The DUSTER Attack: Tor Onion Service Attribution Based on Flow Watermarking with Track Hiding


Alfonso Iacovazzi, ST Engineering-SUTD Cyber Security Laboratory, Singapore University of Technology and Design; Daniel Frassinelli, CISPA, Helmholtz Center for Information Security, Germany; Yuval Elovici, Department of Software and Information Systems Engineering and Cyber Security Research Center, Ben-Gurion University of the Negev, Israel, and iTrust—Centre for Research in Cyber Security, Singapore University of Technology and Design, Singapore


Tor is a distributed network composed of volunteer relays which is designed to preserve the sender-receiver anonymity of communications on the Internet. Despite the use of the onion routing paradigm, Tor is vulnerable to traffic analysis attacks. In this paper we present Duster, an active traffic analysis attack based on flow watermarking that exploits a vulnerability in Tor's congestion control mechanism in order to link a Tor onion service with its real IP address. The proposed watermarking system embeds a watermark at the destination of a Tor circuit which is propagated throughout the Tor network and can be detected by our modified Tor relays in the proximity of the onion service. Furthermore, upon detection the watermark is cancelled so that the target onion service remains unaware of its presence. We performed a set of experiments over the real Tor network in order to evaluate the feasibility of this attack. Our results show that true positive rates above 94% and false positive rates below 0.05% can be easily obtained. Finally we discuss a solution to mitigate this and other traffic analysis attacks which exploit Tor's congestion control.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {242038,
author = {Alfonso Iacovazzi and Daniel Frassinelli and Yuval Elovici},
title = {The {DUSTER} Attack: Tor Onion Service Attribution Based on Flow Watermarking with Track Hiding},
booktitle = {22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019)},
year = {2019},
isbn = {978-1-939133-07-6},
address = {Chaoyang District, Beijing},
pages = {213--225},
url = {},
publisher = {USENIX Association},
month = sep,