1 / 16

Predicting Tor Path Compromise by Exit Port

Destination Host . Exit Router. Tor Network. Predicting Tor Path Compromise by Exit Port . Middle Router. Client . Entry Guard. Circuit. Kevin Bauer , Dirk Grunwald, and Douglas Sicker University of Colorado. Directory Server. IEEE WIDA 2009 December 16, 2009 .

luce
Download Presentation

Predicting Tor Path Compromise by Exit Port

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Destination Host Exit Router Tor Network Predicting Tor Path Compromise by Exit Port Middle Router Client Entry Guard Circuit Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Directory Server IEEE WIDA 2009 December 16, 2009

  2. Tor: Anonymity for TCP Applications Last hop knows the destination Colluding entry and exit routers can use simple timing analysis to de-anonymize the client and destination [Serjantov et al., 2003; Levine et al., 2004] First hop knows the client Destination Host Exit Router Tor Network Middle Router Client Entry Guard Circuit Directory Server Router List Tor provides anonymity for TCPby tunneling traffic through a virtual circuitof three Tor routers using layered encryption 1

  3. Prior Attacks Against Tor Last hop knows the destination Prior work showed that the likelihood of circuit compromise in Tor is relatively high[Bauer et al., 2007] First hop knows the client Destination Host Exit Router Tor Network Middle Router Client Entry Guard Circuit Directory Server Router List High BW routers chosen most often 1. Clients choose Tor routers in proportion to their bandwidths Routers can lie! 2. Tor routers self-advertise their bandwidth capacities 2

  4. Our Contribution We observe that the bandwidth available for different applications is not uniformly distributed among exit Tor routers We extend prior work by investigating whether certain applications are more vulnerable to attack than others We hypothesize that traffic destined for ports with little bandwidth is more vulnerable to circuit compromise 3

  5. Talk Outline • Background on path selection in Tor • Experimental setup • Experimental results • Exit bandwidth is not uniformly distributed • Long-lived traffic requires “stable” routers • Toward solutions • Future work • Summary and conclusions

  6. Path Selection in Tor • Clients choose Tor routers in proportion to their bandwidth capacities • To reduce the risk of path compromise, Tor clients choose their circuits very carefully • Circuit construction rules • A router may only be used once per circuit • Only one router per /16 network and two routers per IP address • First router must be an entry guard • The exit router must allow connections to the traffic’s destination host and port Mitigates risk of choosing adversary controlled routers Mitigates the “predecessor attack” Ensures traffic can be delivered

  7. Path Selection: Exit Policies Destination Host • Tor allows exit routers to specify their own exit policies • Can be used to help router operators manage risk of abuse[Bauer et al., 2008] • Possible Tor router configurations • Non-exit: Router is not allowed to connect to any (non-Tor) Internet host • Exit: May connect to designated port numbers (and hosts) on the Internet Exit Router Client Entry Guard Middle Router

  8. Path Selection: Stable Paths • Applications with persistent sessions (SSH, FTP) require special routers that have been alive for a long time • Marked as Stable by the directory servers • Stable router is in the top half of all routers in terms of mean time between failures • Or alive for at least 30 days

  9. Experimental Evaluation: Setup • We simulate Tor’s router selection algorithm to study how certain applications may be more vulnerable to circuit compromise • Fuel simulations with real Tor router data from the directory servers (May 31, 2009 snapshot) • 1,444 total routers with 403.3 MB total bandwidth • 770 “stable” routers with 326.9 MB total bandwidth • Simulation details • Generate 10,000 circuits for applications (default port): • FTP (21), SSH (22), Telnet (23), SMTP (25), HTTP (80), POP3 (110), HTTPS (443), Kazaa P2P (1214), BitTorrent tracker (6969), Gnutella P2P (6346), and eDonkey P2P (4661) • Add 6 - 106 malicious routers (10 MB/s BW) and count compromised circuits

  10. Experimental Evaluation: Results Fraction of circuits that are compromised for each application’s default exit port 6 routers (with 60 MB) make up 12% of the total bandwidth SMTP (outgoing E-mail) and peer-to-peer file sharing applications are more vulnerable to circuit compromise The number of circuits compromised increases as more malicious routers are injected into the network

  11. Exit Bandwidth Distribution is Skewed Distribution of exit bandwidth by default exit port number Fraction of circuits that are compromised for each application’s default exit port SMTP and peer-to-peer applications have fewest routers and least amount of exit bandwidth

  12. Long-Lived Traffic Needs “Stable” Routers • Applications with persistent sessions require “stable” routers • Only 770/1,444 routers are Stable • Slightly higher compromise rate than HTTP/HTTPS/Telnet/POP3 Distribution of exit bandwidth by default exit port number Fraction of circuits that are compromised for each application’s default exit port

  13. Only the Exit Router is Malicious • If only the exit router is malicious, an attacker could still learn significant identifying information • i.e., Login credentials • HTTP • 6 malicious routers: Controls exit router 33.6% of the time • 16 malicious routers: Controls exit router 56.5% of the time • FTP • 6 malicious routers: Controls exit router 46.7% of the time • 16 malicious routers: Controls exit router 70.7% of the time • This is a very real threat, since many popular websites still do not provide TLS-protected logins

  14. Toward Solutions • One solution is to give users the ability to manage their risk of attack • Prior work proposed that users tune the router selection between bandwidth-weighted and uniform router selection [Snader and Borisov, 2008] • Allows users to trade-off between strong anonymity and strong performance • However, it remains necessary to balance the traffic load over the available bandwidth • General solutions to this attack is an open problem Only 0.09% of BitTorrent tracker circuits compromised Uniform router selection: c > 1 malicious routers E > 0 is number exit routers N > 1 number total routers Compare to 18.5%

  15. Future Work: Selective DoS Attacks • Extend this work to consider selective denial-of-service attacks • Attack strategy: If an adversary does not control the endpoints of a given circuit, they disrupt the circuit, causing it to be rebuilt Fraction of circuits that are compromised for each application’s default exit port Initial results with selective denial-of-service Effects of bandwidth disparities are magnified SMTP and peer-to-peer applications show extremely high compromise rate (68-93%) with only 6 malicious routers

  16. Summary and Conclusions • We demonstrated our hypothesis that certain applications are more vulnerable than others to circuit compromise in Tor • Through a simulation study driven by data obtained from the real Tor network, we found that SMTP and peer-to-peer file sharing applications are most vulnerable • We suggest that concerned users tune the router selection bias to control the risk of path compromise Destination Host Exit Router Tor Network Middle Router Client Entry Guard Circuit Directory Server

More Related