The Tor Project has disclosed details of an attack which appeared to be an attempt to deanonymize users of the popular anonymity network.
According to Tor Project Leader Roger Dingledine, the attack was detected on July 4 while the organization was trying to identify attacks leveraging a method discovered by researchers at Carnegie Mellon University’s CERT.
The researchers, Michael McCord and Alexander Volynkin, had planned to present a way to break the anonymity network by exploiting fundamental flaws in its design and implementation at the upcoming Black Hat security conference, but their talk was cancelled because the materials had not been approved for public release by Carnegie Mellon University’s Software Engineering Institute.
Dingledine believes the attack the Tor Project detected could have been part of the experiments conducted by McCord and Volynkin. In the abstract of their presentation, since removed from the Black Hat website, the researchers said they had tested their method in the wild. Dingledine hopes they were the ones conducting the attack, but he cannot be sure, since the researchers have not answered his recent emails.
The Tor Project has been displeased with the fact that the researchers haven’t given them full access to the research. Dingledine says they’ve spent several months trying to get the information they needed to understand the flaws that expose Tor users.
The attack detected on July 4 combined a traffic confirmation attack with a Sybil attack. In a traffic confirmation attack, the attacker controls or monitors relays (the nodes that receive a user’s traffic and pass it along) at both ends of a circuit and matches what is seen at one end with what is seen at the other, linking a user to a destination. The Sybil attack involved setting up roughly 115 new relays, which joined the network on January 30 but were not identified until July 4. Over those five months, the relays became entry guards for a large number of users, Dingledine said.
It’s uncertain when the attack started, but users who operated or accessed hidden services between early February and July 4 should assume they’re affected, Dingledine added.
“Unfortunately, it’s still unclear what ‘affected’ includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service,” the Tor Project leader wrote in a blog post.
“In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don’t know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.”
The protocol vulnerability exploited in the attack was patched on Wednesday with the release of Tor 0.2.4.23 and 0.2.5.6-alpha. All relay operators are advised to update their installations.
“Clients that upgrade (once new Tor Browser releases are ready) will take another step towards limiting the number of entry guards that are in a position to see their traffic, thus reducing the damage from future attacks like this one. Hidden service operators should consider changing the location of their hidden service,” Dingledine said.
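The two points above, that a cohort of relays joining on one day and becoming entry guards is the signature of this Sybil attack, and that a client keeping fewer entry guards is exposed to fewer such relays, can be checked with a small script. The following is an added example, not Tor Project code or anything from the advisory: the relay records are constructed (a real check would read a consensus or a metrics archive), the `Relay` type, the detection thresholds and the independence assumption in `exposure_probability` are assumptions made for the example, and no bandwidth figures for the real attacking relays are implied.

```python
"""Sybil-cohort check over a constructed relay consensus snapshot.

Added example, not Tor Project code. Flags groups of guard relays that entered
the consensus on the same day and jointly hold a large share of guard weight,
then estimates how many clients such a cohort ends up guarding as a function
of how many entry guards each client keeps.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Relay:  # assumed shape for this example, not a Tor data structure
    fingerprint: str
    first_seen: date
    guard: bool
    bandwidth: int  # consensus weight in arbitrary units


def guard_weight_by_first_seen(relays):
    """Map each first-seen date to (number of guards, their share of total guard weight)."""
    total = sum(r.bandwidth for r in relays if r.guard)
    buckets = defaultdict(lambda: [0, 0])
    for r in relays:
        if r.guard:
            buckets[r.first_seen][0] += 1
            buckets[r.first_seen][1] += r.bandwidth
    return {d: (n, w / total if total else 0.0) for d, (n, w) in buckets.items()}


def suspicious_cohorts(relays, min_relays=20, min_share=0.02):
    """Dates on which at least min_relays guards joined holding >= min_share of guard weight.

    Both thresholds are assumptions for this example, not Tor Project values.
    """
    stats = guard_weight_by_first_seen(relays)
    return sorted(d for d, (n, share) in stats.items() if n >= min_relays and share >= min_share)


def exposure_probability(cohort_share, guards_per_client):
    """Probability that at least one of a client's entry guards belongs to the cohort.

    Assumes each guard is chosen independently, weighted by consensus weight,
    so a client keeping k guards is exposed with probability 1 - (1 - s)^k.
    """
    return 1.0 - (1.0 - cohort_share) ** guards_per_client


def build_sample_consensus():
    """Constructed data: a baseline that joined gradually plus one cohort that joined on one day."""
    relays = []
    for i in range(200):  # baseline guards, one per day through 2013
        relays.append(Relay(f"BASE{i:04X}", date(2013, 1, 1) + timedelta(days=i), True, 1000))
    for i in range(115):  # cohort of small guards, all first seen 2014-01-30
        relays.append(Relay(f"COH{i:04X}", date(2014, 1, 30), True, 100))
    return relays


if __name__ == "__main__":
    consensus = build_sample_consensus()
    stats = guard_weight_by_first_seen(consensus)
    for day in suspicious_cohorts(consensus):
        n, share = stats[day]
        print(f"{day}: {n} guards joined, {share:.1%} of guard weight")
        for k in (1, 3):
            print(f"  clients keeping {k} guard(s): {exposure_probability(share, k):.1%} exposed")
```

On the constructed data the cohort holds about 5.4% of guard weight, which exposes roughly 5% of clients that keep a single guard but about 15% of clients that keep three, which is the reason the advisory pairs the relay fix with a move towards fewer entry guards per client.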

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.