Spying in the dark: TCP and Tor traffic analysis

Yossi Gilad*, Amir Herzberg

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

38 Scopus citations


We show how to exploit side-channels to identify clients without eavesdropping on the communication to the server, and without relying on known, distinguishable traffic patterns. We present different attacks, utilizing different side-channels, for two scenarios: a fully off-path attack detecting TCP connections, and an attack detecting Tor connections by eavesdropping only on the clients. Our attacks exploit three types of side channels: globally-incrementing IP identifiers, used by some operating systems, e.g., in Windows; packet processing delays, which depend on TCP state; and bogus-congestion events, causing impact on TCP's throughput (via TCP's congestion control mechanism). Our attacks can (optionally) also benefit from sequential port allocation, e.g., deployed in Windows and Linux. The attacks are practical - we present results of experiments for all attacks in different network environments and scenarios. We also present countermeasures for these attacks.

Original language: American English
Title of host publication: Privacy Enhancing Technologies - 12th International Symposium, PETS 2012, Proceedings
Number of pages: 20
State: Published - 2012
Externally published: Yes
Event: 12th International Symposium on Privacy Enhancing Technologies, PETS 2012 - Vigo, Spain
Duration: 11 Jul 2012 → 13 Jul 2012

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 7384 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 12th International Symposium on Privacy Enhancing Technologies, PETS 2012

