DefecTor – Deanonymizing Tor users with the analysis of DNS traffic from Tor exit relays

Researchers devised two correlation attacks, dubbed DefecTor, to deanonymize Tor users using also data from observation of DNS traffic from Tor exit relays.

Law enforcement and intelligence agencies dedicate an important commitment in the fight of illegal activities in the Dark Web where threat actors operate in a condition of pseudo-anonymity.

A group of security researchers at the Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attack technique to deanonymize Tor users.

“While the use of Tor constitutes a significant privacy gain over off-the-shelf web browsers, it is no panacea, and the Tor Project is upfront about its limitations. These limitations are not news to the research community. It is well understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries. We define such adversaries as those with the ability to monitor both network traffic that enters and exits the network.” says Phillip Winter, a researcher at Princeton University that was involved in the research.

The techniques were dubbed DefecTor by the researchers, they leverage on the observation of the DNS traffic from Tor exit relays, for this reason, the methods could integrate existing attack strategies.

“We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks: Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites. ” reads the analysis published by the researchers. “

“Our results show that DNS requests from Tor exit relays traverse numerous autonomous systems that subsequent web traffic does not traverse. We also find that a set of exit relays, at times comprising 40% of Tor’s exit bandwidth, uses Google’s public DNS servers—an alarmingly high number for a single organization. We believe that Tor relay operators should take steps to ensure that the network maintains more diversity into how exit relays resolve DNS domains.”

The test results obtained with the DefecTor technique are excellent anyway we have to consider that such attacks request a significant effort, typically spent by persistent attackers like government bodies.

The simulations of the attacks conducted by the researchers allowed them to identify the vast majority of the visitors to unpopular visited sites.

The experts highlighted that Google operates public DNS servers that observe almost 40% of all DNS requests exiting the Tor network, a privileged point of observation for attackers.

Google is also able to monitor some network traffic that is entering the Tor network, the experts reported as an example the traffic via Google Fiber or via guard relays that are occasionally running in Google’s cloud.

“Additionally, Google can monitor some network traffic that is entering the Tor network: for example, via Google Fiber, via guard relays that are occasionally run in Google’s cloud, and formerly via meek app engine, which is now defunct,” Winter explains.

The experts also remark that DNS requests could be used to obtain other precious information about the traffic of Tor users, they traverse autonomous systems and Internet exchanges.

“there are entities on the Internet such as ISPs, autonomous systems, or Internet exchange points that can monitor some DNS traffic but not web traffic coming out of the Tor networkand potentially use the DNS traffic to deanonymize Tor users.” says Winter. “Past traffic correlation studies have focused on linking the TCP stream entering the Tor network to the one(s) exiting the network. We show that an adversary can also link the associated DNS traffic, which can be exposed to many more autonomous systems than the TCP stream.”

The researchers also developed a tool, dubbed “DNS Delegation Path Traceroute” (dptr), that could be used to determine the DNS delegation path for a fully qualified domain name. The tool runs UDP traceroutes to all DNS servers on the path that are then compared to a TCP traceroute to the web server behind the same fully qualified domain name.

On the other side, experts from the Tor Project are already working on a series of significant improvements to the popular anonymizing network.

In March the Tor Project revealed how the organization has conducted a three-year long work to improve its ability to detect fraudulent software.

While Tor developers are already working on implementing techniques to make website fingerprinting attacks harder to execute, there are other actions that can be taken to prevent DefecTor attacks, such as Tor relay operators ensuring that the network maintains more diversity in how exit relays resolve DNS domains.

The experts invite the security community to review their paper, for further information visit the DefecTor project page.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – DefecTor , Tor Project)