
Tor users can be easily de-anonymized


According to a new report, researchers have found a way to recover the real identity of a Tor user by exploiting NetFlow, the traffic-analysis feature that Cisco builds into its routers.

The research was conducted by Professor Sambuddho Chakravarty, a former researcher at Columbia University's Network Security Lab, who now works on network anonymity and privacy at the Indraprastha Institute of Information Technology, Delhi.


To determine the Tor relays in a circuit, Chakravarty used a technique involving a modified public Tor server running on Linux, accessed by the victim client, and a modified Tor node that can form one-hop circuits with arbitrary legitimate nodes.

"The server modulates the data being sent back to the client, while the corrupt Tor node is used to measure delay between itself and Tor nodes," the researchers wrote in the paper. "The correlation between the perturbations in the traffic exchanged with a Tor node, and the server stream helped identify the relays involved in a particular circuit."

According to the research, carrying out large-scale traffic analysis attacks against Tor does not necessarily require the resources of a nation state; even a single AS (Autonomous System) may observe a large fraction of entry and exit node traffic. The paper states that a single AS could monitor more than 39% of randomly generated Tor circuits.

"It is not even essential to be a global adversary to launch such traffic analysis attacks," Chakravarty wrote. "A powerful, yet non-global adversary could use traffic analysis methods […] to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection."

The technique depends on injecting a repeating traffic pattern into the TCP connection that the server observes as originating from the target exit node, and then correlating the server's exit traffic for the Tor clients, as derived from the router's flow records, to identify the Tor client.


Tor is vulnerable to this kind of traffic analysis because it is designed as a low-latency anonymous communication network.

"To achieve acceptable quality of service, [Tor attempts] to preserve packet interarrival characteristics, such as inter-packet delay. Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various points of the network, linking together otherwise unrelated network connections," Chakravarty explains.

The attack does not require large-scale resources, which also makes it a potential tool for law enforcement investigating illegal activity hidden behind the Tor network.

However, Tor Project member 'Arma' said the project is already aware of this kind of traffic analysis attack.

"It's great to see more research on traffic correlation attacks, especially on attacks that don't need to see the whole flow on each side. But it's also important to realise that traffic correlation attacks are not a new area," said Arma in a blog post.

"The discussion of false positives is key to this new paper too: Sambuddho's paper mentions a false positive rate of 6%. That sounds like it means if you see a traffic flow at one side of the Tor network, and you have a set of 100000 flows on the other side and you're trying to find the match, then 6000 of those flows will look like a match. It's easy to see how at scale, this "base rate fallacy" problem could make the attack effectively useless," said Arma.
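The base-rate argument Arma makes above, and the flow-correlation step described earlier in the article, can be put into numbers. The following is an added example written for this page, not code from the article, from Chakravarty's paper or from the Tor Project. It takes the 6% false-positive rate and the 100000-flow candidate set that Arma quotes; the true-positive rate of the correlation test is not given on the page, so the `tpr` parameter (set to 1.0 in the demo, i.e. the most favourable case for the attacker) is an assumption. It computes the expected number of false matches, the probability that a flagged flow is actually the right one, and how small the candidate set must be before the match is more likely right than wrong.

```python
"""Base-rate arithmetic for a traffic-correlation attack against Tor.

Added example, not from the article or the paper it reports on. It models
only the figures Arma quotes (a 6% false-positive rate, 100000 candidate
flows) plus an ASSUMED true-positive rate, to show how the base rate
fallacy limits flow correlation at scale.
"""

import math


def expected_false_matches(fpr: float, n_candidates: int) -> float:
    """Expected number of non-matching candidate flows that still pass the
    correlation test. One of the n candidates is the true match, so the
    other n-1 are the ones that can produce false positives."""
    return fpr * (n_candidates - 1)


def posterior_match_probability(tpr: float, fpr: float, n_candidates: int) -> float:
    """Bayes' rule: probability that a flow flagged as a match really is the
    matching flow, when exactly one of n_candidates is the true match.

    prior      = 1 / n_candidates
    P(flag)    = tpr * prior + fpr * (1 - prior)
    P(true|flag) = tpr * prior / P(flag)
    """
    prior = 1.0 / n_candidates
    true_flag = tpr * prior
    false_flag = fpr * (1.0 - prior)
    return true_flag / (true_flag + false_flag)


def max_candidates_for_precision(tpr: float, fpr: float, target: float) -> int:
    """Largest candidate set for which a flagged match is correct with
    probability >= target. Solving
        tpr / (tpr + fpr * (n - 1)) >= target
    for n gives n <= 1 + tpr * (1 - target) / (fpr * target)."""
    return int(math.floor(1 + tpr * (1 - target) / (fpr * target)))


def precision_sweep(tpr: float, fpr: float, sizes: list[int]) -> dict[int, float]:
    """Posterior match probability for several candidate-set sizes, so the
    collapse in precision as the set grows can be read off directly."""
    return {n: posterior_match_probability(tpr, fpr, n) for n in sizes}


if __name__ == "__main__":
    FPR = 0.06          # false-positive rate quoted from the paper (via Arma)
    TPR = 1.0           # ASSUMED: attacker never misses the true match
    N = 100_000         # candidate flows on the far side of the network (Arma's figure)

    print(f"expected false matches among {N} flows: "
          f"{expected_false_matches(FPR, N):.0f}")
    print(f"P(flagged flow is the real match): "
          f"{posterior_match_probability(TPR, FPR, N):.6f}")
    print(f"largest candidate set with >= 50% precision: "
          f"{max_candidates_for_precision(TPR, FPR, 0.5)}")
    for n, p in precision_sweep(TPR, FPR, [2, 10, 17, 18, 100, 1_000, 100_000]).items():
        print(f"  n={n:>7}  precision={p:.4f}")
```

The sweep is the defensive takeaway: with a 6% false-positive rate, a flagged match is more likely wrong than right as soon as the attacker has to pick among more than 17 flows, and at 100000 flows roughly one flag in six thousand is correct. This is why the false-positive rate, not just the existence of a correlation signal, decides whether such an attack is usable against a large anonymity network.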
