Tor stinks


description

Top-secret presentation says 'We will never be able to de-anonymize all Tor users all the time' but 'with manual analysis we can de-anonymize a very small fraction of Tor users'. The Guardian.

Transcript of Tor stinks

Page 1: Tor stinks

TOP SECRET//COMINT//REL FVEY

Derived From: NSA/CSSM 1-52
Dated: 20070108
Declassify On: 20370101

JUN 2012

CT SIGDEV

Tor Stinks (U)

Page 2: Tor stinks

Tor Stinks... (U)

• We will never be able to de-anonymize all Tor users all the time.

• With manual analysis we can de-anonymize a very small fraction of Tor users, however, no success de-anonymizing a user in response to a TOPI request/on demand.

Page 3: Tor stinks

REMATION II (U)

https://wiki.gchq/index.php?title=REMATION

• Joint NSA/GCHQ counter-Tor workshop

• Week one at MHS focus on analytics

• Week two at GCHQ focus on exploitation

Page 4: Tor stinks

Laundry List (U)

• Analytics to de-anonymize users
- Circuit reconstruction (21)
- Goes inta goes outta/low latency (2)
- Cookie leakage
- Dumb users (EPICFAIL)
- Node Lifespan (17)
- DNS

• Technical Analysis/Research
- Hidden services (4, 5, 6, 7)
- Timing pattern (3)
- Torservers.net/Amazon AWS

• Exploitation
- QUANTUM attacks (1, 20, 22)
- Existing options (8 + 11)
- Shaping (9 + 16)
- Web server enabling (10)
- Nodes (14)
- Degrade user experience (13 + 18)

• Nodes
- Baseline our nodes (21)
- Tor node flooding

Page 5: Tor stinks

Analytics: Circuit Reconstruction (S//SI)

• Current: access to very few nodes. Success rate negligible because all three Tor nodes in the circuit have to be in the set of nodes we have access to.
- Difficult to combine meaningfully with passive SIGINT.

• Goal: expand number of nodes we have access to
- GCHQ runs Tor nodes under NEWTONS CRADLE (how many?)
- Other partners?
- Partial reconstruction (first hops or last hops)?

[Diagram: a Tor circuit from a client labelled "Terrorist with Tor client installed" through a "Tor entry node" and "Tor relay node" to an "Internet site"; remaining labels illegible.]

Page 6: Tor stinks

Analytics: Goes Inta Goes Outta/Low Latency (S//SI)

Find possible alternative accounts for a target: look for connections to Tor, from the target's suspected country, near time of target's activity.

• Current: GCHQ has working version (QUICKANT). R has alpha tested NSA's version. NSA's version produced no obvious candidate selectors.

• Goal: Figure out if QUICKANT works, compare methodologies. Gathering data for additional tests of NSA's version (consistent, random and heavy user).

Page 7: Tor stinks

Analytics: Cookie Leakage (TS//SI)

Use cookies to identify Tor users when they are not using Tor.

• Current: preliminary analysis shows that some cookies "survive" Tor use. Depends on how target is using Tor (Torbutton/Tor Browser Bundle clears out cookies).

• Goal: test with cookies associated with CT targets
- Idea: what if we seeded cookies to a target?
- Investigate Evercookie persistence

Page 8: Tor stinks

Analytics: Cookie Leakage (TS//SI)

• DoubleclickID seen on Tor and non-Tor IPs

Page 9: Tor stinks

Analytics: Dumb Users (EPICFAIL) (S//SI)

GCHQ QFD that looks for Tor users when they are not using Tor.

• Current: GCHQ has working QFD based on hard selector (email, web forum, etc.) but does not include cookies.

• Goal: NSA investigating own version (GREAT EXPECTATIONS) that would include cookies.

Page 10: Tor stinks

Analytics: Node Lifespan (S//SI)

How do I know WHEN a particular IP was a Tor node as opposed to IF it was a Tor node?

• Current: detection done once an hour by NTOC. RONIN stores "last seen" and nodes age off slowly with no accurate lifespan.

• Goal: Working with RONIN to add more details on node lifespan.
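The "WHEN, not IF" question on this slide is one that incident responders also face when a logged source address needs to be checked against the Tor relay population at the time of an event. The public answer is the hourly network-status consensus the Tor directory authorities publish (archived by the Tor Project's CollecTor service), in which each relay has an "r" line carrying its address and an "s" line carrying its flags, and each document has a "valid-after" time. The following is an added example, not material from the presentation or from any Tor Project tool; the three consensus snippets are constructed to mimic the format (placeholder fingerprints, documentation-range IPs), and the one-hour validity window is an assumption that matches the normal consensus cadence.

```python
"""Answer "WHEN was this IP a Tor relay?" from network-status consensus documents.

Added example, not from the presentation. The Tor directory authorities publish
an hourly consensus; each has a "valid-after" timestamp, one "r" line per relay
(nickname, identity, digest, published date/time, IP, ORPort, DirPort) and an
"s" line with the relay's flags. The snippets below are CONSTRUCTED samples with
placeholder fingerprints, not real archive data.
"""
import re
from datetime import datetime, timedelta

# Assumption: consecutive consensuses are one hour apart, so a listing covers
# [valid-after, valid-after + 1h). A real archive gap would show up as a split interval.
CONSENSUS_PERIOD = timedelta(hours=1)

# Constructed: 203.0.113.7 is an Exit in the 00:00 and 01:00 consensuses and gone
# by 02:00; 198.51.100.9 first appears at 02:00 without the Exit flag.
SAMPLE_CONSENSUSES = [
    """valid-after 2012-06-01 00:00:00
fresh-until 2012-06-01 01:00:00
valid-until 2012-06-01 03:00:00
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2012-05-31 22:10:00 203.0.113.7 9001 9030
s Exit Fast Running Stable Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2012-05-31 23:00:00 192.0.2.44 443 0
s Fast Guard Running Stable Valid
""",
    """valid-after 2012-06-01 01:00:00
fresh-until 2012-06-01 02:00:00
valid-until 2012-06-01 04:00:00
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2012-05-31 22:10:00 203.0.113.7 9001 9030
s Exit Fast Running Stable Valid
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2012-05-31 23:00:00 192.0.2.44 443 0
s Fast Guard Running Stable Valid
""",
    """valid-after 2012-06-01 02:00:00
fresh-until 2012-06-01 03:00:00
valid-until 2012-06-01 05:00:00
r relayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2012-05-31 23:00:00 192.0.2.44 443 0
s Fast Guard Running Stable Valid
r relayC EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2012-06-01 01:40:00 198.51.100.9 9001 0
s Fast Running Valid
""",
]

R_LINE = re.compile(
    r"^r (\S+) (\S+) (\S+) (\d{4}-\d\d-\d\d) (\d\d:\d\d:\d\d) (\S+) (\d+) (\d+)$"
)


def parse_consensus(text):
    """Return (valid_after, {ip: set(flags)}) for one consensus document.

    Several relays may share an IP (different ORPorts); their flags are merged.
    """
    valid_after, relays, current_ip = None, {}, None
    for line in text.splitlines():
        if line.startswith("valid-after "):
            valid_after = datetime.strptime(line[len("valid-after "):], "%Y-%m-%d %H:%M:%S")
        elif line.startswith("r "):
            m = R_LINE.match(line)
            if not m:
                raise ValueError("malformed r line: " + line)
            current_ip = m.group(6)
            relays.setdefault(current_ip, set())
        elif line.startswith("s ") and current_ip is not None:
            relays[current_ip] |= set(line[2:].split())
            current_ip = None
    if valid_after is None:
        raise ValueError("consensus has no valid-after line")
    return valid_after, relays


def relay_intervals(consensus_texts, ip):
    """Merge consecutive hourly listings of `ip` into [start, end) intervals with the union of flags."""
    listings = [(va, relays[ip]) for va, relays in map(parse_consensus, consensus_texts) if ip in relays]
    listings.sort(key=lambda item: item[0])
    intervals = []
    for va, flags in listings:
        end = va + CONSENSUS_PERIOD
        if intervals and va <= intervals[-1]["end"]:   # contiguous with the previous listing
            intervals[-1]["end"] = max(intervals[-1]["end"], end)
            intervals[-1]["flags"] |= flags
        else:
            intervals.append({"start": va, "end": end, "flags": set(flags)})
    return intervals


def was_tor_node(consensus_texts, ip, when):
    """Return the flags `ip` carried at datetime `when`, or None if it was not a listed relay then."""
    for iv in relay_intervals(consensus_texts, ip):
        if iv["start"] <= when < iv["end"]:
            return iv["flags"]
    return None


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):
        for iv in relay_intervals(SAMPLE_CONSENSUSES, ip):
            print(ip, iv["start"], "->", iv["end"], sorted(iv["flags"]))
    print(was_tor_node(SAMPLE_CONSENSUSES, "203.0.113.7", datetime(2012, 6, 1, 2, 30)))  # None: aged out
```

The point the slide makes about "last seen" aging off slowly is exactly what the interval merge avoids: an address is treated as a relay only for the hours it was actually listed, so a log entry from 02:30 is not attributed to an exit that left the consensus at 02:00.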

Page 11: Tor stinks

Analytics: DNS (TS//SI)

How does Tor handle DNS requests? Are DNS requests going through Tor? Does this depend on how the target is using Tor?

• Current: Still investigating.
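The slide's third question has a concrete answer at the protocol level, and it matters for anyone checking that their own Tor setup does not leak lookups: a Tor client is reached through a SOCKS5 proxy (RFC 1928), and a SOCKS5 CONNECT request can name the destination either as an IPv4 address (ATYP 0x01), which means the application already resolved the name with the local OS resolver outside Tor, or as a domain name (ATYP 0x03), which lets the Tor exit resolve it. The following is an added example, not code from the presentation or from the Tor project; it builds and decodes both request forms so the difference is visible on the wire, and adds a check for the curl/requests proxy-URL convention (socks5:// resolves locally, socks5h:// resolves at the proxy). The resolver passed in the demo is a constructed stub so nothing touches the network.

```python
"""Show why "are DNS requests going through Tor?" depends on the client.

Added example, not from the presentation. RFC 1928 SOCKS5 CONNECT requests:
  +----+-----+-------+------+----------+----------+
  |VER | CMD |  RSV  | ATYP | DST.ADDR | DST.PORT |
  +----+-----+-------+------+----------+----------+
ATYP 0x01 carries a 4-byte IPv4 address (client resolved the name itself);
ATYP 0x03 carries a length-prefixed domain name (proxy, i.e. Tor, resolves it).
"""
import struct
from urllib.parse import urlsplit

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03


def build_connect_request(host, port, local_resolver=None):
    """Build a SOCKS5 CONNECT request for host:port.

    With local_resolver=None the hostname itself is sent (ATYP 0x03) and the Tor
    exit performs the lookup. If a local_resolver callable is supplied it is used to
    turn the name into an IPv4 address first (ATYP 0x01); that call is the DNS leak a
    careless client produces, because the lookup never enters Tor.
    """
    if local_resolver is not None:
        ip = local_resolver(host)
        octets = bytes(int(o) for o in ip.split("."))
        if len(octets) != 4:
            raise ValueError("expected a dotted-quad IPv4 address, got %r" % ip)
        head = struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0, ATYP_IPV4)
        return head + octets + struct.pack("!H", port)
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("domain name must be 1..255 bytes after IDNA encoding")
    head = struct.pack("!BBBBB", SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name))
    return head + name + struct.pack("!H", port)


def decode_connect_request(req):
    """Decode a SOCKS5 CONNECT request and report whether the client resolved DNS itself."""
    ver, cmd, rsv, atyp = struct.unpack("!BBBB", req[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT or rsv != 0:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        dst = ".".join(str(b) for b in req[4:8])
        port = struct.unpack("!H", req[8:10])[0]
        return {"destination": dst, "port": port, "dns_resolved_by_client": True}
    if atyp == ATYP_DOMAIN:
        n = req[4]
        dst = req[5:5 + n].decode("idna")
        port = struct.unpack("!H", req[5 + n:7 + n])[0]
        return {"destination": dst, "port": port, "dns_resolved_by_client": False}
    raise ValueError("unsupported address type 0x%02x" % atyp)


def proxy_url_leaks_dns(proxy_url):
    """True if a curl/requests-style SOCKS proxy URL makes the client resolve names locally.

    curl and python-requests (via PySocks) treat socks5:// and socks4:// as
    "client resolves" and socks5h:// and socks4a:// as "proxy resolves".
    """
    scheme = urlsplit(proxy_url).scheme.lower()
    if scheme in ("socks5h", "socks4a"):
        return False
    if scheme in ("socks5", "socks4"):
        return True
    raise ValueError("not a SOCKS proxy URL: " + proxy_url)


if __name__ == "__main__":
    # Constructed stub standing in for the OS resolver; records what it was asked.
    asked = []
    def stub_resolver(name):
        asked.append(name)
        return "203.0.113.5"

    safe = build_connect_request("example.onion", 80)
    leaky = build_connect_request("www.example.com", 443, local_resolver=stub_resolver)
    print(safe.hex(), decode_connect_request(safe))
    print(leaky.hex(), decode_connect_request(leaky), "local lookups:", asked)
    print("socks5:// leaks:", proxy_url_leaks_dns("socks5://127.0.0.1:9050"),
          "socks5h:// leaks:", proxy_url_leaks_dns("socks5h://127.0.0.1:9050"))
```

Two things follow from the bytes: a `.onion` name can only ever be sent in the ATYP 0x03 form, since no local resolver can turn it into an address, and any tool configured with a plain `socks5://` proxy URL will emit the ATYP 0x01 form after a local lookup, which is the leak the slide is asking about.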

Page 12: Tor stinks

Technical Analysis: Hidden Services (TS//SI)

What do we know about Hidden Services?

• Current: No effort by NSA, some DSD and GCHQ work on ONIONBREATH.

• Goal:
- Harvest and enumerate .onion URLs
- Identify similar HS based on referrer fields
- Distinguish HS from normal Tor clients

Page 13: Tor stinks

Technical Analysis: Timing Pattern (TS//SI)

Send packets back to the client that are detectable by passive accesses to find client IPs for Tor users.

• Current: GCHQ has research paper and demonstrated capability in the lab.

• Goal: Can we expand to other owned nodes?

Page 14: Tor stinks

Technical Analysis: torservers.net (TS//SI)

Investigate the Amazon AWS cloud instances of Tor servers. How are IPs allocated and reassigned once bandwidth limit is reached? Impact on RONIN's ability to detect nodes?

• Current: GCHQ set up Tor nodes on the AWS cloud during REMATION II.

Page 15: Tor stinks

Exploitation: QUANTUM (TS//SI)

Figure 4: A diagram of how the QUANTUM Survey/Cookie technique works

[Diagram in two boxes labelled STAGE 1 and STAGE 2: a Tor client (Tor browser bundle) sends an "Encrypted GET request to Yahoo.com with Y-Cookie"; a node labelled "Yahoo" is shown with its cookie; the remaining labels are illegible.]

• QUANTUMCOOKIE - forces clients to divulge stored cookies.

• QUANTUM to degrade/deny/disrupt Tor access?

Page 16: Tor stinks

Exploitation: Existing Options (TS//SI)

Test current CNE techniques (FA and SHORTSHEET) against Torbutton and TBB users.

• Current: Torbutton and TBB prevent CNE success. Possible success against "vanilla" Tor/Vidalia.

• Goal: modifications to initial CNE surveys? Ignore user-agents from Torbutton or TBB? Improve browser fingerprinting? Using javascript instead of Flash?

Page 17: Tor stinks

Exploitation: Shaping (TS//SI)

• Given CNE access to a target computer can we shape their traffic to "friendly" exit nodes?

• Route users to a separate "private" Tor network?

• Stain their traffic or user agent?

• Instruct target computer to use a service that connects outside Tor and reveal true IP?

• Current: Can stain user agent, working on shaping.

Page 18: Tor stinks

Exploitation: Web Server Enabling (TS//SI)

Given CNE access to web server modify the server to enable a "timing/counting" attack similar to timing pattern idea.

• Current: GCHQ has a research paper and demonstrated the technique in the lab.

Page 19: Tor stinks

Exploitation: Nodes (TS//SI)

Can we exploit nodes? Probably not. Legal and technical challenges.

Page 20: Tor stinks

Exploitation: Degrade Tor experience (TS//SI)

Given CNE access to a network can we deny/degrade/disrupt Tor users?

Given CNE access to a web server make it painful for Tor users?

Page 21: Tor stinks

Nodes: Baseline Our Nodes (TS//SI)

How many nodes do we have cooperative or direct access to? Can we deploy similar code to these nodes to aid with circuit reconstruction?

Can we do packet timing attacks using nodes? Can we use the nodes to shape traffic flow? Can we use the nodes to deny/degrade/disrupt comms to certain sites?

Page 22: Tor stinks

Nodes: Tor Node Flooding (TS//SI)

Could we set up a lot of really slow Tor nodes (advertised as high bandwidth) to degrade the overall stability of the network?

Page 23: Tor stinks

Tor Stinks... But it Could be Worse (S//SI)

• Critical mass of targets use Tor. Scaring them away from Tor might be counterproductive.

• We can increase our success rate and provide more client IPs for individual Tor users.

• Will never get 100% but we don't need to provide true IPs for every target every time they use Tor.