Detecting Denial of Service Attacks in Tor

Similar documents
0x1A Great Papers in Computer Security

A SIMPLE INTRODUCTION TO TOR

Design and Analysis of Efficient Anonymous Communication Protocols

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. EJ Jung

Anonymous communications: Crowds and Tor

Practical Anonymity for the Masses with MorphMix

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

THE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul

Metrics for Security and Performance in Low-Latency Anonymity Systems

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, autumn 2015

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

CS526: Information security

CE Advanced Network Security Anonymity II

Protocols for Anonymous Communication

ENEE 459-C Computer Security. Security protocols

Avoiding The Man on the Wire: Improving Tor s Security with Trust-Aware Path Selection

Sleep/Wake Aware Local Monitoring (SLAM)

ENEE 459-C Computer Security. Security protocols (continued)

the Presence of Adversaries Sharon Goldberg David Xiao, Eran Tromer, Boaz Barak, Jennifer Rexford

Anonymity. With material from: Dave Levin and Michelle Mazurek

Tor: The Second-Generation Onion Router. Roger Dingledine, Nick Mathewson, Paul Syverson

Tor Hidden Services. Roger Dingledine Free Haven Project Electronic Frontier Foundation.

Tor. Tor Anonymity Network. Tor Basics. Tor Basics. Free software that helps people surf on the Web anonymously and dodge censorship.

Circuit Fingerprinting Attack: Passive Deanonymization of Tor Hidden Services

An On-demand Secure Routing Protocol Resilient to Byzantine Failures. Routing: objective. Communication Vulnerabilities

Anonymous Communication and Internet Freedom

An On-demand Secure Routing Protocol Resilient to Byzantine Failures

Anonymous Communication and Internet Freedom

arxiv: v1 [cs.cr] 30 Jun 2017

Analyzing the Effectiveness of Passive Correlation Attacks on the Tor Anonymity Network

Strongly Anonymous Communications in Mobile Ad Hoc Networks

One Fast Guard for Life (or 9 months)

CS 134 Winter Privacy and Anonymity

Karaoke. Distributed Private Messaging Immune to Passive Traffic Analysis. David Lazar, Yossi Gilad, Nickolai Zeldovich

Anonymity. Assumption: If we know IP address, we know identity

Secure Multiparty Computation

Onion Routing. Submitted By, Harikrishnan S Ramji Nagariya Sai Sambhu J

Onion Routing. Varun Pandey Dept. of Computer Science, Virginia Tech. CS 6204, Spring

Analysing Onion Routing Bachelor-Thesis

Anonymous Communications

How Alice and Bob meet if they don t like onions

How to (not) Share a Password:

Anonymity With material from: Dave Levin

2 ND GENERATION ONION ROUTER

Wireless Network Security : Spring Arjun Athreya March 3, 2011 Survey: Trust Evaluation

What's the buzz about HORNET?

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

How to (not) Share a Password:

MTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu

Anonymity, Usability, and Humans. Pick Two.

Trojan-tolerant Hardware

OnlineAnonymity. OpenSource OpenNetwork. Communityof researchers, developers,usersand relayoperators. U.S.501(c)(3)nonpro%torganization

Anonymous Communication: DC-nets, Crowds, Onion Routing. Simone Fischer-Hübner PETs PhD course Spring 2012

Saarland University Faculty of Natural Sciences and Technology I Department of Computer Science. Masters Thesis

Tor: An Anonymizing Overlay Network for TCP

Trust-based Anonymous Communication: Adversary Models and Routing Algorithms

The Tor Network. Cryptography 2, Part 2, Lecture 6. Ruben Niederhagen. June 16th, / department of mathematics and computer science

Introduction to Secure Multi-Party Computation

OPTIMISTIC NON-REPUDIABLE INFORMATION EXCHANGE

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

1 A Tale of Two Lovers

CNT Computer and Network Security: Privacy/Anonymity

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks

Resource-Efficient Mining (REM) with Proofs of Useful Work (PoUW)

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Low-Cost Traffic Analysis of Tor

How to Break and Repair Leighton and Micali s Key Agreement Protocol

Dropping on the Edge: Flexibility and Traffic Confirmation in Onion Routing Protocols

Online Anonymity & Privacy. Andrew Lewman The Tor Project

Anonymity Tor Overview

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

CPSC 467b: Cryptography and Computer Security

Message Authentication ( 消息认证 )

BBC Tor Overview. Andrew Lewman March 7, Andrew Lewman () BBC Tor Overview March 7, / 1

Anonymity C S A D VA N C E D S E C U R I T Y TO P I C S P R E S E N TAT I O N BY: PA N AY I OTO U M A R KO S 4 T H O F A P R I L

Herbivore: An Anonymous Information Sharing System

Anomaly Detection in Cyber Physical Systems

Analysis and Enhancement of RPL under Packet Drop Attacks

P 5 : A Protocol for Scalable Anonymous Communications

Anonymity With Tor. The Onion Router. July 21, Technische Universität München

On the Survivability of Routing Protocols in Ad Hoc Wireless Networks

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Scalable privacy-enhanced traffic monitoring in vehicular ad hoc networks

Anonymous communication with on-line and off-line onion encoding

Design and Implementation of Privacy-Preserving Surveillance. Aaron Segal

Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis

LINKING TOR CIRCUITS

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

SAS-Based Group Authentication and Key Agreement Protocols

Privacy SPRING 2018: GANG WANG

PrivCount: A Distributed System for Safely Measuring Tor

CPSC 467: Cryptography and Computer Security

Safely Measuring Tor. Rob Jansen U.S. Naval Research Laboratory Center for High Assurance Computer Systems

Secure Multi-Party Computation. Lecture 13

Public-key Cryptography: Theory and Practice

Inferring the Source of Encrypted HTTP Connections

Anonymity. Christian Grothoff.

Security Protections for Mobile Agents

Dissent: Accountable Anonymous Group Communication

Transcription:

Norman Danner Danny Krizanc Marc Liberatore Department of Mathematics and Computer Science Wesleyan University Middletown, CT 06459 USA Financial Cryptography and Data Security 2009

Outline 1 Background Selective Denial of Service Attack 2

How Tor Works Retrieving the list of Tor nodes Background Selective Denial of Service Attack Alice retrieves a list of Tor nodes from a trusted directory server.

How Tor Works Creating the circuit Background Selective Denial of Service Attack Alice chooses a node and creates a circuit.

How Tor Works Extending the circuit Background Selective Denial of Service Attack Alice instructs the current endpoint to extend the circuit.

How Tor Works Extending the circuit again Background Selective Denial of Service Attack Alice instructs the new endpoint to extend the circuit.

How Tor Works Using the circuit Background Selective Denial of Service Attack Alice tunnels traffic through the circuit. Traffic is only readable between exit node and Bob.

The Correlation Attack Background Selective Denial of Service Attack Malicious nodes can passively collude to link Alice and Bob. α = c n malicious implies α 2 probability of compromise.

Path Reformation Alice forms a path Background Selective Denial of Service Attack Alice is happily using Tor.

Path Reformation Death of a Tor node Background Selective Denial of Service Attack When a node dies, Alice loses use of the circuit.

Path Reformation Re-forming the path Background Selective Denial of Service Attack Alice will re-form a path with new Tor nodes.

The Adaptive Adversary The setup Background Selective Denial of Service Attack Alice is using Tor, and some nodes are under attacker control.

The Adaptive Adversary The attack Background Selective Denial of Service Attack Attacker kills any path where the endpoints are not under his control.

The Adaptive Adversary The attack Background Selective Denial of Service Attack Alice is forced to make a circuit where either: Attacker controls endpoints, or No nodes are attacker controlled

Background Selective Denial of Service Attack The Adaptive Adversary Power of the attack 1 Probability of path compromise 0.8 0.6 0.4 0.2 passive adversary adaptive adversary 0 0 0.2 0.4 0.6 0.8 1 Fraction of compromised nodes

Background Selective Denial of Service Attack The Adaptive Adversary Smart adversaries control exit nodes 1 Probability of path compromise 0.8 0.6 0.4 0.2 passive, only exit nodes adaptive adversary, only exit nodes 0 0 0.2 0.4 0.6 0.8 1 Fraction of compromised nodes

Our contributions: An O(n) algorithm for finding attackers among n participants An examination of a smarter attacker and ensuing arms race Results of examining the actual Tor network

Assumptions Naive attacker follows previous description. Deliberate circuit kills happen quickly. n nodes total, of which c are compromised (attacker-controlled). 2 c < n Circuit length k is fixed. k < n

Sketch of the Detection Algorithm Choose a set of two nodes X = {x 1, x 2 } arbitrarily. For each node y where y / X, probe the circuit (x 1, y, x 2 ). One of three things will happen.

Sketch of the Detection Algorithm Case 1 All probes of circuits of the form (x 1, y, x 2 ) succeed. x 1 and x 2 are compromised. For any other node y, test with the probe (x 1, x 2, y).

Sketch of the Detection Algorithm Case 2 While probing all circuits of the form (x 1, y, x 2 ), at least one probe succeeds and at least one probe fails. x 1 and x 2 are uncompromised. Any y for which the probe failed is compromised; any y where it succeeded is uncompromised.

Sketch of the Detection Algorithm Case 3 All probes of circuits of the form (x 1, y, x 2 ) fail. One of x 1, x 2 is compromised, or both are honest and all others are compromised. Probe all circuits of the form (x 1, x 2, y) and (x 2, x 1, y). One of two things will happen.

Sketch of the Detection Algorithm Case 3a While probing all circuits of the form (x 1, x 2, y), at least one probe succeeds and at least one probe fails. x 2 is uncompromised, x 1 is compromised. Any y for which the probe succeeded is compromised. Same result holds for circuits of the form(x 2, x 1, y). Case 3b While probing all circuits of the form (x 1, x 2, y) and (x 1, x 2, y), all probes fail. x 1, x 2 are honest, and all other nodes are compromised.

Proof of Algorithm s Correctness The detection algorithm can be generalized to any fixed k. Theorem Under our assumptions, using O(n) probes we can detect all of the compromised nodes in a network. For k = 3, the number of probes required is at most 3n. Proof. See paper.

What About Error? Circuits fail for various reasons all the time: Network errors Onion shutdowns Attackers?

Multiple Measurements Probability of correctness Assume circuits have a natural failure probability of f. Assume a probe is repeated independently l times, then p probe correct (1 f l ) If the algorithm performs m probes, p alg correct (1 f l ) m.

Multiple Measurements Limits on error Require correct identification (honest or compromised) p id correct (1 ɛ). Then: l > ln ln( 1 1 ɛ ) ln m ln f For reasonable values in the Tor network, l = 10 is sufficient.

Does Selective Circuit Killing Help the Attacker? Less frequent circuit kills help hide the attacker A smart attacker can do the previous analysis. Killing circuits less often: requires the observer to perform more probes to find the adversary (but they ll always be found, in the limit), but negatively impacts the attacker s performance. As p circuit kill 0, the attacker becomes the passive adversary.

Probabilistic Circuit Killing is Counterproductive Probability of circuit compromise 1 0.8 0.6 0.4 0.2 30% of exits compromised 50% of exits compromised 65% of exits compromised 80% of exits compromised 100% of exits compromised 0 0 0.2 0.4 0.6 0.8 1 Probability of circuit kill Gains come when circuit kill (and detection) is very likely!

What is a Circuit Failure? Circuits can fail at many points: At any point during creation At the start of application-layer traffic During application-layer traffic

Observed Circuit Failures Circuits launched 4995 Circuit failure at hop 1 106 (2.1%) Circuit failure at hop 2 258 (5.2%) Circuit failure at hop 3 640 (12.8%) Total circuit construction failures 1004 (20.1%) (minimal data) curl processes launched 3010 No reply or timeout 537 (17.8%) (low data) Partial file 6 (0.2%) (high data)

Simplifying Assumptions Assume a trustworthy guard g node not known to the adversary. Assume attacker only compromises exit nodes. Assume circuits of length 2 can be created.

A Simplified, Practical Detection Algorithm Finding suspects For each Tor node y, create a circuit of the form (g, y) and attempt a file retrieval over this circuit. (Repeat l times.) If the file retrieval fails, add that y to the list of suspects, s 1, s 2,...

A Simplified, Practical Detection Algorithm Finding guilt For each pair of suspects, create a circuit of the form (s i, s j ), and attempt a file retrieval over this circuit. (Repeat l times.) If the file retrieval succeeds, add those suspects to the list of likely guilty nodes. Guilt is more likely if the guilty nodes form a clique that is, they can communicate among one another but not with other nodes.

Results We searched for suspects among active Tor nodes in October 2008. l = 20, l = 10, suspicion threshold (failure rate) of 50% About 20 suspects per test, though 50 unique nodes were identified as suspects. Two to five of the suspects seemed guilty, but... the list of guilty suspects were typically disjoint from test-to-test! (Guilty only of transient failures?)

Weaknesses Several problems in the study prevent us from having high confidence in the guilt of nodes: How independent were our trials? (We interleaved, but inter-trial delay was on the order of minutes.) How are failures in the network distributed? (We assumed transient failures were independent and memoryless probably unrealistic. We also assumed the error rate we observed was natural.) Would a smarter attacker be watching for and attempting to foil this algorithm? (We assumed not.)

Selective denial of service among Tor nodes can be detected in 3n probes. No strong evidence of this attack was found (last October).

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback