Onion Spoofing: a Novel Technique for Observing Exit Node Traffic for Correlation Attacks

Abstract

Tor is a tool that is used by 2,000,000 users every day for anonymous internet activity like anonymous web browsing. But, Tor’s suitability for web browsing is not only a cause for its popularity it is also a cause of its biggest weakness. Because Tor is fast enough for web browsing, it is vulnerable to traffic correlation. Traffic correlation is an attack on anonymity where an attacker observing both ends of a victim’s Tor connection can determine that both of these ends are “correlated”, thus revealing who the victim is communicating with. This revelation makes the victim’s communication no longer anonymous. Past research has shown that Tor nodes, Autonomous Systems (AS), and Internet Exchange Points (IXPs) can perform correlation attacks. In this paper we introduce “Onion Spoofing” an attack that uses DNS spoofing to intercept and observe traffic sent out of Tor by exit nodes. We then describe our implementation of Onion Spoofing and how we used it to perform correlation attacks to deanonymize Tor users in experimental settings. After this description, we share measurements we took of the Tor Network. These show that 91% of Tor exits are vulnerable to Onion Spoofing. We also found that 31% of Tor connections at any given time vulnerable to Onion Spoofing by Google. After demonstrating that Onion Spoofing is a threat to anonymity, we suggest mitigations and make recommendations for future work to improve Onion Spoofing.