steven36 Posted October 2, 2016

Researchers devised two correlation attacks, dubbed DefecTor, to deanonymize Tor users using also data from observation of DNS traffic from Tor exit relays.

Law enforcement and intelligence agencies dedicate an important commitment to the fight against illegal activities in the Dark Web, where threat actors operate in a condition of pseudo-anonymity.

A group of security researchers at Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attack techniques to deanonymize Tor users.

“While the use of Tor constitutes a significant privacy gain over off-the-shelf web browsers, it is no panacea, and the Tor Project is upfront about its limitations. These limitations are not news to the research community. It is well understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries. We define such adversaries as those with the ability to monitor both network traffic that enters and exits the network.” says Phillip Winter, a researcher at Princeton University who was involved in the research.

The techniques, dubbed DefecTor by the researchers, leverage the observation of the DNS traffic from Tor exit relays; for this reason, the methods could integrate existing attack strategies.

“We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks: Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites.” reads the analysis published by the researchers.

“Our results show that DNS requests from Tor exit relays traverse numerous autonomous systems that subsequent web traffic does not traverse. We also find that a set of exit relays, at times comprising 40% of Tor’s exit bandwidth, uses Google’s public DNS servers—an alarmingly high number for a single organization. We believe that Tor relay operators should take steps to ensure that the network maintains more diversity into how exit relays resolve DNS domains.”

The test results obtained with the DefecTor technique are excellent; anyway, we have to consider that such attacks require a significant effort, typically spent by persistent attackers like government bodies. The simulations of the attacks conducted by the researchers allowed them to identify the vast majority of the visitors to unpopular sites.

The experts highlighted that Google operates public DNS servers that observe almost 40% of all DNS requests exiting the Tor network, a privileged point of observation for attackers. Google is also able to monitor some network traffic that is entering the Tor network; the experts reported as an example the traffic via Google Fiber or via guard relays that are occasionally running in Google’s cloud.

“there are entities on the Internet such as ISPs, autonomous systems, or Internet exchange points that can monitor some DNS traffic but not web traffic coming out of the Tor network and potentially use the DNS traffic to deanonymize Tor users.” says Winter. “Past traffic correlation studies have focused on linking the TCP stream entering the Tor network to the one(s) exiting the network. We show that an adversary can also link the associated DNS traffic, which can be exposed to many more autonomous systems than the TCP stream.”

The researchers also developed a tool, dubbed “DNS Delegation Path Traceroute” (dptr), that could be used to determine the DNS delegation path for a fully qualified domain name. The tool runs UDP traceroutes to all DNS servers on the path, which are then compared to a TCP traceroute to the web server behind the same fully qualified domain name.

On the other side, experts from the Tor Project are already working on a series of significant improvements to the popular anonymizing network. In March the Tor Project revealed how the organization has conducted a three-year-long work to improve its ability to detect fraudulent software.

While Tor developers are already working on implementing techniques to make website fingerprinting attacks harder to execute, there are other actions that can be taken to prevent DefecTor attacks, such as Tor relay operators ensuring that the network maintains more diversity in how exit relays resolve DNS domains.

The experts invite the security community to review their paper; for further information, visit the DefecTor project page.

Source: http://securityaffairs.co/wordpress/51848/deep-web/defector-tor-deanonymizing.html
vissha Posted October 3, 2016

If It Wanted, Google Could Deanonymize a Large Number of Tor Connections

Researchers present new DefecTor deanonymization attack

A team of scientists has come up with a new attack method that in the hands of certain adversaries can be used to deanonymize Tor traffic by monitoring the traffic that goes into a Tor relay and the HTTP and DNS traffic that comes out of a Tor exit node.

Called DefecTor, this new attack is an improved version of what security and privacy experts call a "Tor correlation attack."

Tor correlation attacks have been studied and detailed in the past. In a nutshell, these types of attacks imply that a global adversary in the position to monitor large pieces of Internet traffic can see when a user starts a Tor connection and, using various clues, tie his inbound connection to an outbound packet stream. The adversary can guess with various degrees of accuracy the website a user is accessing via Tor.

Outbound Tor DNS traffic can improve correlation attack accuracy

A team of researchers from Swedish and US universities say that initial research into these types of deanonymization attempts using correlation attacks has only focused on the encrypted traffic that goes into the Tor network and the HTTP traffic that goes out of an exit node.

They say that initial research has completely ignored a second set of outgoing traffic, referring to DNS queries. They say that DNS queries can prove very useful in improving the guesswork that comes with Tor correlation attacks.

This attack is possible because the Tor Browser, which allows Tor users to access websites via the Tor network, bundles HTTP and DNS traffic together, encrypts it, passes it through the Tor network, and then resolves the DNS query at the exit node level, sending the HTTP traffic to its destination.

"We find that there exist adversaries who can mount DefecTor attacks," researchers write in their work. "For example, Google’s DNS resolver observes almost 40% of all DNS requests exiting the Tor network."

While Google has never shown any interest in deanonymizing or sabotaging the Tor network, the research proves that they could, if they wanted to.

There are global adversaries interested in this attack

The Tor threat model includes global adversaries representing ASs (Autonomous Systems - aka ISPs) that are managed by oppressive regimes. These third-party entities can gain more than enough information on known dissidents and their activities by deploying DefecTor attacks.

"Given this more powerful fingerprinting method, we showed that the threat of DefecTor attacks against the Tor network is clear and present," researchers say. "Tor relay operators should take steps to ensure that the network maintains more diversity into how exit relays resolve DNS domains."

Technical details about the DefecTor attack are available on the research paper's website. The actual research paper, called "The Effect of DNS on Tor’s Anonymity", can be downloaded from here or here, and also contains some recommendations for mitigating DefecTor correlation attacks.

Source
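Both posts above quote the paper's finding that exit relays carrying roughly 40% of Tor's exit bandwidth resolve through Google's public DNS, and its recommendation that relay operators diversify how exits resolve names. The Python script below is an added example, not code from the paper, the Tor Project, or either article: it computes the bandwidth-weighted share of exit capacity whose DNS queries land at each resolver operator and flags any operator above a threshold, which is the measurement a relay operator or network-health volunteer would run against real relay data before deciding whether to move an exit to a local caching resolver. The relay fingerprints, bandwidths, the 198.51.100.53 "ISP resolver" (a documentation address) and the 25% alert threshold are constructed assumptions; only the fact that 8.8.8.8 and 8.8.4.4 are Google Public DNS is taken from outside the page.

```python
"""Measure how concentrated DNS resolution is across a set of Tor exit relays.

Added example (not from the DefecTor paper or the Tor Project). It computes
the bandwidth-weighted share of exit capacity behind each resolver operator,
the kind of metric behind the "40% of exit bandwidth uses Google's public
DNS" finding quoted above. All relay data below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# 8.8.8.8 / 8.8.4.4 are Google Public DNS. Other operators would be added
# here the same way; anything unmatched is reported as "other-third-party".
RESOLVER_OPERATORS = {
    "google-public-dns": (ip_network("8.8.8.0/24"), ip_network("8.8.4.0/24")),
}


@dataclass(frozen=True)
class ExitRelay:
    fingerprint: str      # constructed placeholder, not a real relay identity
    exit_bandwidth: int   # advertised exit bandwidth, arbitrary units
    resolver: str         # IP the relay's /etc/resolv.conf points at


def classify_resolver(resolver_ip: str) -> str:
    """Map a resolver IP to the organisation that gets to see the relay's queries."""
    addr = ip_address(resolver_ip)
    if addr.is_loopback:
        # A local caching resolver (e.g. unbound on 127.0.0.1) keeps recursive
        # lookups under the operator's own control instead of a third party's.
        return "local-resolver"
    for operator, prefixes in RESOLVER_OPERATORS.items():
        if any(addr in prefix for prefix in prefixes):
            return operator
    return "other-third-party"


def resolver_share(relays: list[ExitRelay]) -> dict[str, float]:
    """Fraction of total exit bandwidth whose DNS is resolved by each operator."""
    total = sum(r.exit_bandwidth for r in relays)
    if total == 0:
        return {}
    weighted: dict[str, int] = {}
    for relay in relays:
        operator = classify_resolver(relay.resolver)
        weighted[operator] = weighted.get(operator, 0) + relay.exit_bandwidth
    return {op: bw / total for op, bw in weighted.items()}


def concentration_alerts(relays: list[ExitRelay], threshold: float = 0.25) -> list[str]:
    """Operators whose share exceeds the threshold, i.e. single vantage points."""
    return sorted(op for op, share in resolver_share(relays).items() if share > threshold)


# Constructed sample: four relays, 10 000 units of exit bandwidth in total.
SAMPLE_RELAYS = [
    ExitRelay("relay-01", 4000, "8.8.8.8"),        # Google Public DNS
    ExitRelay("relay-02", 2000, "127.0.0.1"),      # local caching resolver
    ExitRelay("relay-03", 3000, "8.8.4.4"),        # Google Public DNS
    ExitRelay("relay-04", 1000, "198.51.100.53"),  # constructed ISP resolver (TEST-NET-2)
]

if __name__ == "__main__":
    for operator, share in sorted(resolver_share(SAMPLE_RELAYS).items()):
        print(f"{operator:20s} {share:6.1%}")
    print("alerts:", concentration_alerts(SAMPLE_RELAYS))
```

With the constructed sample, Google's resolvers sit behind 70% of the exit bandwidth and are the only operator flagged; the fix on the flagged relays is the one the paper recommends, pointing resolv.conf at a local recursive resolver rather than a single large public one.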
Batu69 Posted October 3, 2016

Topic merged.