Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Communications Encryption Privacy

81% of Tor Users Can Be De-anonymized By Analysing Router Information 136

An anonymous reader writes A former researcher at Columbia University's Network Security Lab has conducted research since 2008 indicating that traffic flow software included in network routers, notably Cisco's 'Netflow' package, can be exploited to deanonymize 81.4% of Tor clients. Professor Sambuddho Chakravarty, currently researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology, uses a technique which injects a repeating traffic pattern into the TCP connection associated with an exit node, and then compares subsequent aberrations in network timing with the traffic flow records generated by Netflow (or equivalent packages from other router manufacturers) to individuate the 'victim' client. In laboratory conditions the success rate of this traffic analysis attack is 100%, with network noise and variations reducing efficiency to 81% in a live Tor environment. Chakravarty says: 'it is not even essential to be a global adversary to launch such traffic analysis attacks. A powerful, yet non- global adversary could use traffic analysis methods [] to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection.'
This discussion has been archived. No new comments can be posted.

81% of Tor Users Can Be De-anonymized By Analysing Router Information

Comments Filter:
  • by gcnaddict ( 841664 ) on Friday November 14, 2014 @01:54PM (#48387405)
    is to maximize bandwidth utilization with junk traffic between all connected nodes, substituting junk data for legitimate data as needed.
    • by Qzukk ( 229616 )

      There's just one problem:responses. If I send data to B and B never sends data back, then that's clearly junk data. If I send data to B and B immediately sends data back then that's clearly junk data unless B is a hidden service. Apply this to every node B talks to (and the nodes they talk to) and it's readily apparent which ones are actually having a conversation.

      • Re: (Score:1, Troll)

        Yep, you can't beat simple traffic analysis. How come we aren't don't doing more of that on government/corporate communications? I mean, turnabout is fair play, no? We might not know the content of the secret deals they make with the terrorists behind our backs, but we will know when they are talking to each other. Take away their privacy and maybe they'll respect ours.

        • by Lunix Nutcase ( 1092239 ) on Friday November 14, 2014 @02:17PM (#48387559)

          How come we aren't don't doing more of that on government/corporate communications? I mean, turnabout is fair play, no?

          I don't know. Why are you not doing more of that? Most people are not doing it because they don't want to be sent to prison.

      • by gcnaddict ( 841664 ) on Friday November 14, 2014 @02:56PM (#48387871)
        How would you know if B never sends data back? B is sending junk data just as you are. To an outside observer, the amount of throughput by B would never change even if B sends an actual response.
    • by Prune ( 557140 )
      Wouldn't adding random timing jitter to the packets deal with the problem without using up more network resources with junk data? As long as the timing noise distribution between routers is not grossly dissimilar, that should work.
      • by Carnildo ( 712617 ) on Friday November 14, 2014 @07:35PM (#48389391) Homepage Journal

        Not really. Random jitter can be dealt with statistically: collect more data, compute the mean, and use the mean where you would have used the exact timing.

        In order to defeat timing analysis through noise injection, you need to introduce a large amount of variation compared to the number of packets being sent; for any realistically-sized data transfer, this requires jitter on the order of minutes to hours.

  • Dear Tor users: (Score:5, Insightful)

    by NoNonAlphaCharsHere ( 2201864 ) on Friday November 14, 2014 @01:57PM (#48387429)
    By "can be" De-anonymized, we mean "have been".

    Sincerely,
    The NSA
    • A long time ago. Tor does not blend!

    • We do that for years with just a requirement for all ISPs to keep netflow data for 3 years.

      Best regards,
      The FSB.
    • Re: (Score:3, Insightful)

      by Anonymous Coward

      This is *years* old news, with many papers on the subject. Anyone who thought TOR was secure was wildly misinformed by the media, including slashdot.

  • Can't be true (Score:3, Insightful)

    by HornWumpus ( 783565 ) on Friday November 14, 2014 @01:59PM (#48387443)

    I've been repeatedly told I was paranoid regarding TOR traffic analysis by the the /. hive mind. So this can't be true.

    • by Anonymous Coward

      I've been posting it ever since the tormail take down and I posted it since the silk road takedown, and so on. PRISM's metadata collection is precisely what this article is talking about: timestamped lists of what computer talked to what computer for how long with how much data.

    • by brunes69 ( 86786 )

      You are still being paranoid.

      Just because something is theoretically possible in lab conditions does not mean that anyone in the real world is actually doing it. The FBI doesn't even have the resources to do something trivial brute force an iPhone 4 digit pass-code, you think they or the NSA have the resources to do this on any kind of real scale?

      Despite what urban myths are out there, the NSA uses relatively simple means to do 99% of their spying and traffic interception.

      • Despite what urban myths are out there, the NSA uses relatively simple means to do 99% of their spying and traffic interception.

        Which doesn't mean they don't also have massively expensive and complicated means to do the rest.

        That last 1% is likely pretty high value.

        Really, at this point, I don't think paranoid fears about what the spy agencies are doing comes even close to reality.

        Things which we all "knew" 5-10 years ago to be completely impossible are being revealed as already happening.

        They're not superh

        • by brunes69 ( 86786 )

          No one with a clue in their head thought this stuff was impossible 5-10 years ago. Everyone who had the slightest background knowledge in how things operate already knew and assumed it was happening. The movie Enemy of the State came out in 1998 for god's sake, and people still did not wake up as to what was possible. This stuff wasn't fiction then, and it isn't fiction now.

          That doesn't change the fact that 99% of the interception the NSA does is trivial. Using Tor is still a very good idea and can save yo

  • by Anonymous Coward

    While I haven't read the paper, the article seems to have a reasonably big "correlation for non-victim" bar. If this means false positives, it makes this technique at least a lot less useful than the "81%" deanonymization rate that they claim. It might make it useless for anything really.

    Honestly, this all seems like more headline and less news. But I do still have to read the paper.

    • by f3rret ( 1776822 )

      While I haven't read the paper, the article seems to have a reasonably big "correlation for non-victim" bar. If this means false positives, it makes this technique at least a lot less useful than the "81%" deanonymization rate that they claim. It might make it useless for anything really.

      Honestly, this all seems like more headline and less news. But I do still have to read the paper.

      I read it as meaning "This type of attack can deanonymize a single TOR user 81% of the time" and not "This type of attack can deanonymize 81% of ALL TOR users at the same time"

  • It doesn't matter! (Score:5, Interesting)

    by Anonymous Coward on Friday November 14, 2014 @02:17PM (#48387567)

    The whole point of tor for those who are morally and ethically sane, is that it makes monitoring the populus orders of magnitude more expensive!

    Forcing NSA and their ilk to actually target people individually, instead of just passivly collecting plain text data on everyone is exactly what needs to happen!

    Use Tor as much as possible, it is the only thing stopping complete internet surveillance.

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      This is what I tell people about using tor. It's not iron clad but it adds a lot of difficulty for people who want to collect everyones data. And even if the nsa can break it, the coffee shop can't, your isp can't, and the websites that track your every move across the web can't, at least not all of the time. And currently tor is the best way for people to voice their discontent with the surveillance state that's been forced on us in recent years. So that's better than doing nothing at all.

    • The whole point of tor for those who are morally and ethically sane, is that it makes monitoring the populus orders of magnitude more expensive!

      Forcing NSA and their ilk to actually target people individually, instead of just passivly collecting plain text data on everyone is exactly what needs to happen!

      Use Tor as much as possible, it is the only thing stopping complete internet surveillance.

      What can make things even more expensive is using strong end-to-end encryption for all network connections and strong encryption for everything stored on someone else's servers. This is *mostly* feasible if you have some technical knowledge, much less so for those that don't.

      Things that can aren't really there but could really help the non-technical are:
      1. Easy to use, verifiable but decentralized email encryption/non-repudiation
      2. Ubiquitous network connection encryption with decentralized/anonymized

  • by rvw ( 755107 ) on Friday November 14, 2014 @02:25PM (#48387611)

    Basically what they are saying is that you should not use Tor at home or at work, but in other places, where you don't do your normal browsing. Make normal and Tor browsing mutually network exlusive!

    • Basically what they are saying is that you should not use Tor at home or at work, but in other places, where you don't do your normal browsing. Make normal and Tor browsing mutually network exlusive!

      If browsing from coffee shops is necessary and sufficient to provide anonymity, why use Tor?

    • by Bob9113 ( 14996 ) on Friday November 14, 2014 @05:14PM (#48388753) Homepage

      Basically what they are saying is that you should not use Tor at home or at work, but in other places, where you don't do your normal browsing.

      Close, but not quite ideal. You should use TOR at home to do strictly legitimate things, to create the haystack in which the needles can be hidden. Then, when you want to do something without being watched, you use TOR with clean hardware and connectivity. Also, when travelling to your clean connectivity, leave your cell phone and other tracking devices at home, and do it somewhere with lots of other people.

      • by rvw ( 755107 )

        Then, when you want to do something without being watched, you use TOR with clean hardware and connectivity.

        So what is clean? I can only think of an Ubuntu VM, default install with maybe one or two addons in Firefox to delete cookies. Nothing that changes or adds fonts. Make snapshots and always revert to that. Create new snapshots after updates. Don't update when using public wifi, but update at home while not doing anything else - no browsing!

        • by Bob9113 ( 14996 )

          >> when you want to do something without being watched, you use TOR with clean hardware and connectivity.

          > So what is clean? I can only think of an Ubuntu VM, default install with maybe one or two addons in Firefox to delete cookies. Nothing that changes or adds fonts...

          That's a fairly good version. I think it's about how extreme you want to go and how secure you feel you need to be. You could grab a fresh laptop off Craig's List and only use it for a few days. You could get a Raspberry Pi with no

  • by NotSanguine ( 1917456 ) on Friday November 14, 2014 @02:29PM (#48387645) Journal

    It's clear that there are significant limitations to the tested identification methods. Firstly, it requires that the server endpoint be under the control of the entity attempting identification. Secondly, the TOR *entry* node being used must be identified (if you have the resources, I guess you could monitor traffic flows from *all* entry nodes) in order for the Netflow data to be compared between the Server-->Exit Node and the Entry Node-->potential target client. Thirdly, in order to generate enough traffic to have enough collected data for correlation, large (the authors' term, they do not identify the size of the file/data required, only that downloads must last ~seven minutes to collect enough data) amounts of data must be downloaded from the server.

    It's an interesting piece of work, but pulling off an identification like this requires the anonymized client to both connect to a server specifically configured to generate traffic flows that can be identified, and once connected, the client must be induced to download a "large" file/dataset. What is more, those attempting the identification must also be able to gather Netflow records from the interface(s) associated with the specific (and likely unknown) TOR entry node as well, or monitor flows from *all* TOR entry nodes.

    It seems to me, that while the above scenario is certainly feasible, if you can get a potential target to visit a server that's under your control and download a large file, you can probably infect the client with malware from that server, and have said malware phone home without TOR, producing a specific identification without false positives or negatives. Which would be much less resource intensive and more useful, IMHO.

    • But it probably is a problem if your opponent is a state-level actor. For example, China (and the US probably too) probably monitors connections to known tor entry/exit nodes. Given the attack mentioned, someone using tor in china is safe as long as the server being contacted is known to not be acting in concert with the adversary. However, if the server (or its connection to the tor entry/exit nodes) is also under control of the same adversary, then the connection can be de-anonymized. So this is a pro
      • But it probably is a problem if your opponent is a state-level actor. For example, China (and the US probably too) probably monitors connections to known tor entry/exit nodes. Given the attack mentioned, someone using tor in china is safe as long as the server being contacted is known to not be acting in concert with the adversary. However, if the server (or its connection to the tor entry/exit nodes) is also under control of the same adversary, then the connection can be de-anonymized. So this is a problem for chinese bloggers blogging on chinese blogs, but not so much on foreign blogs hosted outside china. Though it appears blog traffic would probably be too small to facilitate a successful attack.

        Absolutely. But the authors of the paper [columbia.edu] assert that:

        As Tor nodes are scattered around the globe, and the nodes of circuits are selected at random, mounting a traffic analysis attack in practice would require a powerful adversary with the ability to monitor traffic at a multitude of autonomous systems (AS). Murdoch and Zielinski, however, showed that monitoring traffic at a few major Internet exchange (IX) points could enable traffic analysis attacks to a significant part of the Tor network [13]. Furthermo

  • In other words (Score:5, Insightful)

    by msobkow ( 48369 ) on Friday November 14, 2014 @03:04PM (#48387941) Homepage Journal

    In other words, you're only "anonymous" if you don't matter.

  • Where do people get the idea that privacy is some sort of inalienable right? I'll agree that it's a civic courtesy, and certainly it's impolite to disregard another person's privacy, but to that end, I see it as more of a social contract than any sort of actual right. I would suggest that any appearance of privacy we might seem to have is actually just an illusion offered by the fact that other people are either making a deliberate choice to be polite in that regard, or else they are simply not interested
    • by Maltheus ( 248271 ) on Friday November 14, 2014 @05:48PM (#48388977)

      Uhh, from the Constitution:

      The right of the people to be secure in their persons, houses, papers, and effects,[a] against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

      • by Anonymous Coward

        See also Griswold v. Connecticut, 381 U.S. 479 (1965).

    • Where do people get the idea that privacy is some sort of inalienable right? I'll agree that it's a civic courtesy, and certainly it's impolite to disregard another person's privacy, but to that end, I see it as more of a social contract than any sort of actual right. I would suggest that any appearance of privacy we might seem to have is actually just an illusion offered by the fact that other people are either making a deliberate choice to be polite in that regard, or else they are simply not interested enough in what we think is private for others to be bothered with it. Either way, it's not something that you can actually control... its largely determined by what other people do or want.

      I don't know. I'm a private person, but not a secretive one. I don't mind sharing personal information with the folks I want to share with. I feel it's incumbent on me to keep things to myself. That may include encryption or access controls or just keeping my mouth shut.

      Yes, there are those out there who want to know all about everyone, for their purposes. That doesn't mean I have to roll over and give it all up to anyone who wants it. If I take steps to protect data, ideas, information or anything el

    • by robogun ( 466062 )

      I agree completely, and further I think the law should require everyone keep their windows and curtains open day and night, and the door to the shitter open. At least until the telescreen is invented.

      • by mark-t ( 151149 )
        Just because I don't think people should really have any expectation of privacy at any time doesn't mean I think people should not have any right to do whatever is in within their own personal power and ability to directly control to preserve whatever privacy they feel they might be able to secure for themselves, to the extent that such efforts do not infringe on anyone else's freedoms or rights.
    • From the Universal Declaration of Human Rights, as adopted by the General Assembly of the United Nations on December 10, 1948. Article 12: Right to Privacy...

      No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

      It's one of our fundamental human rights, right up there with other inconvenient courtesies such as right to life, freedom from slavery, freedom from arbitrary detention, freedom from torture, right to asylum, and freedom of thought and religion. Everyone should know their rights. If you don't know your rights, you won't know what you risk losing.

      Th

  • I'm pretty sure reddit probably through google analytics may have started doing this around eighteen months ago. I tested trolling them with sock puppets and they could identify my house through tor but could not differentiate between individual computers in the house. So pretty much anybody that uses google analytics probably has this capability.
  • I'm not surprised. I wrote a paper back in 2003, Techniques for Cyber Attack Attribution [dtic.mil], that listed a LONG list of ways to do attribution. This sounds a like a variant combining "modify transmitted messages" and "matching streams" via timing (see the paper).

    Real anonymity is HARD. If someone wants to attribute you, it's hard to prevent.

You had mail, but the super-user read it, and deleted it!

Working...