New research claims the efforts expended on the Tor project may be focusing on the wrong issues because “its use of DNS has received little attention,” and researchers have proven DNS monitoring can be used to deanonymize Tor users.
The finding, published in the paper “The Effect of DNS on Tor’s Anonymity,” was a collaborative effort between researchers at the KTH Royal Institute of Technology in Stockholm, Sweden; Karlstad University in Karlstad, Sweden; and Princeton University in Princeton, N.J.
In a blog post on the topic, one of the researchers, Philipp Winter, postdoctoral researcher in computer science at Princeton University, said a significant fraction of Tor exit relays send DNS requests to Google’s public domain name resolvers, which creates a centralized point of control and observation where DNS monitoring can be used in an attack — something Tor was designed to avoid.
“It is well-understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries,” Winter wrote. “We define such adversaries as those with the ability to monitor both network traffic that enters and exits the network. Then the adversary can run a correlation attack, meaning that it can match packets that go into the network to packets that leave it, or in other words, it can link a client’s identity (her IP address) to her activity (e.g., visiting Facebook), and thus, break anonymity.”
Lance James, chief scientist at Flashpoint, told SearchSecurity DNS monitoring attacks have commonly been an issue for Tor.
“This attack isn’t completely new in nature. There is research from multiple parties that have known this for a while, specifically using Google’s 18.104.22.168 [resolver,]” James said. “In reality, Google’s DNS probably has the widest view of Tor-leaked traffic on the internet, and with a data set of that size and detail one can do amazing research with traffic analysis — not that they would per se.”
According to the research, Google’s public DNS servers can at times comprise 40% of exit bandwidth of Tor users, which they said is “an alarmingly high number for a single organization” and that Tor relay operators “should take steps to ensure that the network maintains more diversity into how exit relays resolve DNS domains.”
“We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks,” researchers wrote. “Mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites.”
James said these DNS monitoring techniques aren’t trivial and require access to controlling the autonomous system network like Google or an ISP.
“This attack will likely be deployed at a specific target, not a general Tor user. In many cases in the U.S., if you are targeted specifically it is due to breaking the law or doing something that causes concern to national security,” James said. “In other countries this rule tends to apply as well. Dissidents that expect protection from Tor could be in danger, but in the reality, using Tor in itself is already a fingerprint and this attack would not matter if the adversary is at the ISP level.”
Winter said this research shouldn’t necessarily create immediate cause for concern.
“Adversaries that can already monitor large fractions of the internet — for many people, the biggest threat — will not do any better with our attack,” Winter wrote. “Instead, we investigate how ‘semi-global’ adversaries can get the most out of the data they have. Finally, the Tor Project is already working on techniques to make website fingerprinting attacks harder.”