Best Security Search
Security News

DefecTor Attack Can Reveal TOR Sources

Researchers have discovered an attack method called DefecTor that can be used to deanonymize TOR traffic.

DefecTor uses DNS fingerprint attacks can pose a threat to TOR

The popular anonymous network TOR has been widely used by privacy-minded users and criminals to browse the Internet avoiding censorship and accessing the Dark Web, the shadier network used by computer criminals. Recently a large-scale research focused on revealing weaknesses in the TOR network has been under way by scientists.

A flaw has been identified in the way the network runs. According to the research notes the DNS requests from the TOR exit relays at times hold an interesting trait – most of them use Google’s public DNS servers and at times the figures account for 40% of all exit node traffic.

This creates a scenario for a DNS fingerprinting attack that can be used to deanonymize the service. This means that Google can potentially sabotage or gain valuable insight into the TOR users and the traffic sources. This security threat also includes large-scale Internet Providers and even governments.

The researchers have developed a method that identifies the DNS resolver of Tor exit relays and a set of correlation attacks (DefecTor attacks) that use the DNS traffic to improve the precision. Criminals can use these types of attack to determine the websites that the TOR user is visiting. This is very efficient, especially with less popular sites where the DNS names can be unique to the host site. The team has also used the Tor path Simulator with traceroute internet data from exit points to determine how this can be used in practice.

The research is posted online in several papers, as well as with a technical brief that explains how the attack can be replicated by any interested party.

Also the team has developed a tool called “DNS Delegation Path Traceroute” which determines the DNS delegation path for a given domain name and the runs UDP traceroutes to all DNS servers on the path. They are then compared to a TCP traceroute to the web server.

For more detailed information you can visit the team’s research site.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.