81% Of Tor Users Can Be De-Anonymised By Analysing Router Information, Research Indicates

Discussion in 'Industry News' started by Catalyst, Nov 18, 2014.

  1. Catalyst

    Catalyst Audiosexual

    Joined:
    May 28, 2012
    Messages:
    5,810
    Likes Received:
    801
    Research undertaken between 2008 and 2014 suggests that more than 81% of Tor clients can be ‘de-anonymised’ – their originating IP addresses revealed – by exploiting the ‘NetFlow’ technology that Cisco has built into its router protocols, and similar traffic analysis software running by default in the hardware of other manufacturers.

    Professor Sambuddho Chakravarty, a former researcher at Columbia University’s Network Security Lab and now researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology in Delhi, has co-published a series of papers over the last six years outlining the attack vector, and claims a 100% ‘decloaking’ success rate under laboratory conditions, and 81.4% in the actual wilds of the Tor network.

    Chakravarty’s technique [PDF] involves introducing disturbances in the highly-regulated environs of Onion Router protocols using a modified public Tor server running on Linux - hosted at the time at Columbia University. His work on large-scale traffic analysis attacks in the Tor environment has convinced him that a well-resourced organisation could achieve an extremely high capacity to de-anonymise Tor traffic on an ad hoc basis – but also that one would not necessarily need the resources of a nation state to do so, stating that a single AS (Autonomous System) could monitor more than 39% of randomly-generated Tor circuits.

    Chakravarty says: “…it is not even essential to be a global adversary to launch such traffic analysis attacks. A powerful, yet non-global adversary could use traffic analysis methods […] to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection.”

    The technique depends on injecting a repeating traffic pattern – such as HTML files, the same kind of traffic of which most Tor browsing consists – into the TCP connection that it sees originating in the target exit node, and then comparing the server’s exit traffic for the Tor clients, as derived from the router’s flow records, to facilitate client identification.
    Tor is susceptible to this kind of traffic analysis because it was designed for low-latency. Chakravarty explains: “To achieve acceptable quality of service, [Tor attempts] to preserve packet interarrival characteristics, such as inter-packet delay. Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various points of the network, linking together otherwise unrelated network connections.”

    The online section of the research involved identifying ‘victim’ clients in Planetlab locations in Texas, Belgium and Greece, and exercised a variety of techniques and configurations, some involving control of entry and exit nodes, and others which achieved considerable success by only controlling one end or the other.
    Traffic analysis of this kind does not involve the enormous expense and infrastructural effort that the NSA put into their FoxAcid Tor redirects, but it benefits from running one or more high-bandwidth, high-performance, high-uptime Tor relays.

    The forensic interest in quite how international cybercrime initiative ‘Operation Onymous’ defied Tor’s obfuscating protocols to expose hundreds of ‘dark net’ sites, including infamous online drug warehouse Silk Road 2.0, has led many to conclude that the core approach to deanonymisation of Tor clients depends upon becoming a ‘relay of choice’ – and a default resource when Tor-directed DDoS attacks put ‘amateur’ servers out of service.

    Source: The Stack
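The attack the article describes (a server the adversary controls modulates its response stream into a repeating on/off pattern, and coarse per-client byte counts exported by a router on the client's side are searched for the same pattern) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not Chakravarty's code and not part of the article. Everything in it is constructed: the `FlowRecord` class stands in for a NetFlow export, the client IPs, the one-second export buckets, the 1-interval Tor delay and the byte volumes are assumptions chosen so the script runs offline, and a real deployment would work from much coarser, timeout-aggregated flow records with sampling. The `best_lag_correlation` helper slides the pattern over each client's series to absorb unknown network delay, which is the part that makes the correlation robust enough to be useful.

```python
# Added example (not the paper's or article's code): correlating an injected
# server-side traffic pattern against NetFlow-style per-client byte counts
# captured on the victim's side of the Tor circuit. All flow records below
# are constructed in simulate_capture(); nothing is read from a real router.
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One NetFlow-like record: bytes seen for a client IP in one export interval.
    Assumption: the router exports 1-second buckets per client (real exports are coarser)."""
    client_ip: str
    interval: int
    n_bytes: int


def make_pattern(length, seed=7):
    """On/off sequence the attacker's server replays in its HTTP response stream:
    1 = burst the HTML download for that interval, 0 = stall it."""
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(length)]


def simulate_capture(pattern, victim_ip, decoy_ips, lag=1, seed=42):
    """Constructed flow records at the victim's entry-side router.
    The victim's byte counts track the pattern, shifted by `lag` intervals of Tor
    latency and blurred by cell padding and noise; decoys carry unrelated traffic."""
    rng = random.Random(seed)
    n_intervals = len(pattern) + lag + 3
    records = []
    for t in range(n_intervals):
        pos = t - lag
        signal = pattern[pos] if 0 <= pos < len(pattern) else 0
        victim_bytes = 10_000 + 50_000 * signal + int(rng.gauss(0, 4_000))
        records.append(FlowRecord(victim_ip, t, max(victim_bytes, 0)))
        for ip in decoy_ips:  # background clients with no relation to the pattern
            records.append(FlowRecord(ip, t, rng.randint(0, 60_000)))
    return records


def bucket_by_client(records):
    """Turn a bag of flow records into one byte-count time series per client IP."""
    last = max(r.interval for r in records)
    series = defaultdict(lambda: [0] * (last + 1))
    for r in records:
        series[r.client_ip][r.interval] += r.n_bytes
    return dict(series)


def pearson(a, b):
    """Pearson correlation coefficient of two equal-length sequences (0.0 if degenerate)."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0
    return cov / (var_a * var_b) ** 0.5


def best_lag_correlation(pattern, series, max_lag=5):
    """Slide the injected pattern over a client's series to absorb unknown
    network delay; return (best r, lag at which it occurred)."""
    best = (-1.0, 0)
    for lag in range(max_lag + 1):
        window = series[lag:lag + len(pattern)]
        if len(window) < len(pattern):
            break
        r = pearson(pattern, window)
        if r > best[0]:
            best = (r, lag)
    return best


def rank_clients(pattern, records, max_lag=5):
    """Score every client IP in the flow records; highest correlation first."""
    series = bucket_by_client(records)
    scored = [(ip, *best_lag_correlation(pattern, s, max_lag)) for ip, s in series.items()]
    return sorted(scored, key=lambda x: x[1], reverse=True)


def identify(pattern, records, threshold=0.8):
    """Return the client whose flows match the injected pattern, or None if no
    candidate clears the threshold (the knob that trades hits for false positives)."""
    ip, r, _lag = rank_clients(pattern, records)[0]
    return ip if r >= threshold else None


if __name__ == "__main__":
    pat = make_pattern(60)
    recs = simulate_capture(pat, "10.0.0.23", ["10.0.0.5", "10.0.0.9", "10.0.0.17", "10.0.0.31"])
    for ip, r, lag in rank_clients(pat, recs):
        print(f"{ip:>10}  r={r:+.3f}  lag={lag}")
    print("identified:", identify(pat, recs))
```

The victim's series is the only one whose correlation with the pattern approaches 1 at some lag; the decoys stay near zero however the pattern is shifted. The threshold in `identify` is where the real trade-off lives: lowering it catches victims whose traffic is noisier, at the cost of more innocent clients scoring above it, which is why a field success rate like the 81.4% quoted above cannot be read without its matching false-positive rate.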
     
  3. monochrom3

    monochrom3 Ultrasonic

    Joined:
    Jul 3, 2014
    Messages:
    82
    Likes Received:
    21
    Interesting post, thanks for that. If you're not up to anything _really_ illegal it might not be a big problem if Tor isn't 100% safe, but 81.4% chance of deanonymizing... damn.
     
  4. If there's a will there's away, for both good and for evil, the good hopefully trumping the other every time.
     
  5. nadirtozenith

    nadirtozenith Rock Star

    Joined:
    Nov 20, 2011
    Messages:
    397
    Likes Received:
    325
    Location:
    navigating between nadir zenith vectoring upwards
    :sad: *yes* :wink: :mates:
     
  6. sideshowbob

    sideshowbob Producer

    Joined:
    Apr 17, 2014
    Messages:
    781
    Likes Received:
    145
    Location:
    Brave New World
    Just in case ...

    Tor is everything but an instant solution for anonymity. It requires a certain "geekness".
    1. First of all, a VPN without logging.
    2. Your own operating system (Linux/BSD), can be virtual. Tails should make it clear if you're unfamiliar with it; I recommend building your own.
    3. You really need to "dig that stuff" or you're better off without it. Use reddit.com, there's loads of Tor threads, a start.

    Here is what Tor Net says about the NetFlow issue.
    The Weekly Tor News and the Mozilla Blog Page about Polaris Privacy Initiative.

    Good Topic, much appreciated! :wink:
     