[tor-talk] de-anonymization by correlating circuit changes

Paul Syverson syverson at itd.nrl.navy.mil
Sun Aug 21 12:52:26 UTC 2011


On Sat, Aug 20, 2011 at 05:18:38PM +0200, bemoo129 at hushmail.com wrote:
> Okay, but my question was, how traffic could be correlated if the 
> attacker has traffic logs from all servers a possible user could 
> use (e.g. all servers operated by one provider/in one country) - but 
> he does not know the user himself.
> 
> So, he could follow the TCP stream, I think: At first, he examines 
> the log of the exit node, and he detects that there is some 
> specific traffic ingoing and outgoing at the same time. And then, 
> he follows this stream through the other relays...
> 
You mentioned having traffic logs from all possible servers.
If by "servers" you mean 'honestly and properly run Tor relays',
then those logs do not exist, so what you are saying is not possible.

But if the adversary is watching both ends of the connection, he will
know which user IP address is connected to which destination. This is
much easier than following the stream through the relays. "Watching
both ends" could be any of many things. Here are a few. He could be at
the user ISP and at the destination server. Or he could be at an AS or
IX between the user and the first Tor relay and also between the last
Tor relay and the web server the user is connecting to. Or he could
have compromised or simply own the Tor relay at both ends of the
circuit at the time the connection is made. If any of those are true,
he does not need to look at all the relays in the circuit. He can
easily correlate the traffic patterns at both ends to determine which
connections match up. In a 2007 paper, Bauer et al. showed that it
was not even necessary to send any traffic over the circuit to do the
correlation. It is enough to watch the circuit creation.

The too-terse way we have said this since about 1996 is that onion
routing protects against traffic analysis, not traffic confirmation.
The countermeasure you suggested is one of many that have been
investigated. State of the art is probably the following.
http://www.cs.yale.edu/homes/jf/FJS-PETS2010.pdf 
But nothing that is both adequately practical and effective has been
discovered by any of the researchers who have investigated it, nor do
I think ever will be, at least for general purposes.  As Curious Kid
noted, Tor does not attempt to prevent this because there is no
practical way for it to do so.

HTH,
Paul
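The "watching both ends" attack Paul describes above, worked through as an added example (this is illustration code written for this page, not code from the tor-talk thread or from the Tor project). The adversary sees only two vantage points: bytes per time bin leaving each client IP toward the guard, and bytes per time bin arriving at each destination from the exit. It never looks inside any relay. Matching is done by searching a small range of circuit latencies and taking the normalized cross-correlation of the two volume series; the three client flows, their latencies and jitter, and the ground-truth pairing are all constructed synthetically with a fixed seed.

```python
"""Traffic confirmation by correlating volume-over-time at both ends.

Added example, not from the original post or the Tor project. Flows are
synthetic; the only thing the 'adversary' functions consume are the two
per-side observations (client side and destination side)."""
import math
import random

BIN_MS = 250   # assumption: observer aggregates bytes into 250 ms bins
CELL = 512     # Tor cell size; client-side bursts are whole cells


def make_client_flow(rng, start_ms, duration_ms, rate_per_s):
    """Constructed client-side flow: Poisson-timed bursts of 1..4 cells."""
    events, t = [], start_ms
    while True:
        t += rng.expovariate(rate_per_s) * 1000.0
        if t >= start_ms + duration_ms:
            return events
        events.append((t, CELL * rng.randint(1, 4)))


def forward_through_tor(rng, flow, latency_ms, jitter_ms):
    """Constructed destination-side view: same volumes, delayed by the
    circuit's latency plus per-event jitter. Order and sizes survive."""
    return [(t + latency_ms + rng.uniform(0, jitter_ms), size)
            for t, size in flow]


def binned_volume(flow, n_bins):
    """Bytes per time bin: the feature an end-to-end observer correlates."""
    bins = [0.0] * n_bins
    for t, size in flow:
        i = int(t // BIN_MS)
        if 0 <= i < n_bins:
            bins[i] += size
    return bins


def normalized_xcorr(a, b, lag):
    """Pearson correlation of a[i] against b[i + lag]."""
    n = min(len(a), len(b) - lag)
    if n <= 1:
        return 0.0
    xs, ys = a[:n], b[lag:lag + n]
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0.0 or syy == 0.0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def best_lag_score(a, b, max_lag_bins):
    """Search plausible circuit latencies; return (score, lag) of the best."""
    return max((normalized_xcorr(a, b, lag), lag)
               for lag in range(max_lag_bins + 1))


def confirm(entry_flows, exit_flows, n_bins, max_lag_bins=8):
    """For each client-side flow, pick the destination-side flow whose
    volume pattern correlates best. Returns {client: (dest, score, lag)}."""
    entry_bins = {c: binned_volume(f, n_bins) for c, f in entry_flows.items()}
    exit_bins = {d: binned_volume(f, n_bins) for d, f in exit_flows.items()}
    result = {}
    for client, eb in entry_bins.items():
        score, lag, dest = max((*best_lag_score(eb, xb, max_lag_bins), d)
                               for d, xb in exit_bins.items())
        result[client] = (dest, score, lag)
    return result


def build_scenario(seed=7):
    """Three clients behind one observed ISP, three observed destinations.
    Ground truth (constructed): A->dest_2, B->dest_0, C->dest_1, each over
    a circuit with a different latency."""
    rng = random.Random(seed)
    clients = {
        "client_A": make_client_flow(rng, 0, 30_000, 8.0),
        "client_B": make_client_flow(rng, 500, 30_000, 3.0),
        "client_C": make_client_flow(rng, 1_200, 30_000, 12.0),
    }
    truth = {"client_A": "dest_2", "client_B": "dest_0", "client_C": "dest_1"}
    latency = {"client_A": 500, "client_B": 750, "client_C": 1000}
    dests = {truth[c]: forward_through_tor(rng, f, latency[c], jitter_ms=100)
             for c, f in clients.items()}
    n_bins = 35_000 // BIN_MS
    return clients, dests, truth, n_bins


if __name__ == "__main__":
    clients, dests, truth, n_bins = build_scenario()
    for client, (dest, score, lag) in confirm(clients, dests, n_bins).items():
        ok = "ok" if truth[client] == dest else "WRONG"
        print(f"{client} -> {dest}  corr={score:.2f}  lag={lag * BIN_MS} ms  {ok}")
```

Nothing here touches the relays or the TLS-wrapped cells on the circuit: padding and encryption inside Tor change nothing about the bytes-per-bin series seen at the two edges, which is the point of "traffic confirmation, not traffic analysis". The same correlation works on circuit-build cell timing alone, which is what makes the Bauer et al. observation that no payload traffic is needed so damaging.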


