Authors
- Ran Xin (Faculty of Applied Sciences, Macao Polytechnic University, Macao 999078, China)
- Yapeng Wang (Faculty of Applied Sciences, Macao Polytechnic University, Macao 999078, China)
- Xiaohong Huang (Institute of Network Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China)
- Xu Yang (Faculty of Applied Sciences, Macao Polytechnic University, Macao 999078, China)
- Sio Kei Im (Faculty of Applied Sciences, Macao Polytechnic University, Macao 999078, China)
Abstract
This research introduces a novel de-anonymization technique targeting the Tor network, addressing limitations in prior attack models, particularly concerning router positioning following the introduction of bridge relays. Our method exploits two specific, inherent protocol-level vulnerabilities: the absence of a continuity check for circuit-level cells and anomalous residual values in RELAY_EARLY cell counters, working by manipulating cell headers to embed a covert signal. This signal is composed of reserved fields, start and end delimiters, and a payload that encodes target identifiers. Using this signal, malicious routers can effectively mark data flows for later identification. These routers employ a finite state machine (FSM) to adaptively switch between signal injection and detection. Experimental evaluations, conducted within a controlled environment using attacker-controlled onion routers, demonstrated that the embedded signals are undetectable by standard Tor routers, cause no noticeable performance degradation, and allow reliable correlation of Tor users with public services and deanonymization of hidden service IP addresses. This work reveals a fundamental design trade-off in Tor: the decision to conceal circuit length inadvertently exposes cell transmission characteristics. This creates a bidirectional vector for stealthy, protocol-level de-anonymization attacks, even though Tor payloads remain encrypted.
Suggested Citation
Ran Xin & Yapeng Wang & Xiaohong Huang & Xu Yang & Sio Kei Im, 2025.
"Cell-Sequence-Based Covert Signal for Tor De-Anonymization Attacks,"
Future Internet, MDPI, vol. 17(9), pages 1-26, September.
Handle:
RePEc:gam:jftint:v:17:y:2025:i:9:p:403-:d:1742075