
DefecTor – Deanonymizing Tor users with the analysis of DNS traffic from Tor exit relays

Researchers devised two correlation attacks, dubbed DefecTor, that deanonymize Tor users by also using data gathered from observing DNS traffic leaving Tor exit relays.

Law enforcement and intelligence agencies devote considerable effort to fighting illegal activities on the Dark Web, where threat actors operate under pseudo-anonymity.

A group of security researchers at Princeton University, Karlstad University and KTH Royal Institute of Technology has devised two new correlation attack techniques to deanonymize Tor users.

“While the use of Tor constitutes a significant privacy gain over off-the-shelf web browsers, it is no panacea, and the Tor Project is upfront about its limitations. These limitations are not news to the research community. It is well understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries. We define such adversaries as those with the ability to monitor both network traffic that enters and exits the network,” says Phillip Winter, a researcher at Princeton University who was involved in the research.

The researchers dubbed the techniques DefecTor. They rely on observing the DNS traffic generated by Tor exit relays, which is why the methods can complement existing attack strategies rather than replace them.

“We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks: Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites,” reads the analysis published by the researchers.

“Our results show that DNS requests from Tor exit relays traverse numerous autonomous systems that subsequent web traffic does not traverse. We also find that a set of exit relays, at times comprising 40% of Tor’s exit bandwidth, uses Google’s public DNS servers—an alarmingly high number for a single organization. We believe that Tor relay operators should take steps to ensure that the network maintains more diversity into how exit relays resolve DNS domains.”

The test results obtained with the DefecTor technique are excellent; nevertheless, such attacks require a significant effort, of the kind typically spent by persistent attackers such as government bodies.

In the researchers' simulations of the attacks, they were able to identify the vast majority of visitors to unpopular sites.

The experts highlighted that Google operates public DNS servers that observe almost 40% of all DNS requests exiting the Tor network, a privileged point of observation for attackers.

Google is also able to monitor some of the network traffic entering the Tor network; as examples, the experts cite traffic carried via Google Fiber and traffic reaching guard relays that are occasionally run in Google's cloud.

“Additionally, Google can monitor some network traffic that is entering the Tor network: for example, via Google Fiber, via guard relays that are occasionally run in Google’s cloud, and formerly via meek app engine, which is now defunct,” Winter explains.

The experts also remark that DNS requests could be used to obtain other valuable information about the traffic of Tor users, because they traverse autonomous systems and Internet exchange points that the subsequent web traffic does not.

“There are entities on the Internet such as ISPs, autonomous systems, or Internet exchange points that can monitor some DNS traffic but not web traffic coming out of the Tor network and potentially use the DNS traffic to deanonymize Tor users,” says Winter. “Past traffic correlation studies have focused on linking the TCP stream entering the Tor network to the one(s) exiting the network. We show that an adversary can also link the associated DNS traffic, which can be exposed to many more autonomous systems than the TCP stream.”

The researchers also developed a tool, dubbed “DNS Delegation Path Traceroute” (dptr), that could be used to determine the DNS delegation path for a fully qualified domain name. The tool runs UDP traceroutes to all DNS servers on the path that are then compared to a TCP traceroute to the web server behind the same fully qualified domain name.
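The comparison dptr performs can be illustrated offline. The following is an added example, not the DefecTor authors' tool: it takes the autonomous systems crossed by a UDP traceroute to each DNS server on a name's delegation path and reports which of those ASes never appear on the TCP path to the web server. All hostnames, AS numbers and paths are constructed sample data.

```python
# Added example (not the DefecTor authors' dptr tool): compare which
# autonomous systems see the DNS delegation path for a name against the
# ones that see the TCP connection to the web server. All hostnames,
# AS numbers and paths below are constructed sample data.
from typing import Dict, List, Set

# Constructed delegation path for "www.example.test": the servers an exit
# relay's resolver must contact, in order, and the ASes each UDP
# traceroute crosses (hypothetical AS numbers from the private range).
DNS_PATHS: Dict[str, List[int]] = {
    "root (a.root-servers.test)":       [64500, 64510, 64520],
    "TLD (a.nic.test)":                 [64500, 64511, 64530],
    "authoritative (ns1.example.test)": [64500, 64512, 64540],
}

# Constructed TCP traceroute from the same exit relay to the web server.
WEB_PATH: List[int] = [64500, 64512, 64540, 64541]


def ases_on_paths(paths: Dict[str, List[int]]) -> Set[int]:
    """Union of all ASes traversed by any traceroute in `paths`."""
    return {asn for hops in paths.values() for asn in hops}


def dns_only_ases(dns_paths: Dict[str, List[int]], web_path: List[int]) -> Set[int]:
    """ASes that observe DNS lookups for the name but never the web traffic."""
    return ases_on_paths(dns_paths) - set(web_path)


def exposure_by_server(dns_paths: Dict[str, List[int]], web_path: List[int]) -> Dict[str, List[int]]:
    """Per DNS server: which of its on-path ASes are invisible to the TCP stream."""
    web = set(web_path)
    return {server: sorted(set(hops) - web) for server, hops in dns_paths.items()}


if __name__ == "__main__":
    extra = dns_only_ases(DNS_PATHS, WEB_PATH)
    print(f"ASes that see DNS but not web traffic: {sorted(extra)}")
    for server, ases in exposure_by_server(DNS_PATHS, WEB_PATH).items():
        print(f"  {server}: {ases}")
```

In the constructed data the authoritative server shares its path with the web server, so only the root and TLD lookups expose additional ASes; with real traceroute output the same set difference identifies the vantage points that DNS correlation adds over classic TCP-stream correlation.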

Meanwhile, experts from the Tor Project are already working on a series of significant improvements to the popular anonymizing network.

In March the Tor Project revealed that the organization had spent three years of work improving its ability to detect fraudulent software.

While Tor developers are already working on implementing techniques to make website fingerprinting attacks harder to execute, there are other actions that can be taken to prevent DefecTor attacks, such as Tor relay operators ensuring that the network maintains more diversity in how exit relays resolve DNS domains.
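The diversity the researchers ask relay operators to preserve can be measured. The following is an added example, not Tor Project code: given exit relays with their exit bandwidth and the resolver operator each one uses, it computes the bandwidth-weighted share of DNS resolution per operator and flags any single third-party operator above a threshold. Relay names, bandwidths, operator labels and the 25% threshold are constructed assumptions.

```python
# Added example (not Tor Project code): measure how much exit bandwidth
# resolves DNS through each resolver operator, the metric behind the
# "40% of exit bandwidth uses Google's public DNS" finding. Relay names,
# bandwidths and resolver assignments are constructed sample data.
from collections import defaultdict
from typing import Dict, List, Tuple

# (relay nickname, exit bandwidth in KB/s, resolver operator). A relay
# running its own recursive resolver is labelled "self".
EXIT_RELAYS: List[Tuple[str, int, str]] = [
    ("exitA", 40000, "Google Public DNS"),
    ("exitB", 25000, "self"),
    ("exitC", 15000, "Google Public DNS"),
    ("exitD", 10000, "ISP resolver"),
    ("exitE", 10000, "self"),
]


def resolver_share(relays: List[Tuple[str, int, str]]) -> Dict[str, float]:
    """Fraction of total exit bandwidth whose DNS goes to each resolver operator."""
    total = sum(bw for _, bw, _ in relays)
    by_operator: Dict[str, int] = defaultdict(int)
    for _, bw, operator in relays:
        by_operator[operator] += bw
    return {op: bw / total for op, bw in by_operator.items()}


def concentrated_operators(relays: List[Tuple[str, int, str]], threshold: float = 0.25) -> List[str]:
    """Third-party resolver operators whose share exceeds the (assumed) threshold."""
    shares = resolver_share(relays)
    return sorted(op for op, share in shares.items() if op != "self" and share > threshold)


if __name__ == "__main__":
    for op, share in sorted(resolver_share(EXIT_RELAYS).items(), key=lambda kv: -kv[1]):
        print(f"{op:20s} {share:6.1%}")
    print("operators over threshold:", concentrated_operators(EXIT_RELAYS))
```

Relay-local resolvers are excluded from the flag because they add no shared vantage point; the check is meant to run over real consensus bandwidths and operator-reported resolver configuration.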

The experts invite the security community to review their paper; for further information, visit the DefecTor project page.


Pierluigi Paganini

(Security Affairs – DefecTor , Tor Project) 

