May 28th, 2007 at 06:58 UTC by Steven J. Murdoch
Users of the Tor anonymous communication system are at risk of being tracked by an adversary who can monitor both the traffic entering and leaving the network. This weakness is well known to the designers, and currently there is no known practical way to resist such attacks while maintaining the low latency demanded by applications such as web browsing. For this reason, it seems intuitively clear that when selecting a path through the Tor network, it would be beneficial to select nodes in different countries. Hopefully government-level adversaries will find it problematic to track cross-border connections, as mutual legal assistance is slow, if it even works at all. Non-government adversaries might also find that their influence drops off at national boundaries.
Implementing secure IP-based geolocation is hard, but even if it were possible, the technique might not help and could perhaps even harm security. The PET Award nominated paper, “Location Diversity in Anonymity Networks”, by Nick Feamster and Roger Dingledine showed that international Internet connections cross a comparatively small number of tier-1 ISPs. Thus, by forcing one or more of these companies to co-operate, a large proportion of connections through an anonymity network could be traced.
The results of Feamster and Dingledine’s paper suggest that it may be better to bounce anonymity traffic around within a country, because it is less likely that a single ISP will be monitoring the incoming and outgoing traffic of several nodes. However, this only appears to be the case because they used BGP data to build a map of Autonomous Systems (ASes), which roughly correspond to ISPs. In practice, inter-ISP traffic (especially in Europe) often travels through an Internet eXchange (IX), a fact not apparent from BGP data. Our paper, “Sampled Traffic Analysis by Internet-Exchange-Level Adversaries”, by Steven J. Murdoch and Piotr Zieliński, examines the consequences of this observation.
We discuss what happens when IXes are considered in location diversity models and show that, at least in the UK, IXes are better locations for launching traffic analysis attacks than any individual ISP. What is more, some IXes (including LINX and AMS-IX) already record the header of around one in every few thousand packets, through the sFlow capabilities of their switches. Hence, an attacker wouldn’t have to install monitoring equipment of their own; they would just need to get access to data already being collected. Our paper also shows that traffic analysis attacks on sampled data, even at such a low rate, still work.
This figure shows the top 10 ASes between the UK Tor nodes in our sample and the rest of the Tor network. Connections going through LINX are shown in red, AMS-IX in blue and DE-CIX (the German IX) in green. While 22% of connections pass through the tier-1 ISP Level 3, even more (27%) pass through LINX. The full details can be found in Section 3.1 of our paper.
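The point about BGP-derived AS maps hiding IX hops can be made concrete with a small location-diversity calculation. The following is an added example (not code from the paper or from the Tor project) that takes a constructed, hypothetical set of paths between Tor nodes, each written as the ordered list of organisations the connection traverses, and computes (a) which single organisation sees the largest fraction of paths and (b) how many entry/exit path pairs share an observer able to see both ends of a circuit. Running the same calculation with IX hops included and with them dropped, as a BGP-only map would, shows how the ranking and the exposure estimate change. The path data and organisation names are placeholders, not measurements.

```python
from collections import Counter
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

# Organisations treated as Internet exchanges; a BGP-only map has no hop for these.
IXES: Set[str] = {"LINX", "AMS-IX", "DE-CIX"}

# Constructed sample: each path is source AS, transit organisations, destination AS.
# Placeholder names chosen for illustration; not measured traceroute data.
SAMPLE_PATHS: List[List[str]] = [
    ["AS-UK-1", "LINX", "AS-UK-2"],
    ["AS-UK-3", "LINX", "AS-NL-1"],
    ["AS-UK-4", "LINX", "AS-UK-5"],
    ["AS-UK-1", "TIER1-X", "AS-US-1"],
    ["AS-UK-2", "TIER1-X", "AS-DE-1"],
    ["AS-UK-3", "AMS-IX", "AS-NL-2"],
    ["AS-UK-4", "TIER1-X", "AMS-IX", "AS-NL-1"],
    ["AS-UK-5", "LINX", "AS-UK-6"],
    ["AS-UK-6", "DE-CIX", "AS-DE-1"],
    ["AS-UK-2", "TIER1-Y", "AS-US-2"],
    ["AS-UK-5", "TIER1-X", "AS-US-2"],
    ["AS-UK-6", "LINX", "AS-UK-4"],
]


def path_observers(path: Iterable[str], include_ixes: bool = True) -> Set[str]:
    """Organisations positioned to observe a path. With include_ixes=False the
    IX hops are dropped, reproducing what a BGP-derived AS map would show."""
    return {hop for hop in path if include_ixes or hop not in IXES}


def observer_coverage(paths: List[List[str]], include_ixes: bool = True) -> Dict[str, float]:
    """Fraction of paths on which each organisation appears (counted once per path)."""
    seen: Counter = Counter()
    for path in paths:
        seen.update(path_observers(path, include_ixes))
    return {org: n / len(paths) for org, n in seen.items()}


def top_observers(paths: List[List[str]], k: int = 3,
                  include_ixes: bool = True) -> List[Tuple[str, float]]:
    """The k organisations covering the most paths, ties broken by name."""
    cov = observer_coverage(paths, include_ixes)
    return sorted(cov.items(), key=lambda kv: (-kv[1], kv[0]))[:k]


def end_to_end_observers(entry_path: List[str], exit_path: List[str],
                         include_ixes: bool = True) -> Set[str]:
    """Organisations on both the client-to-entry path and the exit-to-destination
    path, i.e. those able to see both ends of a circuit built over them."""
    return path_observers(entry_path, include_ixes) & path_observers(exit_path, include_ixes)


def exposed_pairs(paths: List[List[str]], include_ixes: bool = True) -> Tuple[int, int]:
    """Count unordered pairs of paths that share at least one observer,
    returned as (exposed pairs, total pairs)."""
    pairs = list(combinations(paths, 2))
    exposed = sum(1 for a, b in pairs if end_to_end_observers(a, b, include_ixes))
    return exposed, len(pairs)


if __name__ == "__main__":
    for label, with_ix in (("IXes included", True), ("BGP-only view", False)):
        print(label)
        for org, frac in top_observers(SAMPLE_PATHS, 3, with_ix):
            print(f"  {org:10s} sees {frac:.0%} of paths")
        exposed, total = exposed_pairs(SAMPLE_PATHS, with_ix)
        print(f"  {exposed}/{total} entry/exit pairs share an observer")
    # A concrete circuit: the two endpoint paths share only an IX, so a
    # BGP-only map reports no common observer for it at all.
    print(end_to_end_observers(SAMPLE_PATHS[0], SAMPLE_PATHS[7]))
    print(end_to_end_observers(SAMPLE_PATHS[0], SAMPLE_PATHS[7], include_ixes=False))
```

In this constructed sample the IX tops the ranking once its hops are visible, while the BGP-only view ranks a tier-1 transit provider first and underestimates the number of path pairs a single observer could correlate. The same computation can be fed real traceroute-derived paths, which is the kind of mapping the post says still needs to be done securely for Tor.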
So what does this mean for Tor users? Right now there is no particular need to worry – this paper introduces a new class of adversary, and reduces the cost estimate of the attack, but fundamentally end-to-end traffic analysis is not new. There remains much work to be done before implementation of defences can begin, such as verifying the hypothesis on a larger scale and establishing how to perform secure traceroute-based network mapping on Tor. I think this paper shows that this is a promising area of research and I hope it will spur further development.
Our paper will be presented at the 7th Workshop on Privacy Enhancing Technologies (PET 2007) held in Ottawa, Canada, June 20–22 and the final version will be published in Springer LNCS.