DefecTor: DNS-enhanced correlation attacks against Tor users

A group of researchers from Princeton University, Karlstad University and KTH Royal Institute of Technology have devised two new correlation attacks that can be leveraged to deanonymize Tor users.

Collectively dubbed DefecTor, the attacks should improve the efficacy of existing website fingerprinting attacks through the attacker’s ability to observe DNS traffic from Tor exit relays. Simulations of the attacks generated great-to-perfect results – the latter mostly when identifying visitors to infrequently visited sites.

It has to be noted that while the attacks were simulated, worked well in simulations, and could in reality be pulled off by just a few entities, according to the researchers “they require non-trivial engineering effort to be reliable, and The Tor Project is already working on improved website fingerprinting defenses.”

DefecTor: DNS-enhanced correlation attacks against Tor users

“It is well understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries [i.e. those that can monitor both network traffic that enters and exits the network],” says Phillip Winter, a postdoctoral researcher in computer science at Princeton University and one of the group behind this latest research.

DefecTor attacks, on the other hand, can be leveraged by “semi-global” adversaries.

One of the most notable ones is Google, as it operates public DNS servers that observe almost 40% of all DNS requests exiting the Tor network.

“Additionally, Google can monitor some network traffic that is entering the Tor network: for example, via Google Fiber, via guard relays that are occasionally run in Google’s cloud, and formerly via meek app engine, which is now defunct,” Winter explains.

The researchers also found that DNS requests often traverse autonomous systems that the TCP connections made via Tor don’t transit, and this enables them to gain information about Tor users’ traffic.

While Tor developers are already working on implementing techniques to make website fingerprinting attacks harder to execute, there are other actions that can be taken to prevent DefecTor attacks, such as Tor relay operators ensuring that the network maintains more diversity into how exit relays resolve DNS domains.

The researchers added that their paper has yet to be peer reviewed, but if you’re interested in replicating their research, they have provided code, data, and replication instructions here.

Update, 13:05 PM PST: Wording has been updated to note the attacks were simulated and would require considerable effort to pull off in practice. The link to the PDF of the research was changed to that of the project page.