Researchers have disclosed a theoretical attack scenario that could allow global or semi-global adversaries to leverage Domain Name System (DNS) traffic to deanonymize Tor users.
The web traffic of nearly 2 million users who want to remain anonymous passes through the Tor network’s roughly 7,000 relays each day. While Tor is generally efficient in protecting an individual’s privacy, experts have identified some theoretical and practical attack methods that could expose users.
One practical attack method, which led to the identification of many alleged criminals that had used the Tor network, involved setting up many new relays. Other attack methods, which are more difficult to carry out on a large scale, involve global adversaries that have the ability to monitor the traffic that enters and exits the Tor network, which enables them to link individual users to the websites they visit.
Studies on these so-called correlation attacks have focused on observing TCP flows, including HTTP requests, BitTorrent connections and IRC sessions. However, a group of researchers from the KTH Royal Institute of Technology, Karlstad University and Princeton University have demonstrated that these types of attacks can be made even more efficient by using DNS.
The new attack method, dubbed “DefecTor,” relies on DNS traffic to improve precision. According to researchers, attackers can use a combination of DNS monitoring and known website fingerprinting techniques to launch more efficient correlation attacks.
These DNS-based attacks require a global or semi-global adversary that is capable of observing traffic entering and exiting the Tor network. One such entity is Google, which at one point handled more than 40 percent of all DNS requests exiting the Tor network. Google can also monitor some traffic entering the anonymity network via its Fiber service, and guard relays occasionally run in the company’s cloud. Researchers noted that Internet companies OVH and OpenDNS also have some visibility, but they cannot compare to Google.
Experiments have shown that DefecTor attacks are most efficient against websites that are infrequently visited via Tor. This can include censored websites and sites dedicated to activists and whistleblowers, which are typically accessed by users in most need of protection.
The DefecTor attack method does not pose an immediate threat and the Tor Project is already working on making website fingerprinting attacks more difficult to carry out. However, exit relay operators could mitigate such attacks by avoiding the use of public DNS resolvers, such as the ones provided by Google and OpenDNS, and instead rely on the resolvers provided by their Internet service provider (ISP) or run their own resolvers.
“Website fingerprinting attacks have long been a concern for the Tor network. The attacks that we present in this paper show that, when incorporating DNS query traffic, these attacks become even more accurate and powerful. We hope these findings underscore the urgency of eventually deploying strong defenses against fingerprinting attacks on the Tor network,” researchers said in their paper.