About 81 percent of Tor users can be identified using Cisco's NetFlow tool
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!Tweet Share on Twitter.
November 17, 2014
The Tor project is trying its very best to calm its users after new research found that 81 percent of Tor users could be easily identified using Cisco's NetFlow tool.
A research effort led by professor Sambuddah Chakravarty from the Indraprastha Institute of Information Technology in India found that well-resourced attackers such as a nation-state could effectively reveal Tor users' identity with a false-positive rate of six percent, while an autonomous system could reveal about 39 percent of Tor users.
Chakravarty's research, run on a high performance research server within the University, worked in part due to the low-latency design of Tor.
"To achieve an acceptable quality of service, Tor systems attempt to preserve packet interarrival characteristics, such as inter-packet delay," Chakravarty wrote in the paper On the Effectiveness of Traffic Analysis Against Anonymity Networks using NetFlow Records.
"Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various points of the network, linking together otherwise unrelated network connections.
"Although the capacity of current networks makes packet-level monitoring at such a scale quite challenging, adversaries could potentially use less accurate but readily available traffic monitoring functionality, such as Cisco's NetFlow, to mount large-scale traffic analysis attacks."
The active traffic analysis method was based on creating and monitoring 'deliberate perturbances' on server side user traffic and observing output on the client side through statistical correlation.
A team of five people tested the technique with a public Tor relay serving hundreds of users.
"Our method revealed the actual sources of anonymous traffic with 100 percent accuracy for the in-lab tests, and achieved an overall accuracy of about 81.4 percent for the real-world experiments, with an average false positive rate of 6.4 percent.
Tor Project leader Roger Dingledine described the research, first discussed at the Passive and Active Measurement Conference in March, as valuable but pointed out the traffic correlation attacks were not a new area of research.
"The discussion of false positives is key to this new paper as well-- Sambuddho's work mentions a false positive rate of six percent. It's easy to see how at that scale, this 'base rate fallacy' issue could make the attack effectively useless," Dingledine said in a post.
"I should also emphasize that whether this attack can be performed at all has to do with how much of the internet the adversary is able to measure or control."
Dingledine added "It's great to see more research on traffic confirmation attacks, but traffic confirmation attacks are not a new area so don't freak out without actually reading the papers, and this particular one doesn't supersede all the previous papers."
Chakravarty worked along with Marco Barbera; Georgios Portokalidis; Michalis Polychronakis, and Angelos Keromy from the universities of Sapienza and Columbia, and the Stevens Institute of Technology.
The Tor Project.
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!