Digging into Anonymous Traffic: A Deep Analysis of the Tor Anonymizing Network

Size: px

Start display at page:

Download "Digging into Anonymous Traffic: A Deep Analysis of the Tor Anonymizing Network"

Duane Kennedy
6 years ago
Views:

1 1 / 37 Digging into Anonymous Traffic: A Deep Analysis of the Anonymizing Network Abdelberi Chaabane, Pere Manils, Mohamed Ali Kaafar INRIA Rhônes-Alpes, FRANCE pere.manils@inrialpes.fr NSS, September 3rd, 2010

2 2 / 37 Outline 1 2 Deep Packet Inspection The Unknown Traffic 3 Usage 4 5

3 3 / 37 Outline 1 2 Deep Packet Inspection The Unknown Traffic 3 Usage 4 5

4 4 / 37 What is? A low-latency anonymizing network. Only TCP traffic. Volunteer-based infrastructure nodes. Main goal Prevent linking communication partners.

5 5 / 37 : Illustration (1)

6 6 / 37 : Illustration (2)

7 7 / 37 : Illustration (3)

8 8 / 37 Our Experiments Took place at the exit node side. Deployed 6 exit nodes. Monitored them.

9 9 / 37 Outline 1 2 Deep Packet Inspection The Unknown Traffic 3 Usage 4 5

10 The most used P2P network. Peers share files. Main entities Peers: share content between them (TCP). Trackers: help peers to know which other peers share a particular content (HTTP-TCP). 10 / 37

11 11 / 37 : Illustration

12 12 / 37 Outline Deep Packet Inspection The Unknown Traffic 1 2 Deep Packet Inspection The Unknown Traffic 3 Usage 4 5

13 13 / 37 Deep Packet Inspection The Unknown Traffic Which Protocols are Run on Top of? Exit nodes establish connections on behalf of users... we can obtain aggregated statistics from them. McCoy et al. 1 already did it in Shining Light in Dark Places: Understanding the Network, PETS 08

14 Deep Packet Inspection The Unknown Traffic Deep Packet Inspection Why DPI? More accurate results than a port-based approach. What is it? How? Technique that digs into packets (header+payload) to collect useful information (application recognition, viruses, protocol non-compilance, etc.). Self-modified version of OpenDPI ( 14 / 37

15 Deep Packet Inspection The Unknown Traffic DPI Results 40% of discarded flows (less than 4 packets) Protocol Size (%) Flows (%) HTTP (clear) SSL Others P2P/ file sharing Insecure (ftp, , etc.) Instant Messaging Other well-known protocols Unknown Total GB 6905 K 15 / 37

16 16 / 37 Outline Deep Packet Inspection The Unknown Traffic 1 2 Deep Packet Inspection The Unknown Traffic 3 Usage 4 5

17 17 / 37 Deep Packet Inspection The Unknown Traffic Digging into the Unknown Traffic Unknown: 25% of traffic, 6% of flows. evidences P2P traffic: few connections and high traffic volume. Identified : 25% traffic, 4.5% flows Random destination ports (contacting peers). Why our DPI did not reconize it??? Encrypted data (high entropy).

18 18 / 37 Hijacking Tracker Responses Deep Packet Inspection The Unknown Traffic 53% of encrypted handshakes!

19 19 / 37 Outline Usage 1 2 Deep Packet Inspection The Unknown Traffic 3 Usage 4 5

20 20 / 37 over Usage What kind of content they visit through? What kind of websites?

21 Usage Category of Visited Web Pages Method Extract the Host header from HTTP requests. Use Trend Micro URL Query service to get the category. Group web sites into categories. Rank Category Percentage 1 Search Engines/Portals 14.45% 2 Pornography 11.50% 3 Computers/Internet 11.45% 4 Social Networking 9.52% 11 Blogs/Web Communications 2.26% 13 StreamingMedia/MP3 1.82% 14 Software Downloads 1.66% 36 Hacking 0.3% 40 Political 0.18% 21 / 37

22 22 / 37 Outline Usage 1 2 Deep Packet Inspection The Unknown Traffic 3 Usage 4 5

23 23 / 37 Usage over Usage How do users use? What are they downloading through?

24 Usage Usage over configured with to anonymize... Tracker connections. Peer connections (harmful!). Both (harmful!). 24 / 37

25 25 / 37 Usage Remember: Hijacking the Tracker Responses

26 + : Usage Usage Tracker-only vs. Content Distribution content tracker Fraction of Peers all Days Only 30% of -over- users download content 26 / 37

27 Usage Downloaded Files Method Extract infohashes from messages. Resolve the infohash into the file name. Consider the frequency to draw a word cloud. 36% infohashes not resolved exsitence of darknets 2 2 Zhang et al. Darknets, Infocom / 37

28 28 / 37 First 30 Most Requested Files Usage Copyrighted files!!!

29 29 / 37 Outline 1 2 Deep Packet Inspection The Unknown Traffic 3 Usage 4 5

30 30 / 37 Exit Nodes as 1-hop Proxies is... (for bad guys) A reliable SOCKS proxy. Encrypted traffic. But slow!! (3 hops). Use the exit nodes directly! ( tunnel)

31 31 / 37 Exit Nodes as 1-hop Proxies Normal use (3 hops): tunnel (1 hop):

32 Detecting Tunnels Method Monitor control messages asking the exit node to initiate new Internet connections. Are the messages coming from an other node or from an unknown IP address? OR* Unique IP Once Once Always Always connections addresses OR non OR OR non OR *OR = Onion Router = node 32 / 37

33 33 / 37 Outline 1 2 Deep Packet Inspection The Unknown Traffic 3 Usage 4 5

34 34 / 37 Detailed analysis of the anonymized traffic traveling through. HTTP Demonstrated the importance of traffic over ( 50%). How some users abuse exit nodes as 1-hop proxies.

35 35 / 37 Questions Thank you for your attention. Any questions?

Digging into Anonymous Traffic: a deep analysis of the Tor anonymizing network

Digging into Anonymous Traffic: a deep analysis of the Tor anonymizing network Abdelberi Chaabane, Pere Manils, Mohamed Ali Kaafar INRIA Rhône-Alpes Grenoble, France {chaabane, manils, kaafar}@inrialpes.fr