DefecTor Uses DNS Correlation Attacks to Identify Tor Users


Researchers from Princeton University, Karlstad University and KTH Royal Institute of Technology published a report detailing how adversaries can combine monitored DNS requests with known website fingerprinting attacks to create a new type of DNS-enhanced correlation attack to reveal Tor users and their website activity.

The Tor network relies on relays, or “nodes”, for anonymous browsing: each relay decrypts one layer of encryption, which reveals only the next relay in the circuit, and passes the remaining encrypted data on to it. The exit relay is the last node Tor traffic passes through before reaching its destination; it decrypts the innermost layer and sends the original data to the destination without revealing the source IP address.
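The layered decryption described above, as an added illustration that is not code from the article or from the Tor project: a toy onion is built for a three-hop circuit, and each relay can peel exactly one layer, learning only the next hop. The relay names, keys and the SHA-256 counter-mode keystream are constructed for the example (real Tor negotiates keys with each relay and uses AES); the point is that only the exit relay learns the destination hostname, which is the name it must then resolve over DNS.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed toy: one symmetric key per relay in the circuit. In real Tor these
# keys come from a handshake with each relay; here they are fixed placeholders.
KEYS: Dict[str, bytes] = {
    "guard": b"guard-key-constructed",
    "middle": b"middle-key-constructed",
    "exit": b"exit-key-constructed",
}


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (illustrative, not a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(key: bytes, data: bytes) -> bytes:
    """Symmetric XOR with the keystream; applying it twice restores the data."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def wrap_layer(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """Encrypt one layer holding the next hop and the opaque inner blob."""
    inner = json.dumps({"next": next_hop, "payload": payload.hex()}).encode()
    return _xor(key, inner)


def build_onion(path: List[str], destination: str, request: bytes) -> bytes:
    """Wrap the request from the exit inward so the guard's layer is outermost."""
    onion = request
    hops = path + [destination]
    for i in range(len(path) - 1, -1, -1):
        onion = wrap_layer(KEYS[path[i]], hops[i + 1], onion)
    return onion


def peel_layer(relay: str, onion: bytes) -> Tuple[str, bytes]:
    """What a single relay learns: the next hop and a blob it cannot read."""
    inner = json.loads(_xor(KEYS[relay], onion).decode())
    return inner["next"], bytes.fromhex(inner["payload"])


def traverse(path: List[str], onion: bytes) -> Tuple[Dict[str, str], bytes]:
    """Simulate the circuit; return each relay's view and the final plaintext."""
    seen: Dict[str, str] = {}
    blob = onion
    for relay in path:
        next_hop, blob = peel_layer(relay, blob)
        seen[relay] = next_hop
    return seen, blob


if __name__ == "__main__":
    circuit = ["guard", "middle", "exit"]
    onion = build_onion(circuit, "example.org", b"GET / HTTP/1.1")
    views, plaintext = traverse(circuit, onion)
    for relay, hop in views.items():
        print(f"{relay} learns next hop: {hop}")
    print("exit delivers:", plaintext)
```

Note that the guard learns only "middle" and never sees the destination, while the exit learns "example.org" and nothing about the source; the exit's DNS lookup for that name is the side channel the article goes on to describe.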

Dubbed DefecTor, the DNS-enhanced correlation attack improves on website fingerprinting attacks through the attacker’s ability to observe DNS traffic leaving Tor exit relays. Using a DNS correlation attack, an adversary can match packets that go into the network with packets that leave it and link a source IP address to website activity. Mapping DNS traffic to websites proves highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves precision when monitoring websites with a low Alexa rank. The researchers also found that Google’s DNS servers accounted for almost 40% of all DNS requests exiting the Tor network.

“We find that DNS traffic traverses many networks that are entirely different than the networks that subsequent web traffic traverses,” said Philipp Winter, one of the lead researchers. “This means that past research likely underestimated the threat of correlation attacks because there are entities on the Internet such as ISPs, autonomous systems, or Internet exchange points that can monitor some DNS traffic but not web traffic coming out of the Tor network and potentially use the DNS traffic to deanonymize Tor users.”

The researchers note that while adversaries can leverage DNS correlation attacks to compromise data, it is not an immediate cause for concern. Tor developers are already devising ways to make website fingerprinting attacks harder to execute by having clients request various types of padding from Tor relays. Malicious exit relays that attempt to steal user credentials are often thwarted because Tor Browser ships with the NoScript and HTTPS Everywhere extensions. Other actions can be taken to blunt DefecTor attacks, such as Tor relay operators ensuring that the network maintains more diversity in how exit relays resolve DNS names.

The researchers have made their code, data, and replication instructions available online.
