Detecting Traffic Snooping in Tor Using Decoys

Presentation Transcript

  1. RAID 2011. Sambuddho Chakravarty, Georgios Portokalidis, Michalis Polychronakis, Angelos D. Keromytis. Columbia University, NY, USA. Detecting Traffic Snooping in Tor Using Decoys. Presenter: 張逸文

  2. Outline • Introduction • Background • System Architecture • Deployment Results • Discussion and Future work • Related work • Conclusion

  3. Introduction (1/2) • Anonymity and privacy-preserving systems • Tor [15], Anonymizer • Operate by routing user traffic through a single proxy or multiple proxies, often using layered encryption schemes • Absence of end-to-end encryption • Man-in-the-middle attacks • HTTPS switching to plain HTTP

  4. Introduction (2/2) • Using decoy traffic to detect eavesdropping in proxying architectures, and in particular in anonymous communication systems • Other uses of decoy traffic: unprotected wireless networks [9], warning of insider threats [8] • Multiple "bait" credentials for IMAP and SMTP servers

  5. Background • Tor Anonymity Network • The most widely used low-latency anonymity network • Users can hide their IP address; hidden services let servers hide theirs as well • How does it work? • Threat Model • Malicious exit nodes • Extracting credentials and eavesdropping on private information • Intercepting SSL connections (man-in-the-middle)

  6. System Architecture (1/6) • Approach • Network eavesdropping is a passive operation without observable effects • Credentials sent without application-layer encryption can be used by the eavesdropper, and that use is observable • We entice a prospective snooper to use intercepted decoy credentials for accessing a service under our control

  7. System Architecture(2/6)

  8. System Architecture (3/6) • Implementation • Choosing a set of services that • are supported by a large number of Tor exit nodes (their exit policies allow the port) • use unencrypted, clear-text authentication • The number of Tor exit nodes that allow relaying traffic to various TCP port numbers was measured • Chosen: IMAP (port 143) and SMTP (port 587)

  9. System Architecture(4/6)

  10. System Architecture (5/6) • Decoy Traffic Transmission and Eavesdropping Detection • Client: implemented in Perl; service protocol emulation is provided by the Net::IMAPClient and Net::SMTP modules • Client is hosted on Ubuntu Server Linux v8.04 • The client creates one connection to each decoy server every day through each Tor exit node that supports the port • Each exit node is tied to its own set of credentials for each decoy service, so a later login with those credentials identifies the exit node that saw them

  11. System Architecture (6/6) • Decoy services: Courier IMAP v4.6.0 & Postfix v2.7.0 • Illegitimate connections are identified by correlating the logs recorded at the client and at the server: a server login that the client did not initiate • Important implementation considerations • Time synchronization => Network Time Protocol • Amount and quality of decoy traffic • The believability of the decoy traffic [9] • Eavesdropping incident verification
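Slides 6 to 11 describe one procedure: bind a distinct credential set to each exit node, send the decoys through that exit, and then find server logins that no client transmission explains. The following is an added example of that correlation (not the paper's or the slides' code). The paper does not say how its credentials were generated; here they are derived with an HMAC over the exit fingerprint, which is an assumption of this example. The two log formats, the exit fingerprints and the log lines are all constructed for illustration.

```python
# Added example (not the paper's or the slides' code): tie a distinct decoy
# credential pair to each Tor exit node, then correlate decoy-client logs with
# IMAP server authentication logs. A server login that the client never
# initiated is a traffic-interception incident, and the credential it used
# names the exit node that relayed the decoys. Log formats are assumed.
import hashlib
import hmac
from datetime import datetime, timedelta

# Secret used to derive per-exit credentials (hypothetical value for this example).
DERIVATION_KEY = b"decoy-derivation-key-example"


def decoy_credentials(exit_fingerprint, service):
    """Derive a (username, password) pair bound to one exit node and service."""
    tag = hmac.new(DERIVATION_KEY, f"{service}:{exit_fingerprint}".encode(),
                   hashlib.sha256).hexdigest()
    return f"user{tag[:8]}", tag[8:24]


def build_credential_map(exit_fingerprints, service):
    """username -> exit fingerprint, so a login can be attributed to an exit."""
    return {decoy_credentials(fp, service)[0]: fp for fp in exit_fingerprints}


# Assumed log formats (constructed for this example):
#   client:  "<ISO time> exit=<fingerprint> service=imap user=<username>"
#   server:  "<ISO time> LOGIN user=<username> ip=<source ip>"
def parse_client_log(lines):
    events = []
    for line in lines:
        ts, fields = line.split(" ", 1)
        kv = dict(f.split("=", 1) for f in fields.split())
        events.append((datetime.fromisoformat(ts), kv["user"]))
    return events


def parse_server_log(lines):
    events = []
    for line in lines:
        ts, _login, fields = line.split(" ", 2)
        kv = dict(f.split("=", 1) for f in fields.split())
        events.append((datetime.fromisoformat(ts), kv["user"], kv["ip"]))
    return events


def find_incidents(client_lines, server_lines, user_to_exit, window=timedelta(seconds=30)):
    """Server logins not matched by a client decoy transmission within `window`
    (clocks NTP-synchronised, as the slides require) are unauthorised uses of
    intercepted credentials. Returns (timestamp, username, source ip, exit)."""
    client = parse_client_log(client_lines)
    incidents = []
    for ts, user, ip in parse_server_log(server_lines):
        legit = any(u == user and abs(ts - cts) <= window for cts, u in client)
        if not legit:
            incidents.append((ts, user, ip, user_to_exit.get(user, "unknown-credential")))
    return incidents


# Constructed exit fingerprints and the credentials bound to them.
EXITS = ["AAAA1111", "BBBB2222"]
USER_TO_EXIT = build_credential_map(EXITS, "imap")
U_A, _ = decoy_credentials("AAAA1111", "imap")
U_B, _ = decoy_credentials("BBBB2222", "imap")

# Constructed logs: the client sent decoys at 02:00 through each exit and the
# server saw those logins seconds later; hours later exit B's credentials are
# used again from an unrelated address, i.e. someone replayed what they captured.
CLIENT_LOG = [
    f"2011-03-01T02:00:00 exit=AAAA1111 service=imap user={U_A}",
    f"2011-03-01T02:00:05 exit=BBBB2222 service=imap user={U_B}",
]
SERVER_LOG = [
    f"2011-03-01T02:00:03 LOGIN user={U_A} ip=198.51.100.7",
    f"2011-03-01T02:00:09 LOGIN user={U_B} ip=198.51.100.9",
    f"2011-03-01T13:42:17 LOGIN user={U_B} ip=192.0.2.55",
]


def demo():
    return find_incidents(CLIENT_LOG, SERVER_LOG, USER_TO_EXIT)


if __name__ == "__main__":
    for ts, user, ip, exit_fp in demo():
        print(f"{ts.isoformat()} decoy user {user} used from {ip}; "
              f"credentials were relayed via exit {exit_fp}")
```

The matching window is the reason the slides insist on NTP: if client and server clocks drift by more than the window, every legitimate decoy login looks like an incident. The source IP of the incident is kept because, as the discussion slides note, comparing it with the exit node's own address is part of verifying who did the snooping.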

  12. Deployment Results • August 2010 to May 2011 • Ten traffic interception incidents, all received by the decoy IMAP server (Table 1) • Available bandwidth of the malicious exit nodes • Locations of the Tor exit nodes involved in the observed incidents, determined with a Geo-IP tool

  13. Discussion and Future work (1/4) • Detection confidence • Installing and operating a Tor exit node is easy, so the host system may lack software patches or have poor security; an incident may therefore stem from a compromised exit rather than a malicious operator • A connection back to the decoy server from the same exit node that relayed the decoys raises confidence • Future work • Use multiple replicas of the decoy servers scattered across different networks, each associated with different sets of credentials

  14. Discussion and Future work (2/4) • Decoy Traffic Credibility • Increase the number and diversity of the innocuous email messages in the SMTP traffic • Include bait documents that beacon back to our system when opened • Capture network traces of protocol interactions using various real IMAP clients and servers

  15. Discussion and Future work (3/4) • Detection of HTTP Session Hijacking • Some sites switch back to HTTP after the user has logged in • Users are often unaware whether HTTPS is in use • Attackers can steal the session cookie from the HTTP requests of authenticated users • Future work • Detect HTTP session hijacking attacks through the use of decoy accounts

  16. Discussion and Future work (4/4) • Traffic Eavesdropping and Anonymity Degradation • Eavesdropping reduces the user's anonymity set • Eavesdropping Detection as a Network Service • Honeynet-based system • Used as an eavesdropping detection system

  17. Related work (1/2) • Clifford Stoll • The Cuckoo's Egg: trapping an intruder that broke into the systems of the Lawrence Berkeley National Laboratory • Honeypots have been extensively used for modeling, logging and analyzing attacks • Honeytokens • Pieces of information with no legitimate use; once released to an adversary, any subsequent use of them clearly indicates unauthorized access

  18. Related work (2/2) • Bowen et al. • WiFi traffic as a basis for the generation of decoy traffic with realistic network interactions • McCoy et al. • Exploit the reverse DNS lookups that network traffic capturing tools perform on the IP addresses they capture: an eavesdropper's sniffer resolving a decoy address reveals itself • The eavesdropper may disable that functionality

  19. Conclusion • Applying decoy user credentials to the detection of traffic interception in anonymity networks • Detected ten cases in which decoy credentials were used by a third party to log in to servers under our control • Showed how the proposed method can be extended to the detection of HTTP session hijacking attacks

  20. Thanks & go 金盾!!
