A team of scientists has come up with a new attack method that in the hands of certain adversaries can be used to deanonymize Tor traffic by monitoring the traffic that goes into a Tor relay and the HTTP and DNS traffic that comes out of a Tor exit node.
Called DefecTor, this new attack is an improved version of what security and privacy experts call a “Tor correlation attack.”
Tor correlation attacks have been studied and detailed in the past. In a nutshell, these attacks assume a global adversary in a position to monitor large portions of Internet traffic, who can see when a user starts a Tor connection and, using various clues, tie that inbound connection to an outbound packet stream. The adversary can then guess, with varying degrees of accuracy, the website the user is accessing via Tor.
A team of researchers from Swedish and US universities say that earlier research into these types of deanonymization attempts using correlation attacks has only focused on the encrypted traffic that goes into the Tor network and the HTTP traffic that goes out of an exit node.
They say that initial research has completely ignored a second set of outgoing traffic, referring to DNS queries. They say that DNS queries can prove very useful in improving the guesswork that comes with Tor correlation attacks.
This attack is possible because the Tor Browser, which allows Tor users to access websites via the Tor network, bundles HTTP and DNS traffic together, encrypts it, passes it through the Tor network, and then resolves the DNS query at the exit node before sending the HTTP traffic on to its destination.
“We find that there exist adversaries who can mount DefecTor attacks,” researchers write in their work. “For example, Google’s DNS resolver observes almost 40% of all DNS requests exiting the Tor network.”
While Google has never shown any interest in deanonymizing or sabotaging the Tor network, the research proves that they could, if they wanted to.
The Tor threat model includes global adversaries representing ASes (Autonomous Systems, i.e. ISPs) that are managed by oppressive regimes. These third-party entities can gain more than enough information on known dissidents and their activities by deploying DefecTor attacks.
“Given this more powerful fingerprinting method, we showed that the threat of DefecTor attacks against the Tor network is clear and present,” researchers say. “Tor relay operators should take steps to ensure that the network maintains more diversity into how exit relays resolve DNS domains.”
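The mitigation the researchers point to is resolver diversity: the fewer exit relays that send their DNS queries to the same third-party resolver, the smaller the share of exit DNS traffic any single observer sees. The script below is an added illustration of how an operator or researcher might measure that concentration; it is not code from the paper or from the Tor Project. The relay list, exit weights and resolver assignments are constructed sample values, and the helper names (`resolver_shares`, `largest_observer`, `over_threshold`, `hhi`, `move_to_local`) are this example's own.

```python
"""Estimate how concentrated Tor exit DNS resolution is across resolvers.

Added example, not from the DefecTor paper or the Tor Project. It models the
"resolver diversity" advice: each exit relay carries some share of exit
traffic (its consensus exit weight) and forwards DNS queries to a resolver.
A third-party resolver used by many heavy exits observes a large fraction of
all DNS queries leaving the network, which is exactly the vantage point the
attack needs.
"""
from collections import defaultdict

# Constructed sample data (all values made up for illustration).
# "local" means the relay runs its own recursive resolver, so nobody but
# that relay sees its queries.
EXIT_RELAYS = [
    {"nickname": "exit-a", "exit_weight": 30.0, "resolver": "8.8.8.8"},
    {"nickname": "exit-b", "exit_weight": 10.0, "resolver": "8.8.8.8"},
    {"nickname": "exit-c", "exit_weight": 20.0, "resolver": "1.1.1.1"},
    {"nickname": "exit-d", "exit_weight": 25.0, "resolver": "local"},
    {"nickname": "exit-e", "exit_weight": 15.0, "resolver": "local"},
]


def _observer_key(relay):
    # A relay-local resolver is its own observer; a shared resolver is keyed
    # by its address so queries from different relays are pooled together.
    if relay["resolver"] == "local":
        return f"local:{relay['nickname']}"
    return relay["resolver"]


def resolver_shares(relays):
    """Return {observer: fraction of exit DNS traffic it sees}.

    Exit weights are normalised so the fractions sum to 1.
    """
    total = sum(r["exit_weight"] for r in relays)
    if total <= 0:
        raise ValueError("relay list carries no exit weight")
    shares = defaultdict(float)
    for r in relays:
        shares[_observer_key(r)] += r["exit_weight"] / total
    return dict(shares)


def largest_observer(relays):
    """(observer, share) for the resolver that sees the most exit DNS traffic."""
    shares = resolver_shares(relays)
    top = max(shares, key=shares.get)
    return top, shares[top]


def over_threshold(relays, threshold=0.20):
    """Observers seeing strictly more than `threshold` of exit DNS queries."""
    return sorted(k for k, v in resolver_shares(relays).items() if v > threshold)


def hhi(relays):
    """Herfindahl-Hirschman index of observer shares.

    1.0 means a single observer sees every query; values near 0 mean the
    queries are spread across many independent observers.
    """
    return sum(v * v for v in resolver_shares(relays).values())


def move_to_local(relays, nickname):
    """Copy of `relays` with one exit switched to a relay-local resolver,
    to show how much a single operator's change reduces concentration."""
    return [
        dict(r, resolver="local") if r["nickname"] == nickname else dict(r)
        for r in relays
    ]


if __name__ == "__main__":
    top, share = largest_observer(EXIT_RELAYS)
    print(f"largest observer: {top} sees {share:.0%} of exit DNS queries")
    print("observers above 20%:", over_threshold(EXIT_RELAYS))
    print(f"HHI before: {hhi(EXIT_RELAYS):.3f}")
    fixed = move_to_local(EXIT_RELAYS, "exit-a")
    print(f"HHI after exit-a resolves locally: {hhi(fixed):.3f}")
```

With the constructed data, the shared resolver at 8.8.8.8 sees 40% of exit DNS queries; moving the single heaviest exit to a local resolver drops that to 10% and lowers the HHI, which is the kind of measurement an operator community would want before and after changing resolver configuration.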
Technical details about the DefecTor attack are available on the research paper’s website. The research paper itself, called “The Effect of DNS on Tor’s Anonymity,” can be downloaded from here or here, and also contains some recommendations for mitigating DefecTor correlation attacks.