Does TunnelVision effect Tor?

Hello, I know TunnelVision (malicious DHCP on a connected network such as a free Wifi location) effects VPNs and it should in my limit knowledge effect even double hop VPNs. Does a malicious DHCP on a network effect Tor in any sort of way?

If yes or no can some one please explain why?

Tried to look in to this myself but have not seen any other person ask this question or mention it in any meaningful way.

1 Like

After reading a number of articles on this DHCP tunnelvision attack I will say NO. I am not a Tor expert.

Here is a quote from the best article for which I have no connection.

Successfully executing this attack on a network likely would not allow an attacker to see all of a target’s traffic or browsing activity. That’s because for the vast majority of the websites visited by the target, the content is encrypted (the site’s address begins with https://). However, an attacker would still be able to see the metadata — such as the source and destination addresses — of any traffic flowing by.

All the other articles say the same thing and use the same workflow image. Only this one confirms what I was thinking: unencrypted traffic.

Now the Tor Browser makes all the onion rings necessary (not to be confused with .onion sites) for the destination web site to respond to a query whose reponse is wrapped in onion rings when it comes back. (entry-middle-exit)

What is left? source and destination addresses. The rogue network sees a Tor entry node and the destination web site sees a public WiFi place in a geo-location. Big deal. OK, so a rogue destination can cause damage but this has nothing to do with DHCP tunnelvision nor Tor.

No one explains what info can be harvested using this attack on unencrypted traffic and its worth: DNS, IP addresses. Even google searches have been encrypted since about 2014. And DNS can now be done using https.

As an example I picked a GoDaddy IP at random,, and found there are about 380 domains serviced by this IP. So the rogue network has this IP. Big deal.

Can you give us your concerns about this attack? Can anyone else?

Edited later:
TLDR; I found one here: This is long and explains how it was found out. I only scanned it briefly

We’ve seen one mitigation for this technique, as well as identified a fix that exists on Linux-based operating systems. However, the mitigation offers a side channel that could be used for targeted denial-of-service censorship, as well as to de-anonymize the destination of traffic via traffic analysis. In some places in the world, the side-channel alone could lead to imprisonment or death for those who rely on VPNs for safety such as journalists or whistleblowers who are common targets of surveillance or spyware.

If this is you then get out your Go to jail card. Do not pass GO, do not collect $200.


Thank you, just making sure what it seems is the onion rings between Tor Relaya is encrypted and are only partially decrypted at the Relay.

In effect it would be Bad Router sees Tor Entry Relay but can not see the next step as it is encrypted. Because of this it can not know the Middle Relay or Exit which means identifying users is the same as it has always been - Needing cooperation of multiple bad Relays in a chain or an exploit that is ran via a website or download.

Or very impressive global timing correlations.

1 Like

I completely read that last article from the Leviathan Security Group
There was never any mention of identifying a user with this. There was not any mention of this every being implemented anywhere. It was a good lab project investigating a potential loophole.

In any case (for those reading this in a rogue state) you can check the routing table. You need to know how to read the info which comes out. You can Bing it or Google it. Since this is Tor you can Duck it. :wink:

Windows: netstat -rn
Linux: ip route show