Spying in the Dark: TCP and Tor Traffic Analysis

  • Yossi Gilad
  • Amir Herzberg
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7384)


We show how to exploit side-channels to identify clients without eavesdropping on the communication to the server, and without relying on known, distinguishable traffic patterns. We present different attacks, utilizing different side-channels, for two scenarios: a fully off-path attack detecting TCP connections, and an attack detecting Tor connections by eavesdropping only on the clients.

Our attacks exploit three types of side channels: globally-incrementing IP identifiers, used by some operating systems, e.g., Windows; packet processing delays, which depend on TCP state; and bogus-congestion events, which reduce TCP's throughput via TCP's congestion control mechanism. Our attacks can (optionally) also benefit from sequential port allocation, e.g., as deployed in Windows and Linux. The attacks are practical: we present results of experiments for all attacks in different network environments and scenarios. We also present countermeasures for these attacks.
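To audit whether one of your own hosts exposes the first side channel above (a single global IP-ID counter), the following classifier takes the IP Identification values seen in a run of replies from that host, as captured on your side, and reports what kind of generator they come from. This is an added example, not code from the paper; the sample sequences in the test are constructed.

```python
"""Classify how a host assigns IPv4 Identification values (defender's audit).

A host that draws every IP-ID from one global counter lets any party able to
elicit packets from it count how many other packets it sent in between
(the side channel the paper's off-path TCP attack relies on). Feeding this
function the IP-ID values of consecutive replies observed from one host
tells you which generator class the host appears to use.
"""
from typing import List

ID_MODULUS = 0x10000  # the Identification field is 16 bits and wraps


def ipid_deltas(ids: List[int]) -> List[int]:
    """Successive differences, taken modulo 2^16 so a wrap-around still
    reads as a small positive step."""
    return [(b - a) % ID_MODULUS for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: List[int]) -> str:
    """Return one of:
      'zero'              all IDs are 0 (e.g. DF-set datagrams on Linux): not exposed
      'incremental'       every step is 1..10: a counter, quiet host, exposed
      'busy-incremental'  every step is 1..1000: a counter shared with other
                          traffic, still exposed but noisier to read
      'random'            steps are inconsistent: per-packet randomisation

    Caveat: a per-destination counter (what Linux uses for non-atomic
    datagrams) also looks 'incremental' from a single vantage point. A
    positive result should be confirmed by sampling from a second source
    address; if the second observer's samples do not advance the first
    observer's sequence, the counter is not global.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if any(not 0 <= i < ID_MODULUS for i in ids):
        raise ValueError("IP-ID values must fit in 16 bits")
    if all(i == 0 for i in ids):
        return "zero"
    steps = ipid_deltas(ids)
    if all(1 <= s <= 10 for s in steps):
        return "incremental"
    if all(1 <= s <= 1000 for s in steps):
        return "busy-incremental"
    return "random"


if __name__ == "__main__":
    # Constructed sample: a counter that wraps from 65535 back to 0.
    print(classify_ipid([65534, 65535, 0, 1]))  # incremental
```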







Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Yossi Gilad, Department of Computer Science, Bar Ilan University, Israel
  • Amir Herzberg, Department of Computer Science, Bar Ilan University, Israel
