Tor users’ IP addresses can be identified by exploiting routers

Researchers have published their results carried out six years from 2008 to 2014 which was aimed at locating the real IP addresses of users using the Tor browser to anonymize themselves on the world wide web. These researchers achieved a 100% success ratio under controlled lab environments and a 81% success rate in real world scenarios. The process is done using traffic analysis. After the mass seizure of dark web websites by the FBI recently, this news comes as another stunning reminder that nothing on the internet can be anonymous forever.

The Research

Professor Sambuddho Chakravarty, a former researcher at Columbia University’s Network Security Lab and now researching Network Anonymity and Privacy at the Indraprastha Institute of Information Technology in Delhi, has co-published a series of papers over the last six years outlining the attack vector, and claims a 100% ‘decloaking’ success rate under laboratory conditions, and 81.4% in the actual wilds of the Tor network.  They used CISCO routers in their research. And since CISCO defines all major networking standards, it is applicable to every router available.

Chakravarty’s technique [PDF downloadable] involves introducing disturbances in the highly-regulated environs of Onion Router protocols using a modified public Tor server running on Linux – hosted at the time at Columbia University. His work on large-scale traffic analysis attacks in the Tor environment has convinced him that a well-resourced organisation could achieve an extremely high capacity to de-anonymise Tor traffic on an ad hoc basis – but also that one would not necessarily need the resources of a nation state to do so, stating that a single AS (Autonomous System) could monitor more than 39% of randomly-generated Tor circuits.

Chakravarty says: “…it is not even essential to be a global adversary to launch such traffic analysis attacks. A powerful, yet non- global adversary could use traffic analysis methods […] to determine the various relays participating in a Tor circuit and directly monitor the traffic entering the entry node of the victim connection,”

The Analysis

The researchers simply sent HTML files a Tor user would access into the router’s connection.  Since Netflow(traffic analysis software in CISCO routers) was designed to break down and analyze traffic depending on what you use the internet for (say 25 percent email and 50 percent web browsing), they could check who accessed those HTML files and get their IP addresses.

Tor is susceptible to this kind of traffic analysis because it was designed for low-latency. Chakravarty explains: “To achieve acceptable quality of service, [Tor attempts] to preserve packet interarrival characteristics, such as inter-packet delay. Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various points of the network, linking together otherwise unrelated network connections.”

This kind of monitoring, even on a large scale does not require many resources. Which makes it an interesting concept for law enforcement agencies to track down cyber criminals dealing in drugs and other banned materials and hiding behind the Tor network. The forensic interest in quite how international cybercrime initiative ‘Operation Onymous’ defied Tor’s obfuscating protocols to expose hundreds of ‘dark net’ sites, including infamous online drug warehouse Silk Road 2.0, has led many to conclude that the core approach to de-anonymization of Tor clients depends upon becoming a ‘relay of choice’ – and a default resource when Tor-directed DDOS attacks put ‘amateur’ servers out of service.