Attack reveals 81 percent of Tor users but admins call for calm

Cisco Netflow a handy tool for cheapskate attackers


The Tor project has urged calm after new research found 81 percent of users could be identified using Cisco's NetFlow tool.

A research effort led by professor Sambuddah Chakravarty from the Indraprastha Institute of Information Technology in Delhi found that well-resourced attackers such as a nation-state could effectively reveal Tor users' identity with a false-positive rate of six percent, while an autonomous system could reveal about 39 percent of users.

Chakravarty's research, run on a high performance research server within the University, worked in part due to the low-latency design of Tor.

"To achieve acceptable quality of service, [Tor] systems attempt to preserve packet interarrival characteristics, such as inter-packet delay," Chakravarty wrote in the paper On the Effectiveness of Traffic Analysis Against Anonymity Networks using Flow Records.

"Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various points of the network, linking together otherwise unrelated network connections.

"Although the capacity of current networks makes packet-level monitoring at such a scale quite challenging, adversaries could potentially use less accurate but readily available traffic monitoring functionality, such as Cisco's NetFlow, to mount large-scale traffic analysis attacks."

The active traffic analysis method was based on creating and monitoring 'deliberate perturbances' on server side user traffic and observing output on the client side through statistical correlation.

A team of five tested the technique with a public Tor relay serving hundreds of users.

"Our method revealed the actual sources of anonymous traffic with 100 percent accuracy for the in-lab tests, and achieved an overall accuracy of about 81.4 percent for the real-world experiments, with an average false positive rate of 6.4 percent.

Tor Project leader Roger Dingledine described the research, first discussed at the Passive and Active Measurement Conference in March, as valuable but pointed out the traffic correlation attacks were not a new area of research.

"The discussion of false positives is key to this new paper too: Sambuddho's paper mentions a false positive rate of six percent ... It's easy to see how at scale, this 'base rate fallacy' problem could make the attack effectively useless," Dingledine said in a post.

"I should also emphasize that whether this attack can be performed at all has to do with how much of the internet the adversary is able to measure or control.

Dingledine added "... it's great to see more research on traffic confirmation attacks, but traffic confirmation attacks are not a new area so don't freak out without actually reading the papers, and this particular one, while kind of neat, doesn't supersede all the previous papers."

Chakravarty worked along with Marco V. Barbera; Georgios Portokalidis; Michalis Polychronakis, and Angelos D. Keromy from universities Sapienza and Columbia, and the Stevens Institute of Technology. ®

Sponsored: The Joy and Pain of Buying IT - Have Your Say

Biting the hand that feeds IT © 1998–2017