Our Use of RIPE Atlas in Our Work on The Effect of DNS on Tor s Anonymity

Size: px

Start display at page:

Download "Our Use of RIPE Atlas in Our Work on The Effect of DNS on Tor s Anonymity"

Melinda Watts
6 years ago
Views:

1 Our Use of RIPE Atlas in Our Work on The Effect of DNS on Tor s Anonymity Benjamin Greschbach KTH Royal Institute of Technology Tobias Pulls Karlstad University Laura M. Roberts Princeton University Philipp Winter Princeton University Nick Feamster Princeton University October 5, / 43

2 This talk will guide you through the details of how we used RIPE Atlas to perform our Internet-scale simulations. 2 / 43

3 This talk will guide you through the details of how we used RIPE Atlas to perform our Internet-scale simulations. Background 3 / 43

4 This talk will guide you through the details of how we used RIPE Atlas to perform our Internet-scale simulations. Background Our use of RIPE Atlas 4 / 43

5 This talk will guide you through the details of how we used RIPE Atlas to perform our Internet-scale simulations. Background Our use of RIPE Atlas Results 5 / 43

6 Background 6 / 43

7 This work appeared at NDSS / 43

8 I spoke about our work at RIPE / 43

9 Tor is an anonymity network. 9 / 43

10 Relay operators and developers make Tor work. Relay operators who donate their computers resources 10 / 43

11 Relay operators and developers make Tor work. Developers who maintain the code Relay operators who donate their computers resources 11 / 43

12 Relay operators and developers make Tor work. Developers who maintain the code Tor users depend on these operators and developers of Tor for the safety of their information online. Relay operators who donate their computers resources 12 / 43

13 Tor has adversaries. 13 / 43

14 Our goal was to show that the domain name system (DNS) can be used to compromise Tor and to provide recommendations. 14 / 43

15 Contributions We discovered that DNS exposes Tor users behavior to more adversaries than previously thought. (We focus on autonomous systems as adversaries in our work.) We discovered that Google gets to learn a lot about what websites Tor users are visiting via DNS. We created proof-of-concept deanonymization attacks ( DefecTor attacks) that take advantage of DNS. We performed simulations at Internet-scale in order to understand how our attacks could affect real people 15 / 43

Contributions We discovered that DNS exposes Tor users behavior to more adversaries than previously thought. (We focus on autonomous systems as adversaries in our work.

16 Contributions We discovered that DNS exposes Tor users behavior to more adversaries than previously thought. (We focus on autonomous systems as adversaries in our work.) We discovered that Google gets to learn a lot about what websites Tor users are visiting via DNS. We created proof-of-concept deanonymization attacks ( DefecTor attacks) that take advantage of DNS. We performed simulations at Internet-scale in order to understand how our attacks could affect real people. 16 / 43

17 Our use of RIPE Atlas 17 / 43

18 We quantify the likelihood that any AS is in position to mount DefecTor attacks. Tor tra c WF attack DNS requests DNS server Guard Exit DNS HTTP User The Tor network Web server 18 / 43

19 An AS needs to be on both ends of the Tor network in order to mount DefecTor attacks. Tor tra c WF attack DNS requests DNS server Guard Exit DNS HTTP User The Tor network Web server 19 / 43

20 An AS needs to be on both ends of the Tor network in order to mount DefecTor attacks. Tor tra c WF attack DNS requests DNS server Guard Exit DNS HTTP User The Tor network Web server 20 / 43

21 An AS needs to be on both ends of the Tor network in order to mount DefecTor attacks. 21 / 43

22 An AS needs to be on both ends of the Tor network in order to mount DefecTor attacks. Tor tra c WF attack DNS requests DNS server Guard Exit DNS HTTP User The Tor network Web server 22 / 43

23 We simulate Tor user activity with Tor Path Simulator (TorPS). Tor tra c WF attack DNS requests DNS server Guard Exit DNS HTTP User The Tor network Web server 23 / 43

24 We simulate Tor user activity with Tor Path Simulator (TorPS). Tor tra c WF attack DNS requests DNS server Guard Exit DNS HTTP User The Tor network Web server 24 / 43

25 We simulate Tor user activity with Tor Path Simulator (TorPS). March am EST: Gmail and Twitter 12pm: Google Calendar and Google Docs User 3pm: Facebook and Instagram DNS 6pm: google.com, startpage.com, and ixquick.com 6:20pm: google.com, startpage.com, and ixquick.com TP Web server 25 / 43

26 We simulate Tor user activity with Tor Path Simulator (TorPS). Our user model made 12 website visits per day for 31 days Had TorPS create a 100,000-sample simulation for us Each sample had 372 opportunities to be compromised by an AS because 12 website visits * 31 days = 372 circuits, or streams 26 / 43

27 We placed our simulated user in five popular Tor ASes. United States - Comcast Russia - Rostelecom Germany - Deutsche Telekom France - Orange U.K. - British Telecom 27 / 43

28 We analyzed four Tor exit relay DNS set-up scenarios. First, what if all Tor exit relays were set up to use their ISPs resolvers? 28 / 43

29 We analyzed four Tor exit relay DNS set-up scenarios. First, what if all Tor exit relays were set up to use their ISPs resolvers? Second, what if all Tor exit relays were set up to use Google s public resolver? 29 / 43

30 We analyzed four Tor exit relay DNS set-up scenarios. First, what if all Tor exit relays were set up to use their ISPs resolvers? Second, what if all Tor exit relays were set up to use Google s public resolver? Third, what if all Tor exit relays were set up to do their own DNS resolution 30 / 43

31 We analyzed four Tor exit relay DNS set-up scenarios. First, what if all Tor exit relays were set up to use their ISPs resolvers? Second, what if all Tor exit relays were set up to use Google s public resolver? Third, what if all Tor exit relays were set up to do their own DNS resolution Fourth, what if all Tor exit relays were set up as they currently are? 31 / 43

32 We did not use AS path inference to obtain AS-level paths. 32 / 43

33 We preferred to use traceroutes to obtain AS-level paths. 33 / 43

34 We obtained AS-level paths using traceroutes via RIPE Atlas. 34 / 43

35 RIPE Atlas probe coverage of Tor guard and exit relay ASes in May Atlas probe coverage Tor guard ASes (%) Tor exit ASes (%) By number By bandwidth / 43

36 Here are the RIPE Atlas traceroutes we ran for the ingress side. Ingress side traceroutes From RIPE Atlas probes in the five ISPs to all guard relay IP addresses used in March / 43

37 Here are the traceroutes we ran for our four Tor exit relay DNS resolution scenarios. Egress side traceroutes ISP DNS only: no traceroutes Google DNS only: traceroutes from co-located RIPE Atlas probes to Local DNS only: traceroutes from co-located RIPE Atlas probes to all IP addresses in our websites delegation paths Status quo: traceroutes from co-located RIPE Atlas probes to IP addresses of the resolvers that exit relays actually use 37 / 43

38 Results 38 / 43

39 RIPE Atlas allowed us to study the fraction of compromised streams for our four DNS scenarios. 39 / 43

40 RIPE Atlas allowed us to study the fraction of compromised streams for our four DNS scenarios. 40 / 43

41 RIPE Atlas allowed us to study the fraction of compromised streams for our four DNS scenarios. 41 / 43

42 In summary, RIPE Atlas played a key role in our security paper. 42 / 43

43 In summary, RIPE Atlas played a key role in our security paper. Our paper, data, code, and replication instructions can be found at Contact me at laurar@cs.princeton.edu. 43 / 43

Studying Transna.onal Rou.ng Detours through Surveillance States

Studying Transna.onal Rou.ng Detours through Surveillance States Annie Edmundson, Roya Ensafi, Nick Feamster, Jennifer Rexford Princeton University RIPE 73 October 24 th -28 th, 2016 1 Characterizing and