Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center Diary 2006-10-17 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Hacking Tor, the anonymity onion routing network

Published: 2006-10-17
Last Updated: 2006-10-17 21:31:06 UTC
by Arrigo Triulzi (Version: 1)
0 comment(s)
On October 4th one of our readers sent in a very worrying analysis of what appeared to be "traffic modification" (in his words) on the part of the Tor network.

The Tor ("The Onion Router") network is an anonymizing peer-to-peer network of routers on the Internet which uses various techniques to bounce traffic around the Internet in such a way that traffic analysis becomes difficult if not impossible to perform. Tor is a perfect example of a dual-use technology: it can be used to avoid government-imposed Internet censorship or to protect the identity of a corporate whistleblower but at the same time it is sadly ideal for various nefarious uses.

The key tenet of Tor is that it should protect anonymity and the reader's analysis pointed not only to traffic modification on the part of a so-called "exit router" (the last hop in a Tor circuit before your packets reach the real destination) but also an attempt at tracking the true origin of the traffic (in a Tor network a hop only knows that the traffic comes from a previous hop but no futher back).

Both William Salusky and myself looked into the data and it seemed to implicate,  an exit router in Denmark and, more curiously, a DNS tunnel to transmit data out (via obviously fake hosts under the domain).  This last item was interesting because it replicated data which was apparently being submitted to the host via an HTTP cookie so it seemed that the idea was to have the cookie travel to the unwitting Tor user and be sent back via DNS tunnel to an external host to confirm the real identity of the host.  As both of us were busy we looked a little deeper but ultimately we recommended that the reader report this to the Tor authors.

Well, the moral of the story is that our reader, who sadly asked not to be named in the original e-mail, was dead right and a paper entitled "Practical Onion Hacking" by Andrew Christensen was released today on

Our combined analysis had it almost entirely correct except that the DNS tunnel was not quite in Dan Kaminsky's "let's carry RealAudio over DNS" style but a simpler trackable DNS request and we had guessed at but not entirely understood the Shockwave flash trick.  All in all a pretty impressive paper, warmly recommended.

Finally a closing remark quoting from the actual paper for those who think Tor is "game over":

"Clearly Tor's designers have done a pretty good job: I couldn't find any weakness in Tor itself that violate the tenets set out at (basically that end-to-end traffic analysis is always possible, but the traffic analysis should [be] difficult to everything but a global Echelon).  So instead, I attacked the data which Tor carries the most of: web traffic."

Keywords: hacks packetstorm Tor
0 comment(s)

NetSol Worldnic DNS server issues

Published: 2006-10-17
Last Updated: 2006-10-17 18:15:17 UTC
by Jim Clausing (Version: 1)
0 comment(s)
As several of our readers have pointed out to us, it is Network Solutions' turn to have DNS problems.  A number of their servers seem to be having intermittent issues.
0 comment(s)

Bellsouth.(net|com) troubles

Published: 2006-10-17
Last Updated: 2006-10-17 18:12:21 UTC
by Joel Esler (Version: 2)
0 comment(s)
Update:  As of about 16:00 UTC, the Bellsouth DNS server issue appears to have cleared.

We've received several reports telling us that Bellsouth.(net|com)'s services are down.  This seems to be not only affecting their DNS servers, but it also is affecting their Managed Services, email, hosted email, and who knows what else.

It does not appear to be affecting their managed internet services.

Thanks to the many readers who wrote in and let us know.
0 comment(s)
Diary Archives