Traffic Correlation Attacks against Anonymity on Tor

Pierluigi Paganini September 03, 2013

The researchers led by Aaron Johnson of the Naval Research Laboratory published the paper on Traffic Correlation Attacks against Anonymity on Tor.

Anonymity on Tor network is the primary reason for the use of the popular network, hacktivists, whistleblowers, hackers, and cybercriminals are enticed by the possibility to be not traceable. Straying far from prying eyes is the primary attraction for the user of  Tor project.

In reality many researchers all over the world are working to get over Anonymity on Tor trying to find a flaw that allows the revelation of user’s identity, many experts have addressed the software components used to access the networks (e.g. Browsers, plugin) another searching for vulnerability in the routing protocol or in the encryption implemented.

A group of researchers from Georgetown University and the US Naval Research Laboratory (USNRL) published a study that dismantles the certainty of Anonymity on Tor network, the experts sustains that it is possible to identify Tor users. In reality the group of experts presented their POC on Anonymity on Tor network and capability to track Tor users in November 2012 during the November’s Conference on Computer and Communications Security (CCS) in Berlin.

The researchers led by Aaron Johnson of the Naval Research Laboratory published the paper titled “Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries”, the document was also posted on Cryptome months later.

The experts detailed the known Traffic Correlation Attacks against Onion routing that is based on the concept that a persistent adversary can monitor a user’s traffic as it enters and leaves the Tor network revealing user’s identity.

“… correlating that traffic using traffic analysis links the observed sender and receiver of the communication. Øverlier and Syverson first demonstrated the practicality of the attack in the context of discovering Tor Hidden Servers. Later work by Murdoch and Danezis show that traffic correlation attacks can be done quite efficiently against Tor.”

“To quantify the anonymity offered by Tor, we examine path compromise rates and how quickly extended use of the anonymity network results in compromised paths”, “Tor users are far more susceptible to compromise than indicated by prior work”  “We create an empirical model of Tor congestion, identify novel attack vectors, and show that it too is more vulnerable than previously indicated.” the paper states.

The group of researchers developed the TorPS simulator for the analysis of traffic correlation in the live TOR network, it simulates path selection in Tor demonstrating that under specific conditions it is possible to identify a Tor user with a 95 percent certainty.

“An adversary that provides no more bandwidth than some volunteers do today can deanonymize any given user within three months of regular Tor use with over 50 percent probability and within six months with over 80 percent probability. We observe that use of BitTorrent is particularly unsafe, and we show that long-lived ports bear a large security cost for their performance needs. We also observe that the Congestion-Aware Tor proposal exacerbates these vulnerabilities,” the paper states.

In other world user’s internet experience could vary the likelihood to be identified, BitTorrent ordinary users, for example, are more exposed to identification.

Tor is known to be insecure against an adversary that can observe a user’s traffic entering and exiting the anonymity network. Quite simple and efficient techniques can correlate traffic at these separate locations by taking advantage of identifying traf-fic patterns” “As a result, the user and his destination may beidentified, completely subverting the protocol’s security goals” added the researchers.

Johnson’s team assumes that an adversary has access either to Internet exchange ports or controls a number of Autonomous Systems, could reveal our identity, fortunately, those capabilities are not easy to gain for a trivial hacker but a state-sponsored hacker or law enforcement with the complicity of an ISP can do it.

The results confirm that Tor routing model is exposed to great risks from traffic correlation than previous studies suggested, an adversary that provides no more bandwidth than some volunteers do today is able to  deanonymize any given user within three months of regular Tor use with over 50% probability and within six months with over 80%probability.

Current Tor users should carefully consider it.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Anonymity on Tor, Anonymity)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment