81% of Tor Users Can Be De-anonymized By Analysing Router Information

An anonymous reader writes A former researcher at Columbia University's Network Security Lab has conducted research since 2008 indicating that traffic flow software included in network routers, notably Cisco's 'Netflow' package, can be exploited to deanonymize 81.4% of Tor clients. Professor Sambuddho Chakravarty, currently researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology, uses a technique which injects a repeating traffic pattern into the TCP connection associated with an exit node, and then compares subsequent aberrations in network timing with the traffic flow records generated by Netflow (or equivalent packages from other router manufacturers) to individuate the 'victim' client. In laboratory conditions the success rate of this traffic analysis attack is 100%, with network noise and variations reducing efficiency to 81% in a live Tor environment. Chakravarty says: 'it is not even essential to be a global adversary to launch such traffic analysis attacks. A powerful, yet non- global adversary could use traffic analysis methods [] to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection.'

Dear Tor users:

[NoNonAlphaCharsHere]

By "can be" De-anonymized, we mean "have been".

Sincerely,
The NSA

Re:Dear Tor users:

This is *years* old news, with many papers on the subject. Anyone who thought TOR was secure was wildly misinformed by the media, including slashdot.

Re:Can't be true

[HornWumpus]

Can you say 'parallel construction'? I thought you could.

There is a lot of evidence the TOR is simply a honey-pot.

False positives are easily dealt with when a user generates traffic for any sort of period of time.

Re:The only solution I can think of

[Lunix+Nutcase]

How come we aren't don't doing more of that on government/corporate communications? I mean, turnabout is fair play, no?

I don't know. Why are you not doing more of that? Most people are not doing it because they don't want to be sent to prison.

It doesn't matter!

The whole point of tor for those who are morally and ethically sane, is that it makes monitoring the populus orders of magnitude more expensive!

Forcing NSA and their ilk to actually target people individually, instead of just passivly collecting plain text data on everyone is exactly what needs to happen!

Use Tor as much as possible, it is the only thing stopping complete internet surveillance.

Re:It doesn't matter!

This is what I tell people about using tor. It's not iron clad but it adds a lot of difficulty for people who want to collect everyones data. And even if the nsa can break it, the coffee shop can't, your isp can't, and the websites that track your every move across the web can't, at least not all of the time. And currently tor is the best way for people to voice their discontent with the surveillance state that's been forced on us in recent years. So that's better than doing nothing at all.

So don't use Tor at home?

[rvw]

Basically what they are saying is that you should not use Tor at home or at work, but in other places, where you don't do your normal browsing. Make normal and Tor browsing mutually network exlusive!

Re:So don't use Tor at home?

[Bob9113]

Basically what they are saying is that you should not use Tor at home or at work, but in other places, where you don't do your normal browsing.

Close, but not quite ideal. You should use TOR at home to do strictly legitimate things, to create the haystack in which the needles can be hidden. Then, when you want to do something without being watched, you use TOR with clean hardware and connectivity. Also, when travelling to your clean connectivity, leave your cell phone and other tracking devices at home, and do it somewhere with lots of other people.

same data, packet timing differentiated

[raymorris]

You can add a fingerprint without changing the data. One way is by timing. A 10 Mbps cable modem, for example, can send at maybe 50 Mbps for 100 milliseconds, then it stops for a 400ms to average 10 Mbps, the speed you paid for. If I want to mark a traffic flow I'm relaying, I can send the packets out in burts of 120KB, 60KB, 120KB, 60KB. Assuming a sufficiently uncongested network, that pattern will be visible several routers further down the line.

I've relayed precisely the data I was sent, I just modulated the rate at which I sent it.

After Reading The Paper

[NotSanguine]

It's clear that there are significant limitations to the tested identification methods. Firstly, it requires that the server endpoint be under the control of the entity attempting identification. Secondly, the TOR *entry* node being used must be identified (if you have the resources, I guess you could monitor traffic flows from *all* entry nodes) in order for the Netflow data to be compared between the Server-->Exit Node and the Entry Node-->potential target client. Thirdly, in order to generate enough traffic to have enough collected data for correlation, large (the authors' term, they do not identify the size of the file/data required, only that downloads must last ~seven minutes to collect enough data) amounts of data must be downloaded from the server.

It's an interesting piece of work, but pulling off an identification like this requires the anonymized client to both connect to a server specifically configured to generate traffic flows that can be identified, and once connected, the client must be induced to download a "large" file/dataset. What is more, those attempting the identification must also be able to gather Netflow records from the interface(s) associated with the specific (and likely unknown) TOR entry node as well, or monitor flows from *all* TOR entry nodes.

It seems to me, that while the above scenario is certainly feasible, if you can get a potential target to visit a server that's under your control and download a large file, you can probably infect the client with malware from that server, and have said malware phone home without TOR, producing a specific identification without false positives or negatives. Which would be much less resource intensive and more useful, IMHO.

Re:Can't be true

[HornWumpus]

Chesters, Silk Road #1, Silk road #2...More to come.

Re:Can't be true

[gstoddart]

"So, yes, some of us are still being paranoid. But that doesn't mean that we're not right."

Spoken like a true paranoid.

Why, thank you. That's the nicest thing anybody has said to me all week.

Look, if the reality wasn't that the surveillance programs in place are far more invasive, sophisticated, and all encompassing than we've ever thought possible, I would happily be a slightly paranoid guy in the corner tilting at windmills. I'm OK with that. Everybody needs a hobby, and it's fun at parties.

The reality is, stuff which we know to be happening is far more widespread than anybody would have believed. They've demonstrated themselves willing to lie to Congress. They get funding from alternate sources which they don't always tell us about. They don't always care about the niceties of the law.

They've colluded with law enforcement to conceal their ways and means, and come up with ways to charge you and hide how they got there by writing a handbook of perjury and lying.

They can use secret laws to make it illegal to tell anybody the scope of what they're actually doing.

So, the problem becomes ... when a high degree of paranoia has been demonstrated to be not nearly paranoid enough ... being somewhat paranoid becomes pretty much mandatory.

And these guys have made what would have been dismissed as merely paranoid ravings only a few years ago into something which is documented and commonplace.

So, yeah, I sound paranoid. Because the people who make me paranoid have upped their game to the level where it's hard to imagine I'm being paranoid enough.

Re:The only solution I can think of

[gcnaddict]

How would you know if B never sends data back? B is sending junk data just as you are. To an outside observer, the amount of throughput by B would never change even if B sends an actual response.

In other words

[msobkow]

In other words, you're only "anonymous" if you don't matter.

Re:Can't be true

[sl3xd]

Citation, please? Where are you getting the idea that exit nodes have huge bandwidth bills?

For example: run a mac mini colo as an exit node, with unmetered bandwidth. $55/month, with 100 Mb of bandwidth, 24x7.

Or some guy in Korea with 3-5 gigabits of bandwidth at their home for ~$40 USD/month?

Or a university club running an exit point using approved university resources? (I know my alma matter does)

Tor exit nodes are often just people hosting them on their own nickel, often at home. You can throttle the tor server to 56 Kib/s, and leave the rest for your own usage.

Re:Can't be true

[HornWumpus]

Imagine you are a spook who has compromised a 'secure' means of communication.

Can you think of anything better to do with this then shut it down immediately? Should Bletchly park have gotten on the radio and told the Germans 'neener neener, we broke your codes you jerry morons.'?

Re:Where does the right to privacy come from?

[Maltheus]

Uhh, from the Constitution:

The right of the people to be secure in their persons, houses, papers, and effects,[a] against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

Re:The only solution I can think of

[Carnildo]

Not really. Random jitter can be dealt with statistically: collect more data, compute the mean, and use the mean where you would have used the exact timing.

In order to defeat timing analysis through noise injection, you need to introduce a large amount of variation compared to the number of packets being sent; for any realistically-sized data transfer, this requires jitter on the order of minutes to hours.