Predicting Tor Path Compromise by Exit Port
IEEE WIDA 2009, December 16, 2009
Kevin Bauer, Dirk Grunwald, and Douglas Sicker, University of Colorado

Presentation transcript:

Title slide: Predicting Tor Path Compromise by Exit Port (IEEE WIDA 2009, December 16, 2009; Kevin Bauer, Dirk Grunwald, and Douglas Sicker, University of Colorado)
[Figure: Tor network diagram showing Client, Entry Guard, Middle Router, Exit Router, Directory Server, Destination Host, and the Circuit through the Tor Network]

Tor: Anonymity for TCP Applications
[Figure: Tor network diagram with Client, Entry Guard, Middle Router, Exit Router, Directory Server (Router List), Destination Host, and Circuit; annotated "First hop knows the client" and "Last hop knows the destination"]
- Tor provides anonymity for TCP by tunneling traffic through a virtual circuit of three Tor routers using layered encryption
- The first hop knows the client; the last hop knows the destination
- Colluding entry and exit routers can use simple timing analysis to de-anonymize the client and destination [Serjantov et al., 2003; Levine et al., 2004]

Prior Attacks Against Tor
[Figure: same Tor network diagram, annotated "First hop knows the client" and "Last hop knows the destination"]
- Prior work showed that the likelihood of circuit compromise in Tor is relatively high [Bauer et al., 2007]
  1. Clients choose Tor routers in proportion to their bandwidths (high-bandwidth routers are chosen most often)
  2. Tor routers self-advertise their bandwidth capacities (routers can lie!)

Our Contribution
- We observe that the bandwidth available for different applications is not uniformly distributed among exit Tor routers
- We extend prior work by investigating whether certain applications are more vulnerable to attack than others
- We hypothesize that traffic destined for ports with little bandwidth is more vulnerable to circuit compromise

Talk Outline
- Background on path selection in Tor
- Experimental setup
- Experimental results
  – Exit bandwidth is not uniformly distributed
  – Long-lived traffic requires "stable" routers
- Toward solutions
- Future work
- Summary and conclusions

Path Selection in Tor
- Clients choose Tor routers in proportion to their bandwidth capacities
- To reduce the risk of path compromise, Tor clients choose their circuits very carefully
- Circuit construction rules:
  – A router may only be used once per circuit
  – Only one router per /16 network and two routers per IP address (mitigates the risk of choosing adversary-controlled routers)
  – The first router must be an entry guard (mitigates the "predecessor attack")
  – The exit router must allow connections to the traffic's destination host and port (ensures traffic can be delivered)

Path Selection: Exit Policies
- Tor allows exit routers to specify their own exit policies
- Exit policies can be used to help router operators manage the risk of abuse [Bauer et al., 2008]
- Possible Tor router configurations:
  – Non-exit: the router is not allowed to connect to any (non-Tor) Internet host
  – Exit: may connect to designated port numbers (and hosts) on the Internet
[Figure: Client, Entry Guard, Middle Router, Exit Router, Destination Host]

Path Selection: Stable Paths
- Applications with persistent sessions (SSH, FTP) require special routers that have been alive for a long time
- Such routers are marked as Stable by the directory servers
  – A Stable router is in the top half of all routers in terms of mean time between failures
  – Or has been alive for at least 30 days

Experimental Evaluation: Setup
- We simulate Tor's router selection algorithm to study how certain applications may be more vulnerable to circuit compromise
- Simulations are fueled with real Tor router data from the directory servers (May 31, 2009 snapshot)
  – 1,444 total routers with MB total bandwidth
  – 770 "stable" routers with MB total bandwidth
- Simulation details
  – Generate 10,000 circuits for each application (default port): FTP (21), SSH (22), Telnet (23), SMTP (25), HTTP (80), POP3 (110), HTTPS (443), Kazaa P2P (1214), BitTorrent tracker (6969), Gnutella P2P (6346), and eDonkey P2P (4661)
  – Add malicious routers (10 MB/s bandwidth each) and count compromised circuits

Experimental Evaluation: Results
[Figure: Fraction of circuits that are compromised for each application's default exit port]
- SMTP (outgoing) and peer-to-peer file sharing applications are more vulnerable to circuit compromise
- 6 malicious routers (with 60 MB) make up 12% of the total bandwidth
- The number of circuits compromised increases as more malicious routers are injected into the network

Exit Bandwidth Distribution is Skewed
[Figures: Distribution of exit bandwidth by default exit port number; Fraction of circuits that are compromised for each application's default exit port]
- SMTP and peer-to-peer applications have the fewest routers and the least amount of exit bandwidth

Long-Lived Traffic Needs "Stable" Routers
[Figures: Distribution of exit bandwidth by default exit port number; Fraction of circuits that are compromised for each application's default exit port]
- Applications with persistent sessions require "stable" routers
- Only 770/1,444 routers are Stable
- These applications show a slightly higher compromise rate than HTTP/HTTPS/Telnet/POP3

Only the Exit Router is Malicious
- If only the exit router is malicious, an attacker could still learn significant identifying information, e.g., login credentials
- HTTP
  – 6 malicious routers: controls the exit router 33.6% of the time
  – 16 malicious routers: controls the exit router 56.5% of the time
- FTP
  – 6 malicious routers: controls the exit router 46.7% of the time
  – 16 malicious routers: controls the exit router 70.7% of the time
- This is a very real threat, since many popular websites still do not provide TLS-protected logins

Toward Solutions
- One solution is to give users the ability to manage their risk of attack
- Prior work proposed that users tune the router selection between bandwidth-weighted and uniform router selection [Snader and Borisov, 2008]
  – Allows users to trade off between strong anonymity and strong performance
- However, it remains necessary to balance the traffic load over the available bandwidth
- A general solution to this attack is an open problem
[Side box: Uniform router selection, with c > 1 malicious routers, E > 0 exit routers, and N > 1 total routers: only 0.09% of BitTorrent tracker circuits compromised, compared to 18.5%]

Future Work: Selective DoS Attacks
- Extend this work to consider selective denial-of-service attacks
  – Attack strategy: if an adversary does not control both endpoints of a given circuit, it disrupts the circuit, causing it to be rebuilt
- Initial results with selective denial-of-service
  – The effects of bandwidth disparities are magnified
  – SMTP and peer-to-peer applications show an extremely high compromise rate (68-93%) with only 6 malicious routers
[Figure: Fraction of circuits that are compromised for each application's default exit port, under selective denial-of-service]
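The simulation described in the setup slide (bandwidth-weighted selection under the circuit construction rules, a per-port exit policy check, injected 10 MB/s malicious routers, and counting circuits whose exit or both endpoints are malicious), together with the selective-DoS rebuild strategy from the slide above, as an added toy model. This is not the authors' simulator; the router set is constructed (a few well-provisioned web exits, two tiny mail-only exits, some non-exit guards), all names are hypothetical, and the /16 and guard rules are modelled while the two-per-IP rule and Stable flag are omitted.

```python
import random

# Constructed router descriptors for a toy network; not a real Tor consensus.
def make_router(name, bw, guard, exit_ports, net16, evil=False):
    return {"name": name, "bw": bw, "guard": guard,
            "exit_ports": exit_ports, "net16": net16, "evil": evil}

def sample_network():
    # 20 well-provisioned web exits, 2 tiny mail-only exits, 10 non-exit guards (hypothetical).
    web = [make_router(f"web{i}", 10, True, {80, 443}, f"w{i}") for i in range(20)]
    mail = [make_router(f"mail{i}", 1, False, {25}, f"m{i}") for i in range(2)]
    mids = [make_router(f"mid{i}", 20, True, None, f"n{i}") for i in range(10)]
    return web + mail + mids

def inject_malicious(routers, count, bw=10):
    # Adversary routers: advertise 10 MB/s, guard-eligible, exit to every port, distinct /16s.
    return routers + [make_router(f"evil{i}", bw, True, "all", f"e{i}", True) for i in range(count)]

def allows(r, port):
    return r["exit_ports"] == "all" or (r["exit_ports"] is not None and port in r["exit_ports"])

def pick(rng, cands):
    # Bandwidth-weighted selection, as Tor clients do.
    return rng.choices(cands, weights=[r["bw"] for r in cands])[0]

def build_circuit(rng, routers, port):
    entry = pick(rng, [r for r in routers if r["guard"]])
    # Exit must allow the port and must not share a /16 with the entry (also rules out reuse).
    exits = [r for r in routers if allows(r, port) and r["net16"] != entry["net16"]]
    if not exits:
        return None
    exit_ = pick(rng, exits)
    used = {entry["net16"], exit_["net16"]}
    middle = pick(rng, [r for r in routers if r["net16"] not in used])
    return entry, middle, exit_

def simulate(routers, port, n=10000, seed=1, selective_dos=False):
    # Returns fractions of attempts that built a circuit, got a malicious exit, or both endpoints malicious.
    rng = random.Random(seed)
    built = exit_bad = both_bad = 0
    for _ in range(n):
        c = build_circuit(rng, routers, port)
        # Selective DoS: the adversary tears down any circuit it touches but does not bracket,
        # so the client rebuilds until the circuit is either untouched or fully compromised.
        while selective_dos and c and any(r["evil"] for r in c) and not (c[0]["evil"] and c[2]["evil"]):
            c = build_circuit(rng, routers, port)
        if c is None:
            continue
        built += 1
        exit_bad += c[2]["evil"]
        both_bad += c[0]["evil"] and c[2]["evil"]
    return {"built": built / n, "exit": exit_bad / n, "both": both_bad / n}
```

With six injected routers the mail-only port sees a malicious exit on almost every circuit while the web port does not, and turning on selective DoS pushes the both-endpoints rate for port 25 up sharply, which is the bandwidth-disparity effect the slides report.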

Summary and Conclusions
- We demonstrated our hypothesis that certain applications are more vulnerable than others to circuit compromise in Tor
- Through a simulation study driven by data obtained from the real Tor network, we found that SMTP and peer-to-peer file sharing applications are most vulnerable
- We suggest that concerned users tune the router selection bias to control the risk of path compromise
[Figure: Tor network diagram showing Client, Entry Guard, Middle Router, Exit Router, Directory Server, Destination Host, and the Circuit through the Tor Network]