Professor outlines Tor attack methods



Prof Bill Buchanan has outlined the Tor exploit from researchers at Carnegie Mellon’s Software Engineering Institute (SEI) in his blog. Some details are:

The opposing sides

As we move into an Information Age, there is a continual battle on the Internet between those who would like to track user activities and those who believe in anonymity. The recent Right to be Forgotten debate has shown that very little can be hidden on the Internet, and that deleting these traces can be difficult.

To defence agencies, access to Internet-based information can provide a rich source of data for the detection and investigation of crime, but they have struggled against the Tor (The Onion Router) network for over a decade. Its usage has been highlighted over the years, such as when, in June 2013, Edward Snowden used it to send information on PRISM to the Washington Post and The Guardian. This has prompted many government agencies around the world to set their best researchers to cracking it, most recently with the Russian government offering $111,000. At the core of Tor is its Onion Routing, which uses subscriber computers to route data packets over the Internet, rather than using publicly available routers.

The battle of the Gods

With the right to be anonymous at its core, the Tor project created a network architecture which anonymises both the source of network traffic and the identity of users. With so many defence agencies around the world targeting Tor, the cracks have started to be exposed, just as they have been with the targeting of OpenSSL and TrueCrypt. Here, researchers identified an underlying flaw in Tor’s network design, which led the Tor Project to warn that an attack on the anonymity network could have revealed user identities.

This message was in response to the work of two researchers from Carnegie Mellon University (Alexander Volynkin and Michael McCord) who exploited the infrastructure. SEI currently holds a Defense Department contract running until June 2015, worth over $110 million a year, with a particular focus on finding security vulnerabilities.

Overall the attacks ran from January 2014, and were finally detected and stopped on 4 July 2014. In a similar way to the OpenSSL Heartbleed announcement, the Tor team learned of the vulnerability when they were informed that the researchers were to give a talk at the Black Hat hacker conference in Las Vegas. The sensitivity around the area is highlighted by the fact that the talk was cancelled, as neither the university nor SEI (Software Engineering Institute) approved it. The Tor project, through Roger Dingledine’s blog entry on 4 July 2014, revealed that identities could have been exposed over the period of the research.

The research team used two methods of exploitation:

  • Traffic confirmation attack. This involves adding rogue relays to Tor, so that they are used in the routing process. With just a few nodes the routes cannot be determined, but if operated over a longer time period, it may have been possible to uncover some of the full path details of the accesses. This is similar to infiltrating a secret network with spies, and over time adding more spies, so that eventually the spies become more trusted, and it is thus possible for a route to contain only spying agents, revealing the complete route of a secret message.
  • Sybil attack. This involved adding a block of up to 115 relays to the guard relays. As these accounted for around 6.4% of Tor’s guard capacity, it is likely that a considerable amount of user traffic was involved.
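An added illustration (not part of the article or Prof Buchanan’s blog) of the point made above: the risk to a user depends on the share of relay capacity the attacker controls and on how long the attack runs. It assumes the textbook simplification that controlling both ends of a circuit (the guard and the far end) is enough to confirm traffic, takes the 6.4% guard figure from the article, and uses a constructed 5% for the far end; it also goes beyond the text by contrasting Tor’s persistent guards with hypothetical per-circuit guard rotation.

```python
"""Exposure model for compromised-relay attacks on Tor (added illustration).

Assumes the textbook simplification that an attacker controlling both ends
of a circuit (the guard and the far end) can confirm its traffic.  The 6.4%
guard figure is quoted in the article; the far-end fraction and the circuit
counts are constructed sample values.
"""


def circuit_compromise_prob(guard_frac, far_end_frac):
    """Chance one fresh circuit has hostile relays at both ends.

    Relay selection is bandwidth-weighted, so the hostile share of guard (or
    far-end) capacity is used as the probability of picking a hostile relay.
    """
    return guard_frac * far_end_frac


def exposure_fixed_guard(guard_frac, far_end_frac, circuits):
    """Chance of at least one compromised circuit when the client keeps one
    guard for all `circuits` circuits (Tor's persistent-guard design).

    Either the guard is hostile (probability guard_frac) and each circuit is
    then exposed with probability far_end_frac, or the guard is honest and
    the client is never exposed however long the attack runs.
    """
    return guard_frac * (1 - (1 - far_end_frac) ** circuits)


def exposure_rotating_guard(guard_frac, far_end_frac, circuits):
    """Same question if a fresh guard were drawn for every circuit: every
    circuit is an independent trial, so exposure creeps towards 1."""
    p = circuit_compromise_prob(guard_frac, far_end_frac)
    return 1 - (1 - p) ** circuits


def exposure_table(guard_frac, far_end_frac, horizons):
    """Rows of (circuits, exposure with fixed guard, exposure with rotation)."""
    return [(n,
             exposure_fixed_guard(guard_frac, far_end_frac, n),
             exposure_rotating_guard(guard_frac, far_end_frac, n))
            for n in horizons]


if __name__ == "__main__":
    GUARD_FRAC = 0.064    # 6.4% of guard capacity, as quoted in the article
    FAR_END_FRAC = 0.05   # constructed sample value for the other end
    for n, fixed, rotating in exposure_table(GUARD_FRAC, FAR_END_FRAC, [1, 10, 100, 1000]):
        print(f"{n:5d} circuits  fixed guard: {fixed:.3f}  rotating guard: {rotating:.3f}")
```

The persistent guard caps a user’s lifetime exposure at the hostile guard share (here 6.4%), whereas rotating guards would make eventual exposure almost certain, which is why a Sybil attack on the guard position in particular matters.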


The Web traces a wide range of information, including user details from cookies, IP addresses, and even user behaviour (with user fingerprints). This information can be used to target marketing at users, and is also a rich seam of information for the detection and investigation of crime. The Tor network has long been a target of defence and law enforcement agencies, as it protects user identity and their source location, and is typically known as the dark web, as it is not accessible to key search engines such as Google. With the Tor network, the routing is done using the computers of volunteers around the world to route the traffic around the Internet, and with every hop the chances of tracing the original source are reduced. In fact, it is rather like a pass-the-parcel game, where players randomly pass to others, but where the destination receiver will eventually receive the parcel. As no one has marked the parcel on its route, it’s almost impossible to find out the route that the parcel took.

The trace of users accessing Web servers is thus confused with non-traceable accesses. This has caused a range of defence agencies, including the NCA and GCHQ, to invest in methods of compromising the infrastructure, especially to uncover the dark web. A strange feature in the history of Tor is that it was originally sponsored by the U.S. Naval Research Laboratory (which had been involved in onion routing), and its first version appeared in 2002, presented to the world by Roger Dingledine, Nick Mathewson, and Paul Syverson, who were named in 2012 among the Top 100 Global Thinkers. It has since received funding from the Electronic Frontier Foundation, and is now developed by The Tor Project, which is a non-profit organisation.

Thus, as with the right to remain private, there are some fundamental questions that remain, and it is a target for many governments around the world. In 2011, it was awarded the Free Software Foundation’s 2010 Award for Projects of Social Benefit for:

"Using free software, Tor has enabled roughly 36 million people around the world to experience freedom of access and expression on the Internet while keeping them in control of their privacy and anonymity. Its network has proved pivotal in dissident movements in both Iran and more recently Egypt."


The latest attack compromised things for a while, but once detected, Tor has managed to heal itself; it remains a major target, along with cracking cryptography. For those in defence agencies the question remains “Why do you want to keep things secret … do you have something to hide?”, which is a pretty fundamental question. At the current time, the Tor team have managed to fix the cracks, but with such concerted probing around the world, you must wonder if they have the resources to cope with the probes. With OpenSSL, the Heartbleed bug had lain undiscovered for many years, so there will be weaknesses; it’s just that they haven’t been found yet. The recent tale of the TrueCrypt developers bailing out of their project leaves many questions around the maintenance of Open Source security software.

In defence, the Tor project is setting up a special group to monitor for malicious relays, and also to detect any compromises of the system. So, it’s one blow, but Tor has stood up to it and come out fighting, and it is the research team who have been pin-pointed as possibly stepping over the mark.


Associated people

William Buchanan
Director of CDCS
+44 131 455 2759
Electronic information now plays a vital role in almost every aspect of our daily lives. So the need for a secure and trustworthy online infrastructure is more important than ever. Without it, not only the growth of the internet but our personal interactions and the economy itself could be at risk.