com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity
https://en.wikipedia.org/wiki/Tor_(anonymity_network)#:~:text=Tor%20is%20free%20and%20open,network%20surveillance%20or%20traffic%20analysis.
https://www.incibe-cert.es/en/blog/tor-hs-deanonymization
http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf
Tor is free and open-source software for enabling anonymous communication by directing Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays[5] in order to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis. Onion routing is implemented by encryption in the application layer of the communication protocol stack, nested like the layers of an onion. Tor encrypts the data, including the IP address of the next node, multiple times and sends it through a virtual circuit comprising successive, randomly selected Tor relays. Each relay decrypts one layer of encryption to reveal the next relay in the circuit and passes the remaining encrypted data on to it. The final relay decrypts the innermost layer and sends the original data to its destination without knowing or revealing the source IP address. An "onion" is the data structure that onion routers treat as the destination address; it is what establishes the anonymous connection. Because the routing of the communication is partly concealed at every hop in the Tor circuit, there is no single point at which the communicating peers can be identified by network surveillance that relies on knowing both source and destination. The limit of this design is worth stating plainly: the first relay still learns the client's IP address and the last relay learns the destination, so an adversary that observes both ends of a circuit can correlate them by timing or volume, which is exactly what the attack described below exploits. A 2013 NSA presentation published by the Guardian described Tor as "the King of high secure, low latency Internet anonymity".
A hidden service (HS from now on) publishes its "contact information" (the hidden service descriptor) in a distributed database hosted on the Tor network. Any client that wants to use the service fetches that descriptor from the database and uses it to contact the HS through a meeting point (the rendezvous point), to which both the client and the HS build their own Tor circuits, so that neither side learns the other's location. The final result is a connection as shown in the following graphic:
An important Tor concept for these attacks is the entry guard. Entry guards are the nodes that clients and hidden services choose (and rotate periodically) as the first hop of their circuits into the Tor network; they are therefore the only relays that see the real IP addresses of whoever is accessing Tor. In what follows, assume that an attacker wants to obtain the real IP address (123.124.125.126) of a hidden service reachable at xyz.onion. One of the attacks described in the referenced paper works as follows:
1. The xyz.onion hidden service selects a node controlled by the attacker as one of its entry guards. This is the precondition for everything that follows: only the guard sees 123.124.125.126, so the attacker has to wait until the service's periodic guard rotation picks one of its nodes.
2. The attacker, acting as a client, establishes a connection to xyz.onion.
   o Because the attacker initiates the connection, it is the attacker who chooses the rendezvous node, and chooses one under its own control.
   o The connection is identified by a rendezvous cookie created by the client (attacker). The cookie is handed to the rendezvous node and also transmitted to the hidden service, and the rendezvous node uses it to tell connections apart.
3. When the service behind xyz.onion connects to the malicious rendezvous point:
   o The rendezvous node can associate this connection initiated by xyz.onion with the one the attacker started, since both carry the same cookie.
   o The rendezvous node sends anomalous traffic toward xyz.onion (the researchers suggest 50 packets of a specific type), followed by a request to close the connection.
4. Finally, the entry guard controlled by the attacker links a connection it received from 123.124.125.126 to the rendezvous node's connection with the xyz.onion service if:
   o the entry guard receives a request to tear down that connection shortly after the rendezvous node received the xyz.onion connection carrying the attacker's cookie, and
   o the number of packets seen on that connection by the entry guard matches the pattern of 50 packets sent by the rendezvous node.
In other words, by following this process the attacker associates the IP address 123.124.125.126 with the xyz.onion hidden service.
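The correlation performed in step 4 is the heart of the attack, so here is an added Python simulation of it; it is neither the researchers' tooling nor INCIBE's code. The guard-side log, the circuit identifiers, the documentation-range IP addresses and the timing window are all constructed for the example; the burst of 50 cells followed by a teardown (Tor's DESTROY cell) is the signature described above, and the page's example address 123.124.125.126 is reused as the service's real IP.

```python
"""Simulation of the step-4 traffic-signature check (added example).
The attacker's rendezvous point sends a burst of BURST cells on the circuit
that presented the attacker's own rendezvous cookie and then tears it down.
The attacker's guard searches its own per-circuit log for a circuit that
received exactly that burst-then-DESTROY from the network side, and reads the
client IP off that circuit.  All log data below is constructed; cell type
names (RELAY, PADDING, DESTROY) are Tor's."""
from collections import defaultdict

BURST = 50      # cells sent by the malicious rendezvous point (from the text)
WINDOW = 2.0    # assumed: seconds after the burst in which the guard expects it


def cells(circ, ip, start, n, cell_type, spacing=0.01):
    """Constructed helper: n cells of one type on one circuit from `start`."""
    return [(start + i * spacing, circ, ip, cell_type) for i in range(n)]


# Constructed guard-side log: (timestamp, circuit id, client IP the guard sees
# on that circuit, cell type), for cells the guard relays from the middle node
# toward the client that built the circuit.  circ-B carries the signature;
# circ-C has the right count but no teardown, circ-D a teardown but the
# wrong count, circ-A ordinary traffic before the signal.
GUARD_LOG = sorted(
    cells("circ-A", "203.0.113.7", 99.5, 12, "RELAY")
    + cells("circ-B", "123.124.125.126", 100.2, BURST, "PADDING")
    + [(100.8, "circ-B", "123.124.125.126", "DESTROY")]
    + cells("circ-C", "198.51.100.9", 100.3, BURST, "RELAY")
    + cells("circ-D", "192.0.2.5", 100.1, 10, "RELAY")
    + [(100.4, "circ-D", "192.0.2.5", "DESTROY")]
)

# Recorded by the attacker's rendezvous point: when it sent the burst on the
# circuit that arrived with the attacker's cookie (step 3).
RP_SIGNAL_TIME = 100.0


def correlate(guard_log, signal_time, burst=BURST, window=WINDOW):
    """Return sorted (client_ip, circuit) pairs whose traffic at the guard
    matches the signature: exactly `burst` cells after `signal_time`, then a
    DESTROY, all within `window` seconds.  Cells after the DESTROY are ignored."""
    counts = defaultdict(int)
    destroyed = {}      # circuit -> cells counted before its teardown
    client_of = {}
    for ts, circ, ip, cell_type in guard_log:
        if ts < signal_time or ts > signal_time + window:
            continue
        client_of[circ] = ip
        if cell_type == "DESTROY":
            destroyed.setdefault(circ, counts[circ])
        elif circ not in destroyed:
            counts[circ] += 1
    return sorted((client_of[c], c) for c, n in destroyed.items() if n == burst)


if __name__ == "__main__":
    for ip, circ in correlate(GUARD_LOG, RP_SIGNAL_TIME):
        print(f"{circ}: hidden service real address is {ip}")
```

Circuit circ-C shows why the teardown condition matters: it also carries exactly 50 cells, but is never closed, so it is rejected; circ-D is closed but carries the wrong count. Only the circuit from 123.124.125.126 satisfies both conditions, which is what lets the attacker's guard name the service's real address without ever decrypting anything.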
The following scheme graphically represents the attack.