TOR: Hitting a client's anonymity using NetFlow

[OpenSourcerer 1435]

Ever heard of the NetFlow protocol? It's used to collect TCP/IP packet data and export them for later analysis. Developed by.. pause for effect.. Cisco! <3 And every Cisco router supports it. The reason why there's a vulnerabiliy which will never get closed? This is a conspiracy theory! Kill him!

..

Er.. yeah.

 

So, NetFlow. A few researchers at Columbia University recently published a paper in which they describe an attempt to use NetFlow against the TOR network. Well, not directly. Their goal is to evaluate "the effectiveness of using NetFlow data to perform practical traffic analysis attacks for identifying the source of anonymous communication", short and relevant version: "How effective is NetFlow when it comes to finding out the source of an anonymized connection with it?"

 

Tested in-lab and in the network, "we had 100% success rate in determining the source of anonymous flows [in-lab]. When evaluating our attack with traffic going through the public Tor relay, we were able to detect the source in 81.4% cases. We observed about 12.2% false negatives and 6.4% false positives in our measurements."

 

For everyone who wants to read the paper, here's the link. Let me know what you understand by source of an anonymous connection. Let's play a simplified taboo game: You must not use the term IP address because, well, that's not what is meant. If you want to know why, please proceed and read the answers.

Edited ... by giganerd

[Staff 9972]

Hello!

 

The implications of the paper are completely different than what the message seems to suggest. In particular how did you get the idea that "If you use TOR, there's a 81.6% chance someone knows your real IP." from the paper? It says quite the opposite, i.e. that even if the attack was successful, the likelihood to get your real IP address is astronomically low.

 

Besides paper reading, https://blog.torproject.org/blog/traffic-correlation-using-netflows can help. Do not miss the comments from the paper authors themselves.It looks like several persons are taking this paper implications at the exact opposite of what they are. Urban legends seem to spread very fast even nowadays.

 

Kind regards

[OpenSourcerer 1435]

Do not miss the comments from the paper authors themselves

 

Thank you for your addition. Proves that the numbers I gave are dead wrong.

 

In particular how did you get the idea that "If you use TOR, there's a 81.6% chance someone knows your real IP." from the paper?

 

Bad wording, really misunderstood that. Will delete it. BUT!

 

It says quite the opposite, i.e. that even if the attack was successful, the likelihood to get your real IP address is astronomically low.

 

They talk about identifying the source of an anonymous connection, and such a connection starts on a PC which has the "real" IP, I imagine, because this IP is running the client, and one of the "attack" points is the entry-to-client connection, that's what I understood. So it can indeed be used to identify your real IP:

Client sends request, goes through the TOR network. Arrives at server. Server is responding and appends a beep with the goal to crush the client's anonymity, pattern 111. Goes through the TOR network. Right after it left the entry relay and before it reaches the client a Correlation Coefficient is calculated. If this coefficient is close to 1, everyone already knows where the response with the appended 111 is: on the way to a special client, because NetFlow recorded this, and the client has that particular IP. BOOM. Anonymity lost, we can reconstruct the 111's way through the network, we reached the goal. That's how I imagine the attack to work.

 

And yes, for this to be successful you need an entity capable of observing at least some of the big IXPs to have suitable data.

[Staff 9972]

They talk about identifying the source of an anonymous connection, and such a connection starts on a PC which has the "real" IP, I imagine, because this IP is running the client, and one of the "attack" points is the entry-to-client connection, that's what I understood. So it can indeed be used to identify your real IP:

Client sends request, goes through the TOR network. Arrives at server. Server is responding and appends a beep with the goal to crush the client's anonymity, pattern 111. Goes through the TOR network. Right after it left the entry relay and before it reaches the client a Correlation Coefficient is calculated. If this coefficient is close to 1, everyone already knows where the response with the appended 111 is: on the way to a special client, because NetFlow recorded this, and the client has that particular IP. BOOM. Anonymity lost, we can reconstruct the 111's way through the network, we reached the goal. That's how I imagine the attack to work.

 

 

 

 

Hi!

 

How? Let's say we're a big "IXP" and we try to to disclose the IP address of a TOR user we really don't like. We perform a huge correlation attack for some days because for an unbelievable stroke of luck we can observe bots sides of the TOR network we're interested in (!). We observe a relatively modest amount of flows of let's say a hundred millions. We end up with more or less 6,400,000 matches. Now we have a chance that the IP address of that user is one of those 6,400,000. How do we discern it and discard the other 6,399,999 false positives?

 

Kind regards

[OpenSourcerer 1435]

Let's say we're a big "IXP"

 

No, we're not. Did you read the threat model section? You are a supranational advers... phew... wait.

 

Please tell me in your own words how you understand it.

Explain the attack: What are the prerequisites you need? How is it done? What do you find out after the attack?

[Staff 9972]

Hello,

 

even worse, let's say that you are NSA and perform this correlation attack, you end up observing a higher scale number of flows. Let's say x1000 in respect to our previous figures. Now you end up with a x1000 number of false positives.

 

Kind regards

[OpenSourcerer 1435]

Just asked an IT student about it. He said this attack doesn't scale well, a reason to not take it too serious (which I really did), but it'd be possible to uncover a client's IP with it, though certain circumstances must be there..

.. and I'm getting tired of this, honestly, I've got work to do here.. let's just stop the discussion. I'll edit the first post.

[qbtmnexhte 1]

You both seem to be missing the point. The paper describes the feasability of traffic analysis attacks against the Tor network. They of course don't have access to run this on a ISP level, but they ran their own Tor network and simulated an adversary that can monitor the traffic at the router level. They used NetFlow because it is already installed on Cisco routers, but also tested on open source tools, which gave the same results.

 

They found that in-house experiments could correlate the IP address of the client to the server 100% of the time. In their live Tor-network experiments, they were able to do it 81.4% of the time.

 

Snowden leaks have revealed that national-security agencies are actively monitoring traffic on backbone termination points, and I bet they have better tools than NetFlow. If you take all of this into consideration, it isn't hard to see that they can probably correlate the source IP address of a Tor client with a higher accuracy than 81.4%.

 

And you are correct, giganerd. When they talk about the "source of an anonymous connection", that refers to the real IP of the client.

 

So all in all, don't trust Tor, because it isn't what you think it is.

[volkerpispers 1]

The question is, why havent the 100.000ds of Junkies,pedophiles and Cybercriminals been taken down yet?

[Staff 9972]

You both seem to be missing the point. The paper describes the feasability of traffic analysis attacks against the Tor network. They of course don't have access to run this on a ISP level, but they ran their own Tor network and simulated an adversary that can monitor the traffic at the router level. They used NetFlow because it is already installed on Cisco routers, but also tested on open source tools, which gave the same results.

 

They found that in-house experiments could correlate the IP address of the client to the server 100% of the time. In their live Tor-network experiments, they were able to do it 81.4% of the time.

 

Hello,

 

an important point which shows how useless is this method is exactly this one. Even when you can monitor your own Tor network, you end up with 6% false positives, which does not allow you to discern anything useful at a big scale.

 

Kind regards