DefecTor: unmasking Tor users using the analysis of DNS traffic

This technique should improve the efficacy of existing correlation attacks with the monitoring of DNS traffic from Tor exit relays.


Researchers at the KTH Royal Institute of Technology in Stockholm and Princeton University in the USA have unveiled a new attack technique to deanonymise Tor users.

defector-attack-method

The attack, named “DefecTor” by the researchers’ in their paper “The Effect of DNS on Tor’s Anonymity”, uses the DNS lookups that accompany the online activity in order to perform a correlation attack, one of Tor’s most known weakness

Previous attacks that link the sender and receiver of traffic in the Tor network (“correlation attacks”) have generally relied on analyzing traffic from TCP connections. 
The TCP connections of a typical client application, however, are often accompanied by DNS requests and responses. This additional traffic presents more opportunities for correlation attacks. 
This paper quantifies how DNS traffic can make Tor users more vulnerable to correlation attacks. We investigate how incorporating DNS traffic can make existing correlation attacks more powerful and how DNS lookups can leak information to third parties about anonymous communication. 
We develop a method to identify the DNS resolvers of Tor exit relays; develop a new set of correlation attacks (DefecTor attacks) that incorporate DNS traffic to improve precision; analyze the Internet-scale effects of these new attacks on Tor users; and develop improved methods to evaluate correlation attacks.

The researchers developed a tool, dubbed “DNS Delegation Path Traceroute”, useful to determine the DNS delegation path for a fully qualified domain name. 
The tool performs UDP traceroutes to all DNS servers on the path, and after compares it with the TCP traceroute to the web server behind the same fully qualified domain name.

ddptr runs UDP traceroutes to all DNS servers that are in the DNS delegation path for a fully qualified domain name (FQDN), and TCP traceroutes to port 80 of the same FQDN. Then, the tool maps the IP addresses of all intermediate hops to autonomous system numbers and determines the set intersections.


What is a correlation attack?

A group of researchers from Georgetown University and the US Naval Research Laboratory, in 2013 has published a study that sustains that it is possible to identify Tor users: the group of experts presented their POC on anonymity on Tor network and capability to track Tor users during the Conference on Computer and Communications Security in Berlin.

The researchers, led by Aaron Johnson published the paper titled Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries that explain how a persistent adversary, observing how a user enters and leaves the Tor network, could revealing the user’s identity.

Onion routing is vulnerable to an adversary who can monitor a user’s traffic as it enters and leaves the anonymity network; correlating that traffic using traffic analysis links the observed sender and receiver of the communication. Øverlier and Syverson first demonstrated the practicality of the attack in the context of discovering Tor Hidden Servers. 
Later work by Murdoch and Danezis show that traffic correlation attacks can be done quite efficiently against Tor. 
Given the potential severity of traffic correlation attacks, this paper explores in depth users’ vulnerability to such attacks in the live Tor network.

To quantify the anonymity offered by Tor, we examine path compromise rates and how quickly extended use of the anonymity network results in compromised paths.

The researchers developed also a tool named “TorPS simulator”, for the analysis of traffic correlation in the live TOR network.
It simulates path selection in Tor demonstrating that under specific conditions it is possible to identify a Tor user with a 95 percent certainty.


DefecTor is a real menace for all Tor users?

I don’t think so: if your adversaries aren’t already in a position to conduct correlation attacks this probably won’t help them much.

Researchers from the Tor Project are already working on a series of significant improvements to the popular anonymizing network, like implementing techniques to make website fingerprinting attacks harder to execute.

The authors of the paper suggest that the Tor project should fix asap a bug that causes Tor to cache DNS entries for 60 seconds regardless of the DNS entry’s TTL and, in the long term, they’re calling for Tor to implement DNS lookups over TLS, which would encrypt traffic between exit nodes and DNS resolvers.


Resources

– The paper “The Effect of DNS on Tor’s Anonymity”

https://nymity.ch/tor-dns/tor-dns.pdf

– The paper “Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries”

http://www.ohmygodel.com/publications/usersrouted-ccs13.pdf

– The tool “DNS Delegation Path Traceroute

https://github.com/NullHypothesis/ddptr

– The tool “TORPS Simulator”

https://github.com/NullHypothesis/ddptr

Comments