Not anonymous: attack reveals BitTorrent users on Tor network

Think that anonymizing BitTorrent tracker connections through Tor makes you harder to track? Think again. A vulnerability was used to identify over 10,000 users' IP addresses via their BitTorrent tracker connections. But it's not just your BitTorrent downloads that are at risk: an attacker can use your BitTorrent connections to de-anonymize other, more secure applications run over Tor.


In a paper released a few weeks ago at the USENIX conference's workshop on Large-scale Exploits and Emergent Threats (LEET), researchers from INRIA France revealed a class of vulnerabilities in the Tor system which threatens the anonymity of many BitTorrent users. The research team, led by Stevens Le Blond, explained an attack methodology which it developed and deployed. The attack exploits a feature of Tor originally introduced to improve anonymity and efficiency, but it also relies on certain aspects of the BitTorrent protocol.

Tor is a system for protecting online anonymity that works by forwarding TCP traffic over a low-latency "onion-routing" network of nodes maintained by volunteers. Tor establishes circuits of three nodes to pass traffic across; the actual operation is quite complex, but it's explained lucidly on the Tor Project website. The end result is that connections are slower but more secure than they would otherwise be, and a user's original IP address is obscured.
One Tor efficiency and anonymity feature involves multiplexing many different TCP streams over the same circuit. This improves efficiency, because it takes a lot of computationally intensive public-key encryption work to set up a circuit, but established circuits are not computationally taxing to use. In addition, there's a privacy benefit, because reusing circuits reduces the total number of nodes used, and therefore reduces the risk of coming into contact with a "hostile" node (one set up, for instance, by a government trying to peek at the Tor traffic of dissidents or mobsters).

Most modern BitTorrent clients allow users to specify a detailed selection of proxy settings. Many BitTorrent users crave anonymity, but the BitTorrent data transfer protocol does not perform well over Tor, making downloads prohibitively slow. However, a common compromise finds users sending the low-bandwidth initial connections to BitTorrent trackers over Tor, while leaving the bulk data traffic to the actual peers unprotected. This prevents the tracker from recording the true IP address of the user, which is a valuable first step against unwanted observation.

Malicious nodes and honeypots

To execute an attack on this system, the French researchers set up a number of malicious Tor exit nodes and some honeypot BitTorrent clients running on researcher machines. When one of the malicious exit nodes sees an attempted connection to a BitTorrent tracker, it intercepts the response and adds the IP address of one of the honeypot clients under researcher control. The user's BitTorrent client then attempts to make a data connection directly to the honeypot without using Tor, thus revealing the user's IP address to the honeypot.

A similar attack is used to identify users connecting via DHT, so even users who try to forward all of their BitTorrent traffic over Tor are not safe. The DHT version of the attack relies on the fact that Tor is only compatible with TCP, while BitTorrent's DHT uses the less-common UDP protocol, forcing some of the traffic to be sent in the clear. Information such as client ID and listening port help the honeypot to determine which incoming connections come from which users.

At this point in the attack, the researchers have identified a particular Tor circuit on one of their exit nodes, and they've associated it with a particular IP address. They can now be sure that any other traffic sent over that circuit comes from the same user. But the attack doesn't stop at this exit node; because the user can now be reliably identified based on the information transmitted to the tracker, the attacker can identify the user's connections made on other circuits, through other malicious exit nodes, if those circuits also carry identifiable BitTorrent requests.

Because Tor multiplexes many different TCP streams over the same circuit, streams from a variety of applications may be bundled together. This could include traffic from applications where anonymity is more crucial, like a user's Web browser or IM client. The fact that the user is running a BitTorrent client partially or fully over Tor means that his otherwise-anonymous communications can now be reliably identified across all the attacker's malicious nodes.
Commenting on the attack, Roger Dingledine, leader of the Tor Project, praised the INRIA researchers for identifying this vulnerability, but criticized them for actually executing the attack on 10,000 users. Dingledine suggested that the researchers crossed an ethical line by placing the anonymity of these users in jeopardy, and that this step was unnecessary, done for the purpose of publicity.

Protection

This vulnerability may be nerve-wracking for some users who rely upon Tor to protect themselves when using a variety of applications. In a blog post responding to a prior version of this research, Dingledine advised that users can protect themselves right now if they stop using BitTorrent over Tor. This is a step that the Tor Project generally recommends, since BitTorrent traffic is antisocial on the Tor network, subjecting the entire network to significant load (and it's quite slow for the user).

Running one instance of Tor for BitTorrent, and a separate instance for all other applications, will provide an effective defense for non-BitTorrent traffic, but it still leaves your BitTorrent traffic vulnerable to deanonymization. The Tor project has a design proposal to more effectively fix this class of attacks by using various methods to separate TCP streams. However, the best way to separate and bundle different traffic over anonymity networks remains an open research question.

Users interested in anonymous download solutions should consider OneSwarm, a University of Washington project to design a BitTorrent client with anonymity and privacy built in. More advanced users may wish to investigate I2P, an onion-routing network which was designed to handle BitTorrent traffic from the start. In addition, uTorrent features an advanced array of proxy settings, some of which may mitigate parts of this attack, although their effectiveness has not been independently verified.