Short Bytes: Researchers from the Princeton University, Karlstad University, and KTH Royal Institute of Technology have published a paper which brings to light the use of DNS traffic of the Tor network to initiate website fingerprinting attacks and reveal the identity of a Tor user.
A new research “The Effect of DNS on Tor’s Anonymity” strengthens the belief that the Tor Network can be compromised to uncover its users’ anonymity. The researchers from the Princeton University, Karlstad University, and KTH Royal Institute of Technology have worked to model website fingerprinting attacks by using DNS traffic and uncover Tor users’ identity.
“It is well understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries,” the researchers said. “We define such adversaries as those with the ability to monitor both network traffic that enters and exits the network.”
“Then the adversary can run a correlation attack, meaning that it can match packets that go into the network to packets that leave it, or in other words, it can link a client’s identity (her IP address) to her activity (e.g., visiting Facebook), and thus, break anonymity.”
The researchers said that the DNS traffic takes a different path in the Tor network than the regular web traffic which goes from user’s exit node to one or more servers. They note that the fact, DNS traffic can be used to initiate a correlation attack, is highly underestimated in past researches.
“In our work, we show how an adversary can combine monitored DNS requests with well-understood website fingerprinting attacks to create a new type of DNS-enhanced correlation attack, or DNS-enhanced website fingerprinting attack, depending on how you look at it.”
The researchers have mentioned in their paper that almost 40% of the total DNS requests on the Tor network are resolved using Google’s public DNS servers. It’s an “alarmingly high fraction for a single company”. It defies Tor’s original motive of keeping the network decentralized and reduce common points for control and observation.
They acknowledge that such organizations which have access to the DNS traffic are in a position to initiate a highly reliable fingerprinting attack. The attack works better in the case of websites which are not visited much frequently over the Tor network.
On the basis of simulation data, the researchers believe that if all Tor users host the DNS resolvers on local servers, the situation would become better but it would leave the DNS request data unprotected from network-level adversaries.
What it’s in it for the Tor users?
There is no immediate concern for the Tor users, the researcher believe. “Adversaries that can already monitor large fractions of the Internet—for many people, the biggest threat—will not do any better with our attack.”
The Tor network has been used by many people to hide their IP addresses. People like Edward Snowden have also used it to leak confidential information. It also serves as the doorway to the dark web where people indulge themselves in illegal activities and students make efforts to DDoS their schools. Hence, some security agencies might feel the need to bring down the onion router network.
If you have something to add, tell us in the comments below.
Also Read: Tor Honeypot: How to Hack True Identity of Tor Users