
Tor users can be de-anonymised by analysing router information

On 11/15/2014 06:04 AM, Snehan Kekre wrote:
> Research undertaken between 2008 and 2014 suggests that more than 81% of Tor 
> clients can be ‘de-anonymised’ — their originating IP addresses revealed — by 
> exploiting the ‘Netflow’ 
> <http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-netflow/index.html> technology 
> that Cisco has built into its router protocols, and similar traffic analysis 
> software running by default in the hardware of other manufacturers.
> 
> Professor Sambuddho Chakravarty 
> <https://sites.google.com/site/sambuddhochakravarty/>, a former researcher at 
> Columbia University’s Network Security Lab <http://nsl.cs.columbia.edu/> and now 
> researching Network Anonymity and Privacy at the Indraprastha Institute of 
> Information Technology in Delhi, has co-published a series of papers over the 
> last six years outlining the attack vector, and claims a 100% ‘decloaking’ 
> success rate under laboratory conditions, and 81.4% in the actual wilds of the 
> Tor network.
> 
> Chakravarty’s technique 
> <https://mice.cs.columbia.edu/getTechreport.php?techreportID=1545&format=pdf&;> [PDF] 
> involves introducing disturbances in the highly-regulated environs of Onion 
> Router protocols using a modified public Tor server running on Linux - hosted at 
> the time at Columbia University. His work on large-scale traffic analysis 
> attacks in the Tor environment has convinced him that a well-resourced 
> organisation could achieve an extremely high capacity to de-anonymise Tor 
> traffic on an ad hoc basis — but also that one would not necessarily need the 
> resources of a nation state to do so, stating that a single AS (Autonomous 
> System) could monitor more than 39% of randomly-generated Tor circuits.
> 
> Chakravarty says: /‘…it is not even essential to be a global adversary to launch 
> such traffic analysis attacks. A powerful, yet non-global adversary could use 
> traffic analysis methods […] to determine the various relays participating in a 
> Tor circuit and directly monitor the traffic entering the entry node of the 
> victim connection,’/
> 
> The technique depends on injecting a repeating traffic pattern — such as HTML 
> files, the same kind of traffic of which most Tor browsing consists — into the 
> TCP connection that it sees originating in the target exit node, and then 
> comparing the server’s exit traffic for the Tor clients, as derived from the 
> router’s flow records, to facilitate client identification.
> 
> Tor is susceptible to this kind of traffic analysis because it was designed for 
> low-latency. Chakravarty explains: /‘To achieve acceptable quality of service, 
> [Tor attempts] to preserve packet interarrival characteristics, such as 
> inter-packet delay. Consequently, a powerful adversary can mount traffic 
> analysis attacks by observing similar traffic patterns at various points of the 
> network, linking together otherwise unrelated network connections.’/
> 
> The online section of the research involved identifying ‘victim’ clients in 
> Planetlab <https://www.planet-lab.org/> locations in Texas, Belgium and Greece, 
> and exercised a variety of techniques and configurations, some involving control 
> of entry and exit nodes, and others which achieved considerable success by only 
> controlling one end or the other.
> 
> Traffic analysis of this kind does not involve the enormous expense and 
> infrastructural effort that the NSA put into their FoxAcid Tor redirects 
> <http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity>, 
> but it benefits from running one or more high-bandwidth, high-performance, 
> high-uptime Tor relays.
> 
> The forensic interest 
> <https://www.cryptocoinsnews.com/how-fbi-illegally-hacked-silk-road-servers-find-alleged-pirate-ross-ulbricht/> in 
> quite how international cybercrime initiative ‘Operation Onymous’ defied Tor’s 
> obfuscating protocols to expose 
> <http://thestack.com/operation-onymous-seize-hundreds-underground-drug-weapons-cybermarkets-071114> hundreds 
> of ‘dark net’ sites, including infamous online drug warehouse Silk Road 2.0, has 
> led many to conclude that the core approach to deanonymisation of Tor clients 
> depends upon becoming a ‘relay of choice’ — and a default resource when 
> Tor-directed DDOS attacks put ‘amateur’ servers out of service 
> <http://www.coindesk.com/silk-road-2-0-shrugs-sophisticated-ddos-attack/>.

I also recommend his PhD thesis:

Sambuddho Chakravarty (2014) Traffic Analysis Attacks and Defenses in
Low Latency Anonymous Communication
http://www.cs.columbia.edu/~angelos/Papers/theses/sambuddho_thesis.pdf
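To make the quoted point concrete (a low-latency network preserves inter-packet timing, so per-interval byte counts seen at different vantage points stay correlated, while padding removes the signal), here is a small added illustration on constructed data. It is not code from the article, the thesis or the Tor project; the flow series, the jitter/noise model and the constant-rate padding are all assumptions made for this example.

```python
import random

def injected_pattern(length=200, period=4, burst_bytes=5000):
    """Constructed 'repeating traffic pattern' as bytes per 1-second interval:
    one burst every `period` seconds, idle otherwise (stands in for the
    repeated HTML fetches the article mentions)."""
    return [burst_bytes if i % period == 0 else 0 for i in range(length)]

def observed_at_relay(series, jitter=0.1, noise=500, seed=1):
    """Flow-record view of the same connection at another point in the path.
    Assumed model: timing is mostly preserved, so only a fraction `jitter` of
    each interval's bytes slips into the next interval, plus uniform cross
    traffic of up to `noise` bytes per interval."""
    rng = random.Random(seed)
    out = [0.0] * (len(series) + 1)
    for i, b in enumerate(series):
        spill = b * jitter                      # bytes delayed into next interval
        out[i] += b - spill + rng.uniform(0, noise)
        out[i + 1] += spill
    return out[:len(series)]

def unrelated_client(length=200, seed=2):
    """An unrelated client's traffic: uniform random byte counts (constructed)."""
    rng = random.Random(seed)
    return [rng.uniform(0, 5000) for _ in range(length)]

def constant_rate_padded(series, rate=6000):
    """Defence sketch: pad every interval up to a fixed byte rate, so the flow
    record no longer carries the pattern's shape (a mitigation, not Tor's)."""
    return [max(b, rate) for b in series]

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sum((x - mx) ** 2 for x in xs) ** 0.5
    sy = sum((y - my) ** 2 for y in ys) ** 0.5
    return cov / (sx * sy) if sx and sy else 0.0

def correlation_report():
    """Correlate the injected pattern against three candidate flow series."""
    pattern = injected_pattern()
    seen = observed_at_relay(pattern)
    return {
        "same_connection": pearson(pattern, seen),            # high: timing preserved
        "unrelated_client": pearson(pattern, unrelated_client()),  # near zero
        "padded_connection": pearson(pattern, constant_rate_padded(seen)),  # zero
    }

if __name__ == "__main__":
    for name, r in correlation_report().items():
        print(f"{name:18s} r = {r:+.3f}")
```

The same-connection series correlates strongly with the pattern despite jitter and cross traffic, which is the property the article attributes to Tor's low-latency design; the padded series shows why shaping traffic to a constant rate defeats this particular signal.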