Traffic Correlation Attacks against Anonymity on Tor

Sep 6, 2013, 11:30 am EST

The researchers led by Aaron Johnson of the Naval Research Laboratory published the paper on Traffic Correlation Attacks against Anonymity on Tor.

Anonymity on Tor network is the primary reason for the use of the popular network, hacktivists, whistle blowers, hackers and cybercriminals are enticed by the possibility to be not traceable. Straying far from prying eyes is the primary attraction for the user of Tor project.

In reality many researchers all over the world are working to get over Anonymity on Tor trying to find a flaw that allows the revelation of user’s identity, many experts have addressed the software components used to access the networks (e.g. Browsers, plugin) other searching for vulnerability in the routing protocol or in the encryption implemented.

A group of researchers from Georgetown University and the US Naval Research Laboratory (USNRL) published a study that dismantles the certainty of Anonymity on Tor network, the experts sustains that it is possible to identify Tor users. In reality the group of experts presented their POC on Anonymity on Tor network and capability to track Tor users in November 2012 during the November’s Conference on Computer and Communications Security (CCS) in Berlin.

The researchers led by Aaron Johnson of the Naval Research Laboratory published the paper titled “Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries”, the document was also posted on Cryptome months later.

The experts detailed the known Traffic Correlation Attacks against Onion routing that is based on the concept that a persistent adversary can monitor a user’s traffic as it enters and leaves the Tor network revealing user’s identity.

“… Correlating that traffic using traffic analysis links the observed sender and receiver of the communication. Øverlier and Syverson first demonstrated the practicality of the attack in the context of discovering Tor Hidden Servers. Laterwork by Murdoch and Danezis show that traffic correlation attacks can be done quite efficiently against Tor.”

“To quantify the anonymity offered by Tor, we examine path compromise rates and how quickly extended use of the anonymity network results in compromised paths”, “Tor users are far more susceptible to compromise than indicated by prior work”  “We create an empirical model of Tor congestion, identify novel attack vectors, and show that it too is more vulnerable than previously indicated.” the paper states.

The group of researchers developed the TorPS simulator for the analysis of traffic correlation in the live TOR network, it simulates path selection in Tor demonstrating that under specific conditions it is possible to identify a Tor user with a 95 percent certainty.

“An adversary that provides no more bandwidth than some volunteers do today can deanonymize any given user within three months of regular Tor use with over 50 percent probability and within six months with over 80 percent probability. We observe that use of BitTorrent is particularly unsafe, and we show that long-lived ports bear a large security cost for their performance needs. We also observe that the Congestion-Aware Tor proposal exacerbates these vulnerabilities,” the paper states.

In other world user’s internet experience could vary the likelihood to be identified, BitTorrent ordinary users for example are more exposed to identification.

“Tor is known to be insecure against an adversary that can observe a user’s traffic entering and exiting the anonymity network. Quite simple and efficient techniques can correlate traffic at these separate locations by taking advantage of identifying traf-fic patterns” “As a result, the user and his destination may beidentified, completely subverting the protocol’s security goals” added the researchers.

Image 1

Johnson’s team assumes that an adversary has access either to Internet exchange ports, or controls a number of Autonomous Systems, could reveal our identity, fortunately those capabilities are not easy to gain for a trivial hacker but a state sponsored hacker or law enforcement with complicity of an ISP can do it.

The results confirm that Tor routing model is exposed to great risks from traffic correlation than previous studies suggested, an adversary that provides no more bandwidth than some volunteers do today is able to  deanonymize any given user within three months of regular Tor use with over 50% probability and within six months with over 80%probability.

Current Tor users should carefully consider it.

(Source: CDM, Pierluigi Paganini, Editor and Chief )

September 6, 2013

cyber defense awardsWe are in our 11th year, and Global InfoSec Awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.
Cyber Defense Awards

11th Anniversary Exclusive Top Global CISO Conference & Innovators Showcase - October - 2023