Discovered attacks to compromise TOR Network and De-Anonymize users

Pierluigi Paganini July 31, 2014

On July 4 2014 Tor Team discovered a group of malicious relays that they assume were trying to deanonymize Tor Network users with confirmation attack technique.

Tor network is an excellent technology to ensure users’ online anonymity, thanks to the Tor network users can hide online activities, staying far from the prying eyes of governments and law enforcement. Recently, members of the Tor project warned their users about the presence of a critical vulnerability that was probably being used to de-anonymize the identity of users within Tor network. A few weeks ago, researchers  from Carnegie Mellon University’s computer emergency response team (Cert), Alexander Volynkin and Michael McCord, revealed that they are able to de-anonymize Tor users using a cheap equipment. Initially they planned to reveal their discovery during the next Black Hat Conference in August, but later they have announced that they will not participate in the conference. On July 30th, the website of the Tor project published a security advisory to reveal that early this month, on July 4th 2014, a group of relays suffered a cyber attack that was conducted probably to deanonymize users. The experts at Tor project noticed that bad actors were targeting relays to track users accessing Tor networks or access Tor hidden services.

“They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.”

The security advisory explains that bad actors were leveraging a critical flaw in Tor to modify protocol headers in order to perform a traffic confirmation attack and inject a special code into the protocol header used by attackers to compare certain metrics from relays to de-anonymize users. The advisory reports that 115 malicious fast non-exit relays (6.4% of whole Tor network) were involved in the attack, the servers were actively monitoring the relays on both ends of a Tor circuit in an effort to de-anonymize users. The malicious relays were running Tor version or and bad actors were using them trying to de-anonymize Tor users who visit and run so-called hidden services. The malicious relays joined the Tor network on January 30th 2014 and experts at Tor Project removed them from the network on July 4th 2014.

The members of Tor project team also advised hidden service operators to change the location of their hidden service.

While we don’t know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected,” Tor said.

When users access the Tor network with Tor software, their IP address is not visible and it appears to the Internet as the IP address of a Tor exit relay, which can be anywhere.    Tor network exit relay

The members of the Tor project, explained that bad actors who conducted the confirmation attack were looking for users who fetched hidden service descriptors, this means that attackers were not able to see pages loaded by users neither whether users visited the hidden service they looked up.

“The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don’t know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.” states the security advisory.

In order to close the critical flaw Tor Project team is suggesting Tor Relay Operators to upgrade Tor software to a recent release, either or  Tor project released a software update to prevent such attacks. It seems to be a bad period for Tor network, and more in general for anonymizing network, recently a serious flaw was discovered in Tails distribution, allowing attacker to reveal the users’ identity, while the Russian Government has recently announced a competition offering $111,000 to break Tor encryption.


[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

Security Affairs –  (Tor networks, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment