attack vector, and claims a 100% ‘decloaking’ success rate under laboratory conditions, and 81.4% in the actual wilds of the Tor network.

Chakravarty’s technique [PDF] involves introducing disturbances in the highly-regulated environs of Onion Router protocols using a modified public Tor server running on Linux - hosted at the time at Columbia University. His work on large-scale traffic analysis attacks in the Tor environment has convinced him that a well-resourced organisation could achieve an extremely high capacity to de-anonymise Tor traffic on an ad hoc basis – but also that one would not necessarily need the resources of a nation state to do so, stating that a single AS (Autonomous System) could monitor more than 39% of randomly-generated Tor circuits.

Chakravarty says: “…it is not even essential to be a global adversary to launch such traffic analysis attacks. A powerful, yet non- global adversary could use traffic analysis methods […] to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection,”

The technique depends on injecting a repeating traffic pattern – such as HTML files, the same kind of traffic of which most Tor browsing consists – into the TCP connection that it sees originating in the target exit node, and then comparing the server’s exit traffic for the Tor clients, as derived from the router’s flow records, to facilitate client identification.


http://thestack.com/chakravarty-tor-traffic-analysis-141114

[aldra]

timing attack refined

again, it looks like this only affects clients trying to access standard internet sites as opposed to hidden services as it relates to correlation of data between controlled entry and exit nodes - the bit on the end about the multiple-hidden service raid is irrelevant.

[Goatwhore]

Article is nothing but sensationalism. They were able to deanonymize 81% of the traffic they analyzed under lab conditions, but if you actually read the paper, the author himself discusses the practical limitations of this attack.

Also see this response from the Tor devs:

https://blog.torproject.org/blog/traffic-correlation-using-netflows

[aldra]

yeah, skimming over the included pdfs it looks as though he's getting an 80% success rate when he can get access to netflow data... which will not be the majority of the time in the real world

[-SpectraL]

Article is nothing but sensationalism. They were able to deanonymize 81% of the traffic they analyzed under lab conditions, but if you actually read the paper, the author himself discusses the practical limitations of this attack.

Also see this response from the Tor devs:

https://blog.torproject.org/blog/traffic-correlation-using-netflows

Actually, they got a 100% rate in the Lab and 81% in the wild, and that article you posted says nothing concrete at all to dispute it. More like just a lot of sputtering and denials.

[otangabang]

I wonder what anononononononononononymous thinks about this. Lol, I bet you didn't even do that on purpose.

is it me or is this not news at all beyond the specifics of the case study? Comparing traffic via injections is the way it was always theoretically possible to unmask users at exit nodes, the article just says it's easier to do than previously thought. Basically if the parameters are perfect, it's likely you can unmask traffic. Fucking "news" all right.

Javascript is a much bigger threat to anonymity. Whonix or even a fucking VPN (before or after tor) remedies these problems.

 

[komokazi]

Fear-mongering.

[Goatwhore]

The most significant problem I see with this attack is the 6.4% rate of false positives. Assuming ~1000 users are connected to a given entry guard, it means that even if the client side traffic is visible to the operator of the rogue exit node, he will only be able to narrow it down to 64 possible routes.

More refinement can probably be done, but it seems like Tor's load balancing techniques already defeat timing confirmation to an extent.