DNS traffic monitoring, a threat to Tor users’ anonymity

Image Source: Flickr/Philip Chapman-Bell
Tor Network Users May No Longer Enjoy Anonymity due to Exploitation of DNS Traffic Monitoring

Karlstad University researchers in collaboration with KTH Royal Institute of Technology and Princeton University have identified that the Domain Name System (DNS) can be monitored to reveal identities of Tor network users. In fact, the researchers have revealed that this method could help in tracing down Tor users with a high degree of accuracy.

Tor or Onion router is a very popular web browser that is operated by the non-profit Tor Project. It lets people surf the internet without disclosing their identities and almost two million users visit it on a daily basis. It is a relays and nodes based network that keeps the IP addresses of Tor users hidden. Its users mainly include journalists, activists and privacy-conscious individuals from across the globe. But Tor is also widely used by users who want to access Dark Web to perform illegal activities.

Must Read: New System by SafeDNS to Detect Malicious Internet Resources

According to the research team, the Tor project is quite “upfront about its limitations.” They further stated that low-latency anonymity networks like Tor are useless against global passive adversaries.

“We define such adversaries as those with the ability to monitor both network traffic that enters and exits the network. Then the adversary can run a correlation attack, meaning that it can match packets that go into the network to packets that leave it, or in other words, it can link a client’s identity to her activity, and thus, break anonymity,” the team further explained.

The DNS’ job is to map domains into IP addresses, which are easy-to-read by machines, which let users access websites via human-readable identities instead of the numeric string. DNS is the internet’s building block but this vital system can also be used to expose identities of Tor users. Research suggests that the DNS requests monitoring when combined with fingerprinting techniques can generate a different kind of “DNS-enhanced website fingerprinting attack.”

Past traffic correlation studies have focused on linking the TCP stream entering the Tor network to the one(s) exiting the network. We show that an adversary can also link the associated DNS traffic, which can be exposed to many more autonomous systems than the TCP stream.
Past traffic correlation studies have focused on linking the TCP stream entering the Tor network to the one(s) exiting the network. We show that an adversary can also link the associated DNS traffic, which can be exposed to many more autonomous systems than the TCP stream.

The researchers said:

“The Tor Project is upfront about its limitations. [..] It is well understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries.

The fingerprinting is a key technique to break the anonymity privilege offered by Tor because such passive adversaries utilize Tor network weaknesses to keep track of hidden services to be accessed prior to revealing the true IP addresses and the physical location of users and their servers.

Also Read: Mouse movements are enough to track down Tor users

Companies like Google that operate open DNS [PDF] resolvers can facilitate or make use of such techniques. Through DNS traffic monitoring, attackers can easily implement highly reliable fingerprinting attack especially on websites that aren’t visited frequently.

The research team has also identified that around one-third of the sent DNS requests via Tor’s exit relays are routed through public resolvers of Google and this is an alarmingly high “fraction for a single community.”

“Although Tor is reasonably decentralized, our work shows that this does not hold for the wider ecosystem that Tor exists in,” added the research team.

According to security experts, users of Tor has no immediate reason to feel concerned because the “adversaries that can already monitor large fractions of the internet … will not do any better with our attack.”

Related:  7 Online Activities That Can Get You Arrested

A tool named DNS Delegation Path Traceroute (ddptr) has also been released by the team that helps in tracing DNS delegation path for a qualified domain name. It later runs UDP traceroutes across all DNS servers present on the path.

Newest Sales

Written by Uzair Amir

I am an Electronic Engineer, an Android Game Developer and a Tech writer. I am into music, snooker and my life motto is 'Do my best, so that I can't blame myself for anything.'