Deanonymizing Tor users with Raptor attacks

A group of researchers from Princeton University and ETH Zurich have found yet another way to deanonymize Tor users.

“There are essentially two ways for an adversary to gain visibility into Tor traffic, either by compromising (or owning enough) Tor relays or by manipulating the underlying network communications so as to put herself on the forwarding path for Tor traffic,” they explained. “Regarding network threats, large Autonomous Systems (ASes) such as ISPs can easily eavesdrop on a portion of all links, and observe any unencrypted information, packet headers, packet timing, and packet size.”

Unfortunately, it has been shown that the latter type of attacks have been executed by intelligence agencies in collusion with ASes.

The researchers have demonstrated the effectiveness a suite of traffic analysis attacks that deanonymize Tor users. They dubbed the lot Raptor attacks.

“Raptor attacks are composed of three individual attacks whose effects are compounded. First, Raptor exploits the asymmetric nature of Internet routing: the BGP path from a sender to a receiver can be different than the BGP path from the receiver to the sender. Internet routing asymmetry increases the chance of an AS-level adversary observing at least one direction of both communication endpoints, enabling a novel asymmetric traffic analysis attack,” they noted.

“Second, Raptor exploits natural churn in Internet routing: BGP paths change over time due to link or router failures, setup of new Internet links or peering relationships, or changes in AS routing policies. Changes in BGP paths allow ASes to observe additional Tor traffic, enabling them to deanonymize an increasing number of Tor clients over time. Third, Raptor exploits the inherent insecurity of Internet routing: strategic adversaries can manipulate Internet routing via BGP hijack and BGP interception attacks against the Tor network. These attacks enable the adversary to observe user communications, and to deanonymize clients via traffic analysis.”

The attacks were tested against both historical BGP data and Traceroute data, and on the live Tor network (they made sure not to harm users). The results were more than good: asymmetric traffic analysis attacks deanonymized users with a 95% accuracy, their BGP interception attack deanonymized Tor sources with a 90% accuracy.

Finally, they shared mitigation techniques and approaches to detect and prevent these attacks.