Research: How to secure the Tor network against correlation attacks
Traffic flow correlation is one of the most commonly used techniques in deanonymization attacks against users of the Tor network. An attacker who can observe network traffic at both ends of a communication channel can launch an end-to-end correlation attack: statistical correlation methods are used to decide whether the traffic stream leaving a user is the same stream that arrives at the destination the attacker is watching. For this reason, these attacks are also referred to as traffic confirmation attacks.
Correlation attacks are very difficult to mitigate in onion-routing anonymity networks such as Tor. For this reason, the Tor Project has stated in a blog post that the protocol is not designed to protect against them. Moreover, many research studies have shown that correlation attacks pose a serious threat to Tor users.
A recently published research paper proposes measures that make correlation attacks against Tor users considerably harder to launch. This article reviews the countermeasures proposed in that paper.
Countermeasures that can be implemented by Tor users:
There are several ways in which an ordinary Tor user can counteract an end-to-end correlation attack:
a- Tampering with the correlation of two traffic streams:
To prevent an adversary from launching a successful correlation attack, a user can try to disrupt the correlation between the two traffic streams.
The first option exploits the fact that the Tor protocol does not split outgoing connections to different destinations into separate streams. Dummy traffic that disrupts the original communication pattern can therefore reduce the correlation, and it is difficult for an attacker to distinguish the dummy traffic from the real communication with the destination server. However, if the attacker controls the entry node, the user has to ensure that the dummy traffic follows the real communication stream on to the next node in the circuit; otherwise the entry node could tell the dummy traffic apart from the targeted traffic.
Another protection is to use busy nodes. Previous studies have shown that including busy nodes in a Tor circuit reduces the probability of a successful correlation attack and forces the attacker to dedicate more computing power to it.
b- Preventing the adversary from getting into the right position:
A Tor user can take several measures to deny the attacker the ideal position for correlating traffic streams, which makes eavesdropping harder to accomplish.
To reduce the probability of staying connected to a malicious exit node for a significant period, a user should switch circuits frequently. A user could also route traffic only through more trusted relay nodes, but this raises the stakes if one of those nodes is compromised.
An adversary who wants to increase the effectiveness of correlation attacks usually targets the entry relay node, from which a client connecting to the associated Tor circuit can be deanonymized. Connecting to Tor through a proxy can deter such attacks, since the adversary cannot easily tell that the user is reaching Tor through a proxy.
Countermeasures implemented by Tor developers:
Although Tor clearly states that it does not protect against end-to-end correlation attacks, several features could be implemented to counteract them.
a- Incorporating dummy traffic into the Tor protocol:
Tor developers could build dummy traffic into the network protocol, with onion proxies generating it automatically. The extra traffic between a user and the entry node of a circuit would reduce the correlation an adversary computes between the two streams. However, on a small scale the added dummy traffic may not be effective, and on a larger scale it can considerably slow down the connection.
Another possible modification to the Tor protocol is a small random delay added to each data packet in the network. This could make correlation attacks less effective, but small delays alone may not achieve much, while longer packet delays would undermine one of Tor's main goals: low latency.
Adaptive padding and defensive packet dropping have been proposed in previous studies as ways of shielding Tor users against end-to-end correlation attacks.
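To make the trade-offs above concrete, the following Python model is an added example (not code from the paper or the Tor project) that computes the kind of correlation score an observer at both ends would obtain, first without any countermeasure, then with client-side dummy traffic (the user-side measure from the first section) and with a small and a large random per-packet delay inside the network. The client flow, the bin size of 100 ms, the dummy-traffic rate of 60 packets per second and the delay values are all constructed assumptions; the point is the relative change in the score, which is what the text argues.

```python
"""Toy model of end-to-end flow correlation on a Tor-like path and of two
countermeasures discussed in the article: dummy (cover) traffic on the client
side and a random per-packet delay inside the network.  All traffic is
constructed in-script; nothing here touches a real network."""
import random
from statistics import mean, pstdev

BIN_MS = 100         # width of a timing bin in milliseconds (assumption)
WINDOW_MS = 10_000   # length of the observation window: 100 bins
# Constructed client flow: six one-second bursts of 20 packets, 50 ms apart.
BURST_STARTS_MS = [300, 1800, 3400, 5100, 6700, 8200]


def client_flow():
    """Packet send times of the constructed client: a clearly bursty pattern."""
    return [start + 50 * k for start in BURST_STARTS_MS for k in range(20)]


def histogram(timestamps_ms):
    """Per-bin packet counts, which is what an observer at either end records."""
    counts = [0] * (WINDOW_MS // BIN_MS)
    for t in timestamps_ms:
        if 0 <= t < WINDOW_MS:
            counts[int(t // BIN_MS)] += 1
    return counts


def pearson(xs, ys):
    """Pearson correlation of two equal-length series (0.0 if one is constant)."""
    mx, my, sx, sy = mean(xs), mean(ys), pstdev(xs), pstdev(ys)
    if sx == 0 or sy == 0:
        return 0.0
    return mean((x - mx) * (y - my) for x, y in zip(xs, ys)) / (sx * sy)


def best_lag_correlation(h_in, h_out, max_lag_bins=30):
    """An observer does not know the path delay, so it tries every plausible
    lag and keeps the best score.  Higher means 'these are the same stream'."""
    best = -1.0
    for lag in range(max_lag_bins + 1):
        n = len(h_in) - lag
        best = max(best, pearson(h_in[:n], h_out[lag:lag + n]))
    return best


def through_network(rng, flow, extra_delay_max_ms=0.0):
    """What the destination side sees: each packet shifted by a fixed path delay
    (125 ms, assumed), a little jitter and, optionally, a uniformly random
    extra delay of up to extra_delay_max_ms (the countermeasure from the text)."""
    return [t + 125 + rng.gauss(0, 10) + rng.uniform(0, extra_delay_max_ms)
            for t in flow]


def with_cover_traffic(rng, flow, rate_per_s):
    """Client-side dummy packets at a constant Poisson rate.  They are dropped
    inside the network, so they show up in the client-side observation only."""
    dummies, t = [], 0.0
    while True:
        t += rng.expovariate(rate_per_s / 1000.0)   # inter-arrival time in ms
        if t >= WINDOW_MS:
            break
        dummies.append(t)
    return flow + dummies


def evaluate(seed=1):
    """Correlation score an observer would compute for each scenario."""
    rng = random.Random(seed)
    flow = client_flow()
    h_in = histogram(flow)
    h_out = histogram(through_network(rng, flow))
    return {
        # no countermeasure: the two ends line up almost perfectly
        "baseline": best_lag_correlation(h_in, h_out),
        # 60 dummy packets/s on the client side dilute the burst pattern
        "cover": best_lag_correlation(histogram(with_cover_traffic(rng, flow, 60)), h_out),
        # a small random delay (up to 50 ms) barely changes the score
        "small_delay": best_lag_correlation(h_in, histogram(through_network(rng, flow, 50))),
        # a large random delay (up to 3 s) does, at the cost of latency
        "large_delay": best_lag_correlation(h_in, histogram(through_network(rng, flow, 3000))),
    }


if __name__ == "__main__":
    for name, score in evaluate().items():
        print(f"{name:12s} correlation = {score:.2f}")
```

Running the script prints one score per scenario. The baseline score is close to 1, cover traffic at this rate pulls it down substantially, and the 50 ms delay leaves it almost untouched while the 3 s delay pushes it towards the noise floor, which is exactly the tension the text describes: the delay that helps is the one that breaks Tor's low-latency goal.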
b- Preventing the adversary from getting into the right position:
Keeping the same entry node for nine months has been shown to reduce the chances of several traffic-analysis attack patterns, in particular end-to-end correlation attacks.
According to information published by the Tor Project, the protocol switches Tor circuits to prevent a user from routing traffic through a potentially corrupt node for a long period. The onion proxy uses a single circuit for ten minutes before moving to a different one. However, Tor does not spread a single TCP stream over multiple circuits; it waits until the stream ends and switches to a new circuit immediately afterwards.
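The circuit-lifetime rule just described is easy to misread as "every connection is moved every ten minutes", so here is an added Python simulation of the rule (a stand-alone model, not Tor's code): a circuit accepts new streams for at most ten minutes after its first use, new streams after that go to a fresh circuit, and a stream already attached stays on its circuit until it ends. The constructed timeline shows the consequence for the user-side advice to switch circuits frequently: a long-lived stream is not rotated, so it keeps whatever exit it started with. Ten minutes matches the value in the text (and the default of Tor's MaxCircuitDirtiness option); the stream names and times are constructed.

```python
"""Toy model of the per-circuit lifetime rule described in the text.
Stand-alone simulation with constructed events; not Tor's implementation."""
from dataclasses import dataclass, field
from typing import Optional

MAX_DIRTINESS_S = 600.0   # ten minutes, the circuit lifetime the text describes


@dataclass
class Circuit:
    cid: int
    first_use: Optional[float] = None       # "dirty" from the first stream on
    open_streams: set = field(default_factory=set)


class CircuitManager:
    def __init__(self, max_dirtiness=MAX_DIRTINESS_S):
        self.max_dirtiness = max_dirtiness
        self._next_cid = 0
        self.circuits = {}
        self.stream_circuit = {}            # stream id -> circuit id
        self.current = self._new_circuit()

    def _new_circuit(self):
        self._next_cid += 1
        circ = Circuit(self._next_cid)
        self.circuits[circ.cid] = circ
        return circ

    def attach_stream(self, stream_id, now):
        """Attach a new TCP stream, rotating to a fresh circuit first if the
        current one has been in use for max_dirtiness seconds or more."""
        cur = self.current
        if cur.first_use is not None and now - cur.first_use >= self.max_dirtiness:
            cur = self.current = self._new_circuit()
        if cur.first_use is None:
            cur.first_use = now
        cur.open_streams.add(stream_id)
        self.stream_circuit[stream_id] = cur.cid
        return cur.cid

    def close_stream(self, stream_id):
        """End a stream.  An expired circuit is torn down once its last
        stream ends; a stream is never moved to another circuit mid-flight."""
        cid = self.stream_circuit.pop(stream_id)
        circ = self.circuits[cid]
        circ.open_streams.discard(stream_id)
        if circ is not self.current and not circ.open_streams:
            del self.circuits[cid]
        return cid

    def live_circuits(self):
        return sorted(self.circuits)


def simulate():
    """Constructed timeline: a long-lived stream opened at t=0 s is still on
    circuit 1 at t=900 s, while a stream opened at t=700 s gets circuit 2."""
    mgr = CircuitManager()
    events = [("long", 0.0, mgr.attach_stream("long", 0.0))]
    events.append(("short", 300.0, mgr.attach_stream("short", 300.0)))   # circuit 1, still fresh
    mgr.close_stream("short")
    events.append(("late", 700.0, mgr.attach_stream("late", 700.0)))     # rotated: circuit 2
    events.append(("long", 900.0, mgr.stream_circuit["long"]))           # old stream not moved
    mgr.close_stream("long")                                             # circuit 1 torn down now
    return events, mgr.live_circuits()


if __name__ == "__main__":
    for stream, t, cid in simulate()[0]:
        print(f"t={t:6.0f}s  stream {stream!r:8} on circuit {cid}")
```

The last event is the one worth noticing: the ten-minute rotation bounds how long new streams keep using a given exit, but it does nothing for a stream that is already open, which is why the text says Tor waits for the stream to end before switching.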
However, any extra traffic or extra packet delay that Tor adds to its network can compromise the original goals that made this anonymity network so popular. Finally, perhaps the best defense against correlation attacks is Tor's popularity itself. The fact that the network comprises thousands of relay nodes and millions of connected users greatly boosts its overall security. The ability to route traffic across several continents can help protect even against AS-level adversaries, and the sheer volume of traffic routed through the network makes it harder for an adversary to identify the correct stream.
Traffic correlation attacks are one of the most serious threats to the anonymity of Tor users. Even though Tor is not designed to deter such attacks, users can adopt several strategies that reduce their effectiveness, and Tor developers can add features to the protocol that greatly reduce the threat of end-to-end correlation attacks.