
How DNS Can Be Used To Unmask TOR Users

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, Oct 3, 2016.

  1. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    be careful if you rely on the tor system... :eek:


    Researchers have found a way to use DNS traffic monitoring to deanonymize TOR users based on TOR exit relay usage.

    Researchers from Karlstad University, Princeton University and the KTH Royal Institute of Technology have devised a way to leverage DNS traffic records to create a new kind of attack designed to unmask users of the Tor network.

    With almost two million daily users, Tor, also known as the onion router, is a network made up of relays and nodes which help mask users and their IP addresses.

    Run by the non-profit Tor Project, Tor is used by activists, journalists and the privacy-conscious worldwide, as well as a small slice of users who use it to access Dark Web services and for illegal activity.

    The domain name system (DNS) maps domains into machine-readable IP addresses, allowing users to access websites through human-readable names rather than strings of numbers.

    This system is a fundamental building block of the web, and it also appears to be a system that can be leveraged to track Tor users.

    According to the research team, it is possible to combine the monitoring of DNS requests with well-known fingerprinting techniques to create a new type of "DNS-enhanced website fingerprinting attack."

    The researchers said:

    "The Tor Project is upfront about its limitations. [..] It is well understood that low-latency anonymity networks such as TOR cannot protect against so-called global passive adversaries.

    We define such adversaries as those with the ability to monitor both network traffic that enters and exits the network. Then the adversary can run a correlation attack, meaning that it can match packets that go into the network to packets that leave it, or in other words, it can link a client's identity to her activity, and thus, break anonymity."

    Fingerprinting is one such way to break the anonymity TOR offers. These kinds of passive attacks use weaknesses in the TOR network to watch and wait for hidden services to be accessed before potentially uncovering not only the user's true IP address but the physical location of servers in some cases.

    http://www.zdnet.com/article/how-dns-can-be-used-to-unmask-tor-users/
     
  2. JustUs

    JustUs Power Member

    Sometimes this is so funny. Not so long ago, when I logged into my Google mail account to check on the progress of my Google Fiber internet installation, I would receive a notification that a new browser accessed the account. When it became annoying, I sent email to the quality department that they should stop notifying me about newly fingerprinted browsers accessing my account because I spoof my browser and it may come up as anything. Google no longer notifies me.