Threat Level: green Handler on Duty: Basil Alawi S.Taher

SANS ISC: InfoSec Handlers Diary Blog - Hacking Tor, the anonymity onion routing network InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Hacking Tor, the anonymity onion routing network

Published: 2006-10-17
Last Updated: 2006-10-17 21:31:06 UTC
by Arrigo Triulzi (Version: 1)
0 comment(s)
On October 4th one of our readers sent in a very worrying analysis of what appeared to be "traffic modification" (in his words) on the part of the Tor network.

The Tor ("The Onion Router") network is an anonymizing peer-to-peer network of routers on the Internet which uses various techniques to bounce traffic around the Internet in such a way that traffic analysis becomes difficult if not impossible to perform. Tor is a perfect example of a dual-use technology: it can be used to avoid government-imposed Internet censorship or to protect the identity of a corporate whistleblower but at the same time it is sadly ideal for various nefarious uses.

The key tenet of Tor is that it should protect anonymity and the reader's analysis pointed not only to traffic modification on the part of a so-called "exit router" (the last hop in a Tor circuit before your packets reach the real destination) but also an attempt at tracking the true origin of the traffic (in a Tor network a hop only knows that the traffic comes from a previous hop but no futher back).

Both William Salusky and myself looked into the data and it seemed to implicate packetstormsecurity.org,  an exit router in Denmark and, more curiously, a DNS tunnel to transmit data out (via obviously fake hosts under the t.packetstormsecurity.org domain).  This last item was interesting because it replicated data which was apparently being submitted to the host via an HTTP cookie so it seemed that the idea was to have the cookie travel to the unwitting Tor user and be sent back via DNS tunnel to an external host to confirm the real identity of the host.  As both of us were busy we looked a little deeper but ultimately we recommended that the reader report this to the Tor authors.

Well, the moral of the story is that our reader, who sadly asked not to be named in the original e-mail, was dead right and a paper entitled "Practical Onion Hacking" by Andrew Christensen was released today on packetstormsecurity.org.

Our combined analysis had it almost entirely correct except that the DNS tunnel was not quite in Dan Kaminsky's "let's carry RealAudio over DNS" style but a simpler trackable DNS request and we had guessed at but not entirely understood the Shockwave flash trick.  All in all a pretty impressive paper, warmly recommended.

Finally a closing remark quoting from the actual paper for those who think Tor is "game over":

"Clearly Tor's designers have done a pretty good job: I couldn't find any weakness in Tor itself that violate the tenets set out at http://tor.eff.org/ (basically that end-to-end traffic analysis is always possible, but the traffic analysis should [be] difficult to everything but a global Echelon).  So instead, I attacked the data which Tor carries the most of: web traffic."


Keywords: hacks packetstorm Tor
0 comment(s)
Diary Archives