Tor network

In a recently released research paper entitled 'On the effectiveness of traffic analysis against anonymity networks using flow records', Professor Sambuddho Chakravarty, from the Indraprastha Institute of Information Technology in Delhi, India, detailed how solutions such as Cisco's NetFlow could be used to mount attacks which could potentially identify users of Tor, the anonymising network which hides the user's IP address.

Running a test using a high-performance research server at the university, Chakravarty described how the attack was partly possible due to the low-latency design of Tor.

"To achieve acceptable quality of service, [Tor] systems attempt to preserve packet inter-arrival characteristics, such as inter-packet delay.

"Consequently, a powerful adversary can mount traffic analysis attacks by observing similar traffic patterns at various points of the network, linking together otherwise unrelated network connections," reads the paper.

"Although the capacity of current networks makes packet-level monitoring at such a scale quite challenging, adversaries could potentially use less accurate but readily available traffic monitoring functionality, such as Cisco's NetFlow, to mount large-scale traffic analysis attacks."

Chakravarty adds that the specific network analysis technique used in the research works by "identifying pattern similarities in the traffic flows entering and leaving the Tor network using statistical correlation".

The research team concluded that tests on a public Tor relay node showed that the technique was successful 80 percent of the time.

"Our method revealed the actual sources of anonymous traffic with 100 percent accuracy for the in-lab tests, and achieved an overall accuracy of about 81.4 percent for the real-world experiments, with an average false positive rate of 6.4 percent.”

However, the Tor Project responded late on Friday, with leader Roger Dingledine issuing a statement that the group had long been aware of network analysis attacks – and had already put security measures in place.

"It's great to see more research on traffic correlation attacks, especially on attacks that don't need to see the whole flow on each side. But it's also important to realise that traffic correlation attacks are not a new area,” reads the blog post.

"The discussion of false positives is key to this new paper too: Sambuddho's paper mentions a false positive rate of six percent ... It's easy to see how at scale, this 'base rate fallacy' problem could make the attack effectively useless.

"I should also emphasise that whether this attack can be performed at all has to do with how much of the internet the adversary is able to measure or control.”
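Dingledine's base-rate point can be worked through with the rates quoted above. This is an added example, not code from the paper or the Tor Project; it assumes the 81.4 percent figure acts as a true-positive rate, that exactly one of the observed candidate flows is the real source, and that errors are independent. All function names are hypothetical.

```python
"""Base-rate arithmetic for a flow-correlation classifier (added example)."""

# Rates quoted in the article. Treating the 81.4% "accuracy" as the
# true-positive rate is an assumption of this example.
TPR = 0.814  # probability the real source flow is flagged
FPR = 0.064  # probability an unrelated flow is flagged


def expected_false_matches(candidates, fpr=FPR):
    """Expected number of unrelated flows flagged in a pool of `candidates`."""
    return fpr * (candidates - 1)


def precision(candidates, tpr=TPR, fpr=FPR):
    """P(a flagged flow is the real source), with one real source in the pool."""
    if candidates < 1:
        raise ValueError("need at least one candidate flow")
    return tpr / (tpr + expected_false_matches(candidates, fpr))


def max_candidates_for(target, tpr=TPR, fpr=FPR):
    """Largest candidate pool for which precision stays >= target."""
    if not 0 < target <= 1:
        raise ValueError("target must be in (0, 1]")
    # Solve tpr / (tpr + fpr * (n - 1)) >= target for n, then guard
    # against floating-point error at the boundary.
    n = max(1, int(1 + tpr * (1 - target) / (fpr * target)))
    while precision(n + 1, tpr, fpr) >= target:
        n += 1
    while n > 1 and precision(n, tpr, fpr) < target:
        n -= 1
    return n


if __name__ == "__main__":
    # Constructed pool sizes, chosen only to show the trend.
    for pool in (1, 10, 100, 10_000, 1_000_000):
        print(f"{pool:>9} candidate flows: "
              f"{expected_false_matches(pool):>10.1f} expected false matches, "
              f"precision {precision(pool):.4%}")
    print("pool size where a match is still more likely right than wrong:",
          max_candidates_for(0.5))
```

Under these assumptions a flagged flow stops being more likely right than wrong once the pool exceeds 13 candidate flows, which is why the size of the monitored population matters so much to the argument.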

Gareth Owen, senior lecturer in the School of Computing at the University of Portsmouth, agreed that these kinds of attacks are not new.

“Traffic correlation attacks against Tor have a very long history dating back more than a decade,” Owen told

“Research has consistently shown that they are powerful and effective at deanonymising users - the only difficulty is in deploying them, which Tor tries to make difficult although far from impossible. This work examines netflows, traffic travelling through routers, rather than traffic travelling through a guard node to try and correlate traffic but it is unlikely the described attack is practical in its current form."

Chris Boyd, malware intelligence analyst at Malwarebytes, added in an email to SC that Tor will always be targeted, especially by those who oppose the activists using the service.

“If one thing has been proven time and again by researchers and the security industry, it's that wherever there is a standard or benchmark for anonymisation, there is someone looking for a way to unmask the users,” he said. “With so many activists around the world using the Tor network, they're a ripe target for those opposed to their views.”

“As with all things, there is no guarantee of 100 percent privacy regardless of the tools we use to secure ourselves - and while traffic correlation is not a new idea, that doesn't mean the possibility for being unmasked is something to be unconcerned about.”

This research comes just days after it was revealed (by F-Secure) that a rogue node in Tor was being used to launch cyber-espionage attacks on European governments using the notorious Duke malware. It also comes only weeks after US and European law enforcement combined to take down a number of dark nets, including Silk Road 2.0.