Volume 2022 (2022): Issue 1 (January 2022)

Journal Details
Format: Journal
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

From “Onion Not Found” to Guard Discovery

Published Online: 20 Nov 2021
Page range: 522 - 543
Received: 31 May 2021
Accepted: 16 Sep 2021
Abstract

We present a novel web-based attack that identifies a Tor user’s guard in a matter of seconds. Our attack is low-cost, fast, and stealthy. It requires only a moderate amount of resources and can be deployed by website owners, third-party script providers, and malicious exits—if the website traffic is unencrypted. The attack works by injecting resources from non-existing onion service addresses into a webpage. Upon visiting the attack webpage with Tor Browser, the victim’s Tor client creates many circuits to look up the non-existing addresses. This allows middle relays controlled by the adversary to detect the distinctive traffic pattern of the “404 Not Found” lookups and identify the victim’s guard. We evaluate our attack with extensive simulations and live Tor network measurements, taking a range of victim machine, network, and geolocation configurations into account. We find that an adversary running a small number of HSDirs and providing 5 % of Tor’s relay bandwidth needs 12.06 seconds to identify the guards of 50 % of the victims, while it takes 22.01 seconds to discover 90 % of the victims’ guards. Finally, we evaluate a set of countermeasures against our attack including a defense that we develop based on a token bucket and the recently proposed Vanguards-lite defense in Tor.

