Tor is regularly recommended as a vital privacy protection technology, and just as regularly, researchers discover ways to de-anonymise users, and the latest of these has just hit Arxiv.
The research, led by boffins from Princeton, demonstrates ways to de-anonymise Tor users with access to just one end of a communication path, at the Autonomous System (AS) level.
The attack suite, which the researchers call Raptor, differs from previous attacks against anonymity, most of which need to observe traffic flows at different points of the Tor network, and need to capture symmetric flows.
Instead, the Princeton crew proposes an asymmetric model which they call a “form of end-to-end timing analysis that allows AS-level adversaries to compromise the anonymity of Tor users … as long as the adversary is able to observe any direction of the traffic at both ends of the communication”.
This, they write, create four scenarios where an attacker might be able to collect enough information to de-anonymise a user:
- Observing data traffic from the client to the entry relay, and from the exit relay to the server;
- Observing traffic from the client to the entry relay, and catching TCP ACKs from the server to the exit relay;
- Catching TCP ACKs from a guard relay to a client, as well as data traffic from the exit relay to the server; or
- Relying just on two sets of TCP ACKs: from the guard relay to the client, and from the server to the exit relay.
In their experimental results, the researchers reckon they achieved “detection accuracy of 95 per cent”, with other techniques available to increase this further.
The researchers' experiments used PlanetLab nodes to act as the clients and the servers, with 50 running as Tor clients and 50 running as Web servers hosting a 100 MB image file. 300 seconds' worth of packet traces for each end were analysed to get TCP sequence number and ACK number fields.
Their ability to correlate the two ends of the communication using only sequence number and ACK number ran between 94 and 96 per cent, the researchers claim.
The paper points out that a state-level attacker – that is, an NSA demanding traffic analysis from a provider – would only need traffic capture from a relatively small number of providers. “Large networks such as NTT or Level3 are able to see Tor traffic for up to 90 per cent of Tor circuits”, the paper states.
The researchers say attacks can be mitigated in two ways: the Tor network needs to monitor the routing control plane and data plane to try to detect attacks; and with a variety of preventative measures.
Preventative measures include writing Tor clients to favour guard relays that have the shortest AS path to the client; the implementation of secure inter-domain routing (which unfortunately requires a bunch of providers to agree to deploy it); and to get Tor relays advertising /24 prefixes. ®