
Here is a scheme for deanonymizing a user that I've been thinking about, just out of curiosity. I tried searching for it but didn't find much. Does this technique have a name? Are there any papers or articles on this? And is it known to be in use?

So a user posts a lot of information, on Twitter or on a blog, etc. He/she tries to be anonymous by using internet cafes, Tor, proxies, or any other method. The user's posts obviously don't have geotagging information, but they have precise timestamps.

Now, an attacker could introduce slight delays into all potential users' connections, of the order of milliseconds. They either do this with the cooperation of the ISPs (e.g. intelligence agencies), or by spamming the connections using botnets (e.g. criminals). The attacker would vary the delays by location and time. Then, looking at the timestamps of posts, there would be windows where a targeted user would be less likely to have successfully submitted a post. A simple example: if I imposed a delay of 2 seconds at 9:00, the user couldn't have posted at 9:01. In real life, the attacker would probably use tiny delays and a lot of posts, and use probabilistic methods to narrow down the target.

Ways to improve accuracy would be to get more precise data (getting the exact timestamps of posts by cooperating with the sites the user posts to), or by watching a real-time stream of data, e.g. VOIP, and correlating the delays with the imposed delays.

Now, thinking about it, you could possibly even do this passively, by measuring latency at a lot of points and correlating it with the timestamps of your target, but that makes it a lot harder.

So, would this work? Is this known to be used?

jdm
  • PS: The tags are a bit poor. It would be nice if someone could suggest better ones. I tried `deanonymization`, but that didn't exist. `attacks` is also very unspecific, I'd prefer something like traffic analysis, "statistical" attacks, or "time correlation" attacks, although these are not really the right terms. – jdm Mar 28 '14 at 14:22
  • I don't follow how introducing delays is going to allow users to be uncovered, it's a bit unclear. – GdD Mar 28 '14 at 15:03
  • 1
    This would imply that you have the ability to selectively throttle **all internet connections worldwide**. When you have such a power over the network infrastructure, there are a lot more passive attacks you could perform, like simple traffic correlation (user always sends some encrypted data just before a tweet or blog post appears). – Philipp Mar 28 '14 at 15:52
  • @GdD: In the simplest case, you freeze 50% of all connections for a few seconds, and observe that the target sends data in that time window. You know they connected at *precisely* 9:35.0000 am, and you know you froze all connections from the east half of the country at that time, so he must be in the west. Then you repeat the scheme with 50% of the connections in the west. You continue with binary partitioning until you have localized your target. Now this would be pretty disruptive! So I suggest instead to just artificially increase the latency for a part of the net. You can then ... – jdm Mar 28 '14 at 15:52
  • ... either 1) measure the target's latency (if he uses VOIP etc.), and correlate it, or 2) calculate the likelihood that a packet gets through at 09:35.0001, 09:35.0002, and so on, and correlate that with their activity. Measuring long enough you should be able to pinpoint them. – jdm Mar 28 '14 at 15:54
  • @Philipp: I think it's entirely possible that an intelligence agency asks/orders the major ISPs in one country to make a few tweaks to their infrastructure, especially if these 1) seem to do nothing and 2) in times of secret FISA court orders. Also I can imagine this working on a much smaller scale. Say you are an individual and your target works in one of two companies, and you want to figure out which one. You can't bring the company's connection down, but you can "DDoS" them on a very low level and observe your target's activity for weeks. Eventually you'll know where your target sits. – jdm Mar 28 '14 at 15:59

1 Answer


This is a timing attack and the idea (including defenses against it) has been the subject of several academic papers. The short answer to your question of "will this work and has it been used?" is "yes". Some anonymity tools / networks (not sure if Tor does this) introduce their own latency and fake packets to make it harder (see "dependent link padding").

On the Effectiveness of Low Latency Anonymous Network in the Presence of Timing Attack

How Much Anonymity does Network Latency Leak?

Impact of Network Topology on Anonymity and Overhead in Low-Latency Anonymity Networks

mcgyver5
  • 1
    Tor pads all packets to be the same size. Someone on one end of the connection could record packets passing by and try to link them to packets on the other end based on the time differenced but it's far from reliable. – user2675345 Mar 28 '14 at 16:22
  • This is called a watermarking attack, btw. – forest Jan 18 '18 at 21:28
  • I looked up watermarking attack and it seems to describe something different. [In cryptography, a watermarking attack is an attack on disk encryption methods where the presence of a specially crafted piece of data can be detected by an attacker without knowing the encryption key.](https://en.wikipedia.org/wiki/Watermarking_attack) – mcgyver5 Jan 19 '18 at 15:39
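As an added illustration, not part of the question or the answer above and not taken from any of the cited papers, the following Python simulation implements the scheme jdm sketches in the question comments (throttle a random half of the candidate regions in each round, then score every region by how likely the observed post timestamps are under "the target sits there") and goes one step further by adding the defence mcgyver5 alludes to: an anonymity hop that holds each post for a random extra delay before it reaches the site. Everything in it is constructed. The number of regions, the window and gap lengths, the 5% "leak" probability for a throttled post that still gets through, the number of rounds and posts, and the mixing delay are assumed parameters chosen to make the effect visible, not figures from the page.

```python
import math
import random

# Constructed scenario (assumptions, not figures from the page): the attacker
# can slow the traffic of whole regions (ISP cooperation or a low-level DDoS)
# and sees only the server-side timestamps of the target's posts.

N_REGIONS = 8        # candidate regions the target may sit in
WINDOW = 2.0         # seconds during which the selected regions are throttled
GAP = 1.0            # seconds of normal service between throttle windows
PERIOD = WINDOW + GAP
LEAK = 0.05          # chance that a throttled post still arrives inside the window


def schedule(n_rounds, rng):
    """Attacker's plan: in each round, throttle an independent random half of the regions."""
    return [frozenset(r for r in range(N_REGIONS) if rng.random() < 0.5)
            for _ in range(n_rounds)]


def round_of(t):
    """Map an absolute time to (round index, offset inside that round)."""
    i = int(t // PERIOD)
    return i, t - i * PERIOD


def simulate_posts(plan, target_region, n_posts, rng, mix_delay=0.0):
    """The target posts at uniformly random times. A post sent while its region
    is throttled is held until the window ends, unless it leaks through.
    `mix_delay` models a defensive high-latency hop placed after the throttle
    point that adds uniform(0, mix_delay) to every post, decoupling the time
    the site records from the time the post was sent."""
    horizon = len(plan) * PERIOD
    observed = []
    for _ in range(n_posts):
        t = rng.uniform(0, horizon)
        i, offset = round_of(t)
        if offset < WINDOW and target_region in plan[i] and rng.random() >= LEAK:
            t = i * PERIOD + WINDOW + rng.uniform(0, GAP / 2)   # released after the window
        if mix_delay > 0:
            t += rng.uniform(0, mix_delay)
        observed.append(t)
    return observed


def localize(plan, observed):
    """Score each candidate region by the log-likelihood of the observed arrivals.
    Only arrivals inside a throttle window carry evidence: a post arriving while
    region c was throttled has probability LEAK if the target is in c and is
    unsurprising otherwise. Arrivals in the gaps are ignored (in this simplified
    model they are equally consistent with every hypothesis)."""
    scores = [0.0] * N_REGIONS
    for t in observed:
        i, offset = round_of(t)
        if i >= len(plan) or offset >= WINDOW:
            continue
        for c in plan[i]:
            scores[c] += math.log(LEAK)
    best = max(range(N_REGIONS), key=scores.__getitem__)   # ties go to the lowest index
    return best, scores


def experiment(seed, mix_delay=0.0, n_rounds=100, n_posts=150):
    """Run one attack with a seeded RNG; returns (guessed_region, true_region)."""
    rng = random.Random(seed)
    target = rng.randrange(N_REGIONS)
    plan = schedule(n_rounds, rng)
    observed = simulate_posts(plan, target, n_posts, rng, mix_delay)
    guess, _ = localize(plan, observed)
    return guess, target


def accuracy(mix_delay, trials=20):
    """Fraction of seeded trials in which the attacker names the right region."""
    hits = sum(g == t for g, t in (experiment(s, mix_delay) for s in range(trials)))
    return hits / trials


if __name__ == "__main__":
    print("no defence:              ", accuracy(0.0))
    print("up to 5 min mixing delay:", accuracy(300.0))
```

With no defence the attacker needs only a few dozen timestamped posts to pick the right region out of eight, because every post that arrives inside a window in which a region was throttled is strong evidence against that region. A mixing delay comparable to many throttle periods destroys that correlation and the guess falls back to roughly chance, which is the trade-off the answer's "introduce their own latency" remark points at: a low-latency network such as Tor cannot afford delays of that size, so it remains exposed to this class of timing attack. A mixing delay that is short relative to the throttle period still leaks some evidence, so the defence has to be sized against the attacker's window, not just "some" delay.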