Slashdot Mirror


81% of Tor Users Can Be De-anonymized By Analysing Router Information

An anonymous reader writes: A former researcher at Columbia University's Network Security Lab has conducted research since 2008 indicating that traffic flow software included in network routers, notably Cisco's 'Netflow' package, can be exploited to deanonymize 81.4% of Tor clients. Professor Sambuddho Chakravarty, currently researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology, uses a technique which injects a repeating traffic pattern into the TCP connection associated with an exit node, and then compares subsequent aberrations in network timing with the traffic flow records generated by Netflow (or equivalent packages from other router manufacturers) to individuate the 'victim' client. In laboratory conditions the success rate of this traffic analysis attack is 100%, with network noise and variations reducing efficiency to 81% in a live Tor environment. Chakravarty says: 'it is not even essential to be a global adversary to launch such traffic analysis attacks. A powerful, yet non-global adversary could use traffic analysis methods [] to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection.'

6 of 136 comments

  1. Re:Can't be true by HornWumpus · Score: 5, Interesting

    Can you say 'parallel construction'? I thought you could.

    There is a lot of evidence that TOR is simply a honey-pot.

    False positives are easily dealt with when a user generates traffic for any sort of period of time.

    --
    John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  2. It doesn't matter! by Anonymous Coward · Score: 5, Interesting

    The whole point of Tor, for those who are morally and ethically sane, is that it makes monitoring the populace orders of magnitude more expensive!

    Forcing NSA and their ilk to actually target people individually, instead of just passively collecting plain text data on everyone is exactly what needs to happen!

    Use Tor as much as possible, it is the only thing stopping complete internet surveillance.

    1. Re:It doesn't matter! by Anonymous Coward · Score: 3, Interesting

      This is what I tell people about using Tor. It's not ironclad but it adds a lot of difficulty for people who want to collect everyone's data. And even if the NSA can break it, the coffee shop can't, your ISP can't, and the websites that track your every move across the web can't, at least not all of the time. And currently Tor is the best way for people to voice their discontent with the surveillance state that's been forced on us in recent years. So that's better than doing nothing at all.

  3. So don't use Tor at home? by rvw · Score: 5, Interesting

    Basically what they are saying is that you should not use Tor at home or at work, but in other places, where you don't do your normal browsing. Make normal and Tor browsing mutually network exclusive!

    1. Re:So don't use Tor at home? by Bob9113 · Score: 4, Interesting

      Basically what they are saying is that you should not use Tor at home or at work, but in other places, where you don't do your normal browsing.

      Close, but not quite ideal. You should use TOR at home to do strictly legitimate things, to create the haystack in which the needles can be hidden. Then, when you want to do something without being watched, you use TOR with clean hardware and connectivity. Also, when travelling to your clean connectivity, leave your cell phone and other tracking devices at home, and do it somewhere with lots of other people.

  4. same data, packet timing differentiated by raymorris · Score: 3, Interesting

    You can add a fingerprint without changing the data. One way is by timing. A 10 Mbps cable modem, for example, can send at maybe 50 Mbps for 100 milliseconds, then it stops for 400ms to average 10 Mbps, the speed you paid for. If I want to mark a traffic flow I'm relaying, I can send the packets out in bursts of 120KB, 60KB, 120KB, 60KB. Assuming a sufficiently uncongested network, that pattern will be visible several routers further down the line.

    I've relayed precisely the data I was sent, I just modulated the rate at which I sent it.
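
The effect described in the last comment and in the summary's note about network noise, as an added example that is not part of the original thread: a constructed simulation that correlates the 120KB/60KB burst pattern against per-interval volumes as a downstream flow monitor might record them. The uniform noise model, the interval count, and the constant-rate flow (same average volume, no bursts) are assumptions introduced here for illustration.

```python
import random
from statistics import mean, pstdev

PATTERN_KB = [120, 60]  # burst sizes quoted in the comment above

def pearson(xs, ys):
    """Pearson correlation; 0.0 if either series is flat (carries no timing signal)."""
    sx, sy = pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    mx, my = mean(xs), mean(ys)
    cov = mean([(x - mx) * (y - my) for x, y in zip(xs, ys)])
    return cov / (sx * sy)

def observe(sent_kb, jitter_kb, rng):
    """Per-interval volume a downstream flow monitor might record: what was
    sent plus uniform noise standing in for congestion (constructed model)."""
    return [s + rng.uniform(-jitter_kb, jitter_kb) for s in sent_kb]

def demo(intervals=200, seed=1):
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    marked = [PATTERN_KB[i % 2] for i in range(intervals)]
    scores = {}
    # The same marked flow seen through increasing amounts of network noise.
    for jitter in (0, 15, 60):
        scores[f"jitter_{jitter}"] = pearson(marked, observe(marked, jitter, rng))
    # A flow that never carried the pattern (constructed sample data).
    unrelated = [rng.uniform(40, 140) for _ in range(intervals)]
    scores["unrelated"] = pearson(marked, unrelated)
    # Same average volume sent at a constant per-interval rate.
    constant = [mean(PATTERN_KB)] * intervals
    scores["constant_rate"] = pearson(marked, constant)
    return scores

if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:>14}: r = {r:+.2f}")
```

The marked flow stays strongly correlated at low noise and degrades as jitter grows, which matches the "sufficiently uncongested network" caveat, while a flow with no per-interval variation gives the correlation nothing to match.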