From “Onion Not Found” to Guard Discovery

We present a novel web-based attack that identifies a Tor user’s guard in a matter of seconds. Our attack is low-cost, fast, and stealthy. It requires only a moderate amount of resources and can be deployed by website owners, third-party script providers, and malicious exits—if the website traffic i...

Bibliographic Details
Main authors: Oldenburg Lennart, Acar Gunes, Diaz Claudia
Format: article
Language: EN
Published: Sciendo 2022
Subjects:
tor
Online access: https://doaj.org/article/f739fe0bc24b4a4694f11dc6cdfa266d
id oai:doaj.org-article:f739fe0bc24b4a4694f11dc6cdfa266d
record_format dspace
spelling oai:doaj.org-article:f739fe0bc24b4a4694f11dc6cdfa266d
2021-12-05T14:11:10Z
ISSN 2299-0984
DOI 10.2478/popets-2022-0026
https://doaj.org/article/f739fe0bc24b4a4694f11dc6cdfa266d
2022-01-01T00:00:00Z
https://doi.org/10.2478/popets-2022-0026
https://doaj.org/toc/2299-0984
Proceedings on Privacy Enhancing Technologies, Vol 2022, Iss 1, Pp 522-543 (2022)
institution DOAJ
collection DOAJ
language EN
topic tor
anonymous communications
guard discovery attack
onion services
web-based attack
Ethics
BJ1-1725
Electronic computers. Computer science
QA75.5-76.95
description We present a novel web-based attack that identifies a Tor user’s guard in a matter of seconds. Our attack is low-cost, fast, and stealthy. It requires only a moderate amount of resources and can be deployed by website owners, third-party script providers, and malicious exits—if the website traffic is unencrypted. The attack works by injecting resources from non-existing onion service addresses into a webpage. Upon visiting the attack webpage with Tor Browser, the victim’s Tor client creates many circuits to look up the non-existing addresses. This allows middle relays controlled by the adversary to detect the distinctive traffic pattern of the “404 Not Found” lookups and identify the victim’s guard. We evaluate our attack with extensive simulations and live Tor network measurements, taking a range of victim machine, network, and geolocation configurations into account. We find that an adversary running a small number of HSDirs and providing 5 % of Tor’s relay bandwidth needs 12.06 seconds to identify the guards of 50 % of the victims, while it takes 22.01 seconds to discover 90 % of the victims’ guards. Finally, we evaluate a set of countermeasures against our attack including a defense that we develop based on a token bucket and the recently proposed Vanguards-lite defense in Tor.
format article
author Oldenburg Lennart
Acar Gunes
Diaz Claudia
title From “Onion Not Found” to Guard Discovery
publisher Sciendo
publishDate 2022
url https://doaj.org/article/f739fe0bc24b4a4694f11dc6cdfa266d