Interesting rebuttal: https://news.ycombinator.com/item?id=8608941
This is an easier version of a traffic analysis attack, an attack that Tor expressly does not attempt to provide a strong defense against. It relies on a malicious server and entry node. The contribution of this paper is that if you have the malicious server and entry node, you can use a less expensive data source (Cisco NetFlow data) rather than raw packets to perform a correlation attack.

The correlation they achieve in a private Tor network is impressive; however, if you look at the graphs in the actual paper [0], you can see that the differences in correlations are actually quite small in the wild. The title of this post and article is actually incorrect; the technique demonstrated has an 81.4% accuracy. This means that the base rate fallacy will make it nearly unusable in practice, and more so as the scale of Tor traffic grows. For more on the base rate fallacy, see [1].

So in summary:

* This is an incremental improvement of an already existing and known attack pattern on low-latency anonymity systems.
* The technique presented in this paper is only a threat if your threat model is an adversary that can control your entry guard and the server you are trying to communicate with, but does not have the budget for packet-level correlation attacks.
* This technique does not achieve sufficiently high accuracy and sufficiently low false positives to reliably identify arbitrary Tor users, but might be more successful if used in combination with a prior hypothesis that, say, a specific NSA employee is communicating with GlobalLeaks.

[0] https://mice.cs.columbia.edu/getTechreport.php?techreportID=...
[1] http://archives.seul.org/or/dev/Sep-2008/msg00016.html

On Fri, Nov 14, 2014 at 12:25 PM, Josh Steiner <[email protected]> wrote:
> Well this certainly is a scary headline, anyone in the know have any
> comment or seen any good responses yet?
>
> http://thestack.com/chakravarty-tor-traffic-analysis-141114
>
> Research undertaken between 2008 and 2014 suggests that more than 81%
> of Tor clients can be ‘de-anonymised’ – their originating IP addresses
> revealed – by exploiting the ‘Netflow’ technology that Cisco has built
> into its router protocols, and similar traffic analysis software
> running by default in the hardware of other manufacturers.
>
> Professor Sambuddho Chakravarty, a former researcher at Columbia
> University’s Network Security Lab and now researching Network
> Anonymity and Privacy at the Indraprastha Institute of Information
> Technology in Delhi, has co-published a series of papers over the last
> six years outlining the attack vector, and claims a 100% ‘decloaking’
> success rate under laboratory conditions, and 81.4% in the actual
> wilds of the Tor network.
>
> Chakravarty’s technique [PDF] involves introducing disturbances in the
> highly-regulated environs of Onion Router protocols using a modified
> public Tor server running on Linux - hosted at the time at Columbia
> University. His work on large-scale traffic analysis attacks in the
> Tor environment has convinced him that a well-resourced organisation
> could achieve an extremely high capacity to de-anonymise Tor traffic
> on an ad hoc basis – but also that one would not necessarily need the
> resources of a nation state to do so, stating that a single AS
> (Autonomous System) could monitor more than 39% of randomly-generated
> Tor circuits.
>
> ...

_______________________________________________
Guardian-dev mailing list
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
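The base-rate argument made in the reply above, worked through as an added example that is not part of the original thread: it takes the quoted 81.4% accuracy as the detector's true-positive rate, assumes illustrative false-positive rates (the thread gives none), and shows how the probability that a flagged flow is the real source drops as the number of candidate flows grows.

```python
"""Base-rate arithmetic for a flow-correlation attack (constructed example).

The correlation test is modelled as a detector that flags the true source
flow with probability TPR (the 81.4% figure quoted in the thread) and
wrongly flags an unrelated flow with probability FPR.  The FPR values used
below are assumed for illustration; the thread does not give one.
"""


def expected_false_positives(fpr: float, candidates: int) -> float:
    """Unrelated flows wrongly flagged when one of `candidates` is the true source."""
    if candidates < 1:
        raise ValueError("need at least one candidate flow")
    return (candidates - 1) * fpr


def precision(tpr: float, fpr: float, candidates: int) -> float:
    """P(a flagged flow is the true source), by Bayes' rule with a uniform
    prior over `candidates` flows:  TPR / (TPR + (candidates - 1) * FPR)."""
    return tpr / (tpr + expected_false_positives(fpr, candidates))


def scaling_table(tpr: float, fpr: float, sizes):
    """Rows of (candidates, expected false positives, precision), one per size."""
    return [(n, expected_false_positives(fpr, n), precision(tpr, fpr, n)) for n in sizes]


if __name__ == "__main__":
    TPR = 0.814  # accuracy quoted in the thread
    for fpr in (0.01, 0.05):  # assumed false-positive rates
        print(f"\nFPR = {fpr:.0%}")
        print(f"{'candidates':>10} {'false pos':>10} {'precision':>10}")
        # candidates == 1 is the "prior hypothesis" case (one suspected client);
        # large candidate sets correspond to identifying an arbitrary Tor user.
        for n, fp, p in scaling_table(TPR, fpr, (1, 10, 100, 1000, 100000)):
            print(f"{n:>10} {fp:>10.1f} {p:>10.3f}")
```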
