On 11/15/2014 06:04 AM, Snehan Kekre wrote:
> Research undertaken between 2008 and 2014 suggests that more than 81% of Tor
> clients can be ‘de-anonymised’ – their originating IP addresses revealed – by
> exploiting the ‘Netflow’
> <http://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-netflow/index.html>
> technology that Cisco has built into its router protocols, and similar traffic
> analysis software running by default in the hardware of other manufacturers.
>
> Professor Sambuddho Chakravarty
> <https://sites.google.com/site/sambuddhochakravarty/>, a former researcher at
> Columbia University’s Network Security Lab <http://nsl.cs.columbia.edu/> and now
> researching Network Anonymity and Privacy at the Indraprastha Institute of
> Information Technology in Delhi, has co-published a series of papers over the
> last six years outlining the attack vector, and claims a 100% ‘decloaking’
> success rate under laboratory conditions, and 81.4% in the actual wilds of the
> Tor network.
>
> Chakravarty’s technique
> <https://mice.cs.columbia.edu/getTechreport.php?techreportID=1545&format=pdf&>
> [PDF] involves introducing disturbances in the highly-regulated environs of
> Onion Router protocols using a modified public Tor server running on Linux -
> hosted at the time at Columbia University. His work on large-scale traffic
> analysis attacks in the Tor environment has convinced him that a
> well-resourced organisation could achieve an extremely high capacity to
> de-anonymise Tor traffic on an ad hoc basis – but also that one would not
> necessarily need the resources of a nation state to do so, stating that a
> single AS (Autonomous System) could monitor more than 39% of
> randomly-generated Tor circuits.
>
> Chakravarty says: “…it is not even essential to be a global adversary to
> launch such traffic analysis attacks. A powerful, yet non-global adversary
> could use traffic analysis methods […] to determine the various relays
> participating in a Tor circuit and directly monitor the traffic entering the
> entry node of the victim connection.”
>
> The technique depends on injecting a repeating traffic pattern – such as HTML
> files, the same kind of traffic of which most Tor browsing consists – into the
> TCP connection that it sees originating in the target exit node, and then
> comparing the server’s exit traffic for the Tor clients, as derived from the
> router’s flow records, to facilitate client identification.
>
> Tor is susceptible to this kind of traffic analysis because it was designed
> for low latency. Chakravarty explains: “To achieve acceptable quality of
> service, [Tor attempts] to preserve packet interarrival characteristics, such
> as inter-packet delay. Consequently, a powerful adversary can mount traffic
> analysis attacks by observing similar traffic patterns at various points of
> the network, linking together otherwise unrelated network connections.”
>
> The online section of the research involved identifying ‘victim’ clients in
> Planetlab <https://www.planet-lab.org/> locations in Texas, Belgium and
> Greece, and exercised a variety of techniques and configurations, some
> involving control of entry and exit nodes, and others which achieved
> considerable success by only controlling one end or the other.
>
> Traffic analysis of this kind does not involve the enormous expense and
> infrastructural effort that the NSA put into their FoxAcid Tor redirects
> <http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity>,
> but it benefits from running one or more high-bandwidth, high-performance,
> high-uptime Tor relays.
>
> The forensic interest
> <https://www.cryptocoinsnews.com/how-fbi-illegally-hacked-silk-road-servers-find-alleged-pirate-ross-ulbricht/>
> in quite how international cybercrime initiative ‘Operation Onymous’ defied
> Tor’s obfuscating protocols to expose
> <http://thestack.com/operation-onymous-seize-hundreds-underground-drug-weapons-cybermarkets-071114>
> hundreds of ‘dark net’ sites, including infamous online drug warehouse Silk
> Road 2.0, has led many to conclude that the core approach to deanonymisation
> of Tor clients depends upon becoming a ‘relay of choice’ – and a default
> resource when Tor-directed DDoS attacks put ‘amateur’ servers out of service
> <http://www.coindesk.com/silk-road-2-0-shrugs-sophisticated-ddos-attack/>.
I also recommend his PhD thesis: Sambuddho Chakravarty (2014) Traffic Analysis Attacks and Defenses in Low Latency Anonymous Communication http://www.cs.columbia.edu/~angelos/Papers/theses/sambuddho_thesis.pdf
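The mechanism the quoted article describes (inject a repeating traffic pattern towards the victim from the server side, then look for that same pattern in per-flow byte counts collected at the client's entry side) can be illustrated with a small correlation exercise. The following is an added example and is not code from the article, from Chakravarty's papers or from this thread: the NetFlow-style records are constructed, the candidate client addresses are made up, and Pearson correlation over time-binned byte counts with a short lag search stands in for whatever statistic the research actually used. It goes slightly beyond the article by adding a threshold step, because with many candidate flows a plain "highest correlation wins" rule will always name someone.

```python
# Added illustration of pattern injection + flow-record correlation for the
# attack the quoted article describes.  Not code from the article, from
# Chakravarty's papers or from this thread: the flow records are constructed,
# and Pearson correlation over time-binned byte counts with a small lag search
# stands in for whatever statistic the research actually used.
import random
from statistics import mean, pstdev

random.seed(7)  # fixed seed so the constructed data is reproducible


def injected_pattern(bins, period=10, high=50_000, low=2_000):
    """Bytes per time bin that the adversary pushes towards the victim from the
    server/exit side: alternating runs of `period` heavy bins and `period`
    light bins.  This is the "repeating traffic pattern" of the article."""
    return [high if (i // period) % 2 == 0 else low for i in range(bins)]


def simulate_flow_records(pattern, clients, victim, delay=2, noise=0.3):
    """Constructed NetFlow-style records: bytes per bin for each candidate
    client's flow towards its entry guard.  Tor preserves inter-packet timing,
    so the victim's flow carries the injected pattern shifted by `delay` bins
    and scaled by up to +/-`noise`; the other flows are unrelated background."""
    bins = len(pattern)
    records = {}
    for client in clients:
        if client == victim:
            shifted = [0] * delay + pattern[: bins - delay]
            records[client] = [
                int(v * random.uniform(1 - noise, 1 + noise)) for v in shifted
            ]
        else:
            records[client] = [random.randint(1_000, 60_000) for _ in range(bins)]
    return records


def pearson(x, y):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(x)
    mx, my = mean(x), mean(y)
    sx, sy = pstdev(x), pstdev(y)
    if sx == 0 or sy == 0:
        return 0.0
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y)) / n
    return cov / (sx * sy)


def best_lag_correlation(pattern, series, max_lag=5):
    """Correlate the injected pattern against one flow for each lag
    0..max_lag (the path latency is unknown) and return (lag, r) for the best."""
    best_lag, best_r = 0, -1.0
    for lag in range(max_lag + 1):
        r = pearson(pattern[: len(pattern) - lag], series[lag:])
        if r > best_r:
            best_lag, best_r = lag, r
    return best_lag, best_r


def rank_candidates(pattern, records, max_lag=5):
    """Score every candidate flow and return [(client, lag, r)], best first."""
    scored = [
        (client,) + best_lag_correlation(pattern, series, max_lag)
        for client, series in records.items()
    ]
    return sorted(scored, key=lambda t: t[2], reverse=True)


def identify(pattern, records, threshold=0.8, max_lag=5):
    """Return the client whose flow matches the pattern above `threshold`,
    or None when no candidate is convincing (the false-positive guard)."""
    top = rank_candidates(pattern, records, max_lag)[0]
    return top[0] if top[2] >= threshold else None


# Constructed scenario: four candidate clients seen in entry-side flow records,
# one of which is the victim of the injected pattern.  Addresses are made up.
CLIENTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
VICTIM = "10.0.0.3"
PATTERN = injected_pattern(bins=120)
RECORDS = simulate_flow_records(PATTERN, CLIENTS, VICTIM)

if __name__ == "__main__":
    for client, lag, r in rank_candidates(PATTERN, RECORDS):
        print(f"{client:10s} lag={lag} r={r:+.3f}")
    print("identified:", identify(PATTERN, RECORDS))
```

Two things the toy makes visible that the article only hints at. First, the pattern has to be coarse enough (runs of bins, not individual packets) to survive NetFlow's aggregation into per-flow byte counts and whatever sampling the router applies; a per-packet signature would be averaged away. Second, the threshold in `identify` is doing real work: as the candidate set grows, the largest correlation among unrelated flows creeps upwards, so a threshold low enough to catch a noisy victim will eventually name innocent flows. That trade-off between detection rate and false positives is one reason a laboratory figure and an in-the-wild figure, such as the 100% and 81.4% quoted above, need not agree.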
