81 percent of Tor clients can be identified with traffic analysis attack
The research showed that, in real-world experiments, the attack de-anonymized Tor clients with an accuracy of more than 81 percent by exploiting NetFlow, the flow-record export technology Cisco designed for its network appliances. The figure is a measured accuracy rate against a sample of users, not a census of the Tor population.
The technique proposed by Chakravarty and his co-authors implements an active traffic analysis: specific perturbations are introduced into the traffic on the server side, and a matching perturbation is then sought on the client side through statistical correlation of the observed flow records.
De-anonymization of Tor users is a primary goal of law enforcement and intelligence agencies, which have the resources to run attacks of this kind. Many experts speculate that the recent Operation Onymous, which led to the seizure of several dark marketplaces including the popular Silk Road 2.0, may also have relied on a traffic analysis attack against the Tor network to identify the operators of the black markets.
On the Effectiveness of Traffic Analysis Against Anonymity Networks Using Flow Records
Abstract— Low-latency anonymous communication networks, such as Tor, are geared towards web browsing, instant messaging, and other semi-interactive applications. To achieve acceptable quality of service, these systems attempt to preserve packet interarrival characteristics, such as inter-packet delay. Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various points of the network, linking together otherwise unrelated network connections.
Previous research has shown that having access to a few Internet exchange points is enough for monitoring a significant percentage of the network paths from Tor nodes to destination servers. Although the capacity of current networks makes packet-level monitoring at such a scale quite challenging, adversaries could potentially use less accurate but readily available traffic monitoring functionality, such as Cisco's NetFlow, to mount large-scale traffic analysis attacks.
In this paper, we assess the feasibility and effectiveness of practical traffic analysis attacks against the Tor network using NetFlow data. We present an active traffic analysis method based on deliberately perturbing the characteristics of user traffic at the server side, and observing a similar perturbation at the client side through statistical correlation. We evaluate the accuracy of our method using both in-lab testing, as well as data gathered from a public Tor relay serving hundreds of users. Our method revealed the actual sources of anonymous traffic with 100% accuracy for the in-lab tests, and achieved an overall accuracy of about 81.4% for the real-world experiments, with an average false positive rate of 6.4%.
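To make the method described above and in the abstract concrete, here is a small simulation written for this article; it is not code from the paper's authors. A colluding server modulates the bandwidth it sends to an anonymous client as a random on/off pattern, an observer with flow records from the client side of the network (for example the client's ISP) sees per-client byte counts on the links to Tor guards, and each candidate client's series is correlated against the injected pattern. Everything here is constructed: the IP addresses, the one-second binning of flow records (a real exporter aggregates per flow over its active timeout, so binning is an analyst's post-processing step), the byte levels and the 0.7 threshold are all assumptions chosen for illustration. Pearson correlation is used as the correlation statistic; treat that as this example's choice rather than a statement about the paper's exact statistic.

```python
"""Toy NetFlow-style traffic-correlation experiment (added example, not the paper's code)."""
import random
from math import sqrt

N_BINS = 120                            # observation window, in (assumed) 1 s bins
ON_BYTES, OFF_BYTES = 50_000, 5_000     # server-side throughput for "on" / "off" bins


def make_perturbation(n_bins, seed=1):
    """Server-side perturbation: a random on/off bandwidth modulation the adversary
    applies to the colluding server's responses. Returns bytes sent per bin."""
    rng = random.Random(seed)
    return [ON_BYTES if rng.random() < 0.5 else OFF_BYTES for _ in range(n_bins)]


def simulate_client_flows(pattern, seed=2):
    """Constructed client-side flow records: bytes per bin on each client's link to
    its Tor guard, as an ISP's flow exporter would aggregate them. One client carries
    the perturbed stream (plus jitter and cross-traffic); the others are unrelated."""
    rng = random.Random(seed)
    n = len(pattern)
    return {
        # the target: the pattern survives end to end, with added noise
        "10.0.0.7": [b + rng.randint(0, 8_000) for b in pattern],
        # ordinary bursty browsing, independent of the pattern
        "10.0.0.21": [rng.choice([2_000, 40_000, 60_000]) for _ in range(n)],
        # another browser with different timing
        "10.0.0.33": [rng.randint(1_000, 70_000) for _ in range(n)],
        # constant-rate bulk download: zero variance, so correlation is undefined
        "10.0.0.50": [30_000] * n,
    }


def pearson(xs, ys):
    """Pearson correlation coefficient; returns 0.0 when either series has no variance
    (a constant-rate flow cannot carry the injected pattern)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / sqrt(vx * vy)


def correlate(pattern, flows):
    """Correlation of every candidate client's byte series with the injected pattern."""
    return {ip: pearson(pattern, series) for ip, series in flows.items()}


def identify(pattern, flows, threshold=0.7):
    """Candidate source IPs whose flow correlates with the pattern at or above
    `threshold`, strongest first. A lower threshold raises recall but also the
    false-positive rate the paper reports."""
    scores = correlate(pattern, flows)
    ranked = sorted(scores.items(), key=lambda kv: -kv[1])
    return [ip for ip, r in ranked if r >= threshold]


if __name__ == "__main__":
    pat = make_perturbation(N_BINS)
    fl = simulate_client_flows(pat)
    for ip, r in correlate(pat, fl).items():
        print(f"{ip:>10}  r = {r:+.3f}")
    print("identified:", identify(pat, fl))
```

The point the simulation makes is that coarse flow records are enough: the adversary never needs packet timings, only byte counts over windows, because the modulation is injected at a timescale the exporter can resolve. The constant-rate flow also shows why a zero-variance series must be handled explicitly rather than allowed to divide by zero.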