236349 Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.

Presentation transcript:

Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter

Outline
1 The Problem
2 DarkNets (TOR & I2P)
3 BitTorrent Protocol
4 BitTorrent over I2P Vulnerability
5 Setting up the lab
6 Results


The problem
From its first designs, the World Wide Web was never meant to support the anonymity of users or servers. Today, users and servers need to hide their identity in order to give or receive services. A known example is giving true information to people in totalitarian nations. To help users and servers hide their identity, new methods such as TOR and I2P were developed. TOR and I2P are darknets that can provide anonymity for users and servers, but they have holes that make them vulnerable.


TOR
TOR is a darknet that uses nodes (computers that are registered in the TOR network) to create its anonymity. When Alice (a user) wants to connect to Bob’s server, she creates a random, encrypted path of 3 nodes, using DH keys. The connection to Bob’s server goes via the “exit” node (the third node in the path), and this is the only connection that is not encrypted. Alice can now communicate with Bob via the 3 nodes, and Bob will not be able to find Alice’s identity.

TOR (Cont.)
TOR attacks:
– Browser-Based Attacks on Tor
– A New Replay Attack Against Anonymous Communication Networks
– Compromising Tor Anonymity Exploiting P2P Information Leakage
Our goal is to find a way to apply TOR’s vulnerabilities to I2P’s darknet.

I2P
I2P supplies anonymity through the application layer. Servers in the I2P darknet are called eepsites. A user who wishes to get a service from an eepsite needs to know the eepsite’s name, which can be obtained from the web easily enough. “Easily enough” means going to a fixed URL and fetching “routerinfo” files. Once Alice (a user) has the eepsite’s information, a tunnel from her to the eepsite is created automatically when she tries to connect to it. NOTE: Both sides need to install the I2P service.

I2P (Cont.)
Once the tunnel is up, Alice communicates with the eepsite via proxies that I2P configured or that she configured manually. The inner workings of the darknet itself (through whom and how Alice is actually connecting to the eepsite) are less important for our goal and therefore will not be explained here.


The Torrent World
The torrent world consists of two elements:
– A BitTorrent Client: Each user that wants to download or upload a file needs a client.
– A BitTorrent Tracker: The tracker is a server that holds all the peers of a torrent in a DHT (Distributed Hash Table).
BitTorrent is a peer-to-peer application that users use to download/upload files from each other. When a user wants to download a file, his BitTorrent client asks the tracker for the list of peers. The peers that are sent are the peers that registered for that torrent in the tracker.


BitTorrent Encryption?
The BitTorrent protocol supports encryption on its own, but it is not used by most clients and has not been tested thoroughly. I2P allows a client to download/upload files from/to peers via the I2P darknet. Too good to be true? Because it is. Downloading via the I2P darknet is extremely slow (4KB/s instead of 1.5MB/s), so most users don’t use this feature. THIS IS WHERE WE COME IN…

Most Users Encryption Style
Most users that use I2P use it only for connecting to the tracker and asking for a peers list. Once a client receives the peers list, it connects to each peer in a NON-ENCRYPTED fashion. We need to find a way to map the peers list request sent to the tracker (via I2P) to the connection made to the returned peer (real IP).

[Diagram: BitTorrent Protocol. Labels: “Encrypted via I2P”, “Connection not Encrypted”.]
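A client-side check for the leak described above, as an added example that is not part of the original slides: it decodes a tracker reply and lists every peer that a `.i2p` tracker returned as an IP literal, since the client would dial those peers from its real address. The function names, the policy that such peers are never acceptable, and the sample replies are assumptions constructed for illustration.

```python
import ipaddress
import struct

def bdecode(data, i=0):
    """Minimal bencode decoder: returns (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dictionary
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    colon = data.index(b":", i)                     # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def clearnet_peers(tracker_host, response):
    """IP-literal peers in a reply from a .i2p tracker (assumed policy: none allowed)."""
    if not tracker_host.lower().endswith(".i2p"):
        return []                                   # announce did not go through I2P
    reply, _ = bdecode(response)
    peers = reply.get(b"peers", b"")
    found = []
    if isinstance(peers, bytes):                    # compact model: 4-byte IPv4 + 2-byte port
        # Conservative: any string is read as 6-byte IPv4 entries and flagged.
        for off in range(0, len(peers) - len(peers) % 6, 6):
            ip, port = struct.unpack("!4sH", peers[off:off + 6])
            found.append((str(ipaddress.IPv4Address(ip)), port))
    else:                                           # dictionary model: list of peer dicts
        for p in peers:
            host = p.get(b"ip", b"").decode("ascii", "replace")
            try:
                ipaddress.ip_address(host)
            except ValueError:
                continue                            # not an IP literal, e.g. an I2P name
            found.append((host, p.get(b"port")))
    return found

# Constructed replies (documentation address ranges, not captured traffic).
COMPACT = b"d8:intervali1800e5:peers6:" + bytes([203, 0, 113, 7]) + struct.pack("!H", 6881) + b"e"
DICT_I2P = b"d5:peersld2:ip12:abcd.b32.i2p4:porti6881eeee"

if __name__ == "__main__":
    print(clearnet_peers("tracker.i2p", COMPACT))   # IP-literal peer: would bypass I2P
    print(clearnet_peers("tracker.i2p", DICT_I2P))  # I2P-named peer: nothing flagged
```

A client that drops or proxies every peer this function returns never opens the unencrypted connection that the mapping relies on.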

Work plan
Our plan is to set up a tracker, a proxy server and an optional peer to host the data. Controlling them is simple enough and will help us map those I2P hosts that tried to download the file we have set up. The peer that hosts the data is optional because the mapping can be done without it. However, having it and letting others download from it is proof of download.

Work plan (Cont.)
– Alice asks for a peers list from the tracker (using I2P)
– The tracker sends the proxy’s IP and some port to Alice’s I2P address
– Alice tries to connect to the proxy IP at the given port from her REAL IP
– The proxy identifies Alice’s REAL IP while she’s trying to connect to the given port
– The proxy passes the message to Bob (as a real proxy)
– End of session: Alice’s REAL IP is found
The anonymous host (via I2P) that asked the tracker for the peers list and got the proxy’s IP and port X is the REAL IP that tried to connect to the proxy at port X.

Work plan (Cont.)
[Diagram: Alice, tracker.i2p, Proxy Server, Bob. Labels: “Proxy’s IP, Port X”, “Connecting to Port X”, “Forwarding to Bob in order for Alice to download the file (proof)”, “Encrypted via I2P”, “Not Encrypted”, “(Optional)”.]
– Let the proxy listen to ports
– Each time the tracker gets a request for the peers list, it picks a port that wasn’t used for some time and sends it (along with the proxy’s IP).
– We can use multiple proxies if there are too many peers list requests.
– Alice’s REAL IP is found when she connects in an unencrypted fashion to the proxy at the given port.


Tracker
We found an open source tracker (called MonoTorrent). We’ve added a feature so it will receive I2P connections (from IP Address ).

Tracker

Tracker (Cont.)
We programmed the tracker to send any IP and port of our liking in response to a peers list request.
– We use this so it will send the proxy’s data is the proxy’s IP Address is the designated port.

When a client wants to use a service via I2P, it connects to it via a proxy – IP: , Port: This is the I2P proxy installed on the local machine, waiting for connections. When connecting through the I2P proxy, all hosts must be of I2P’s nature (***.i2p). The translation is done by a global directory service (The routerinfo files we talked about earlier).

In case you missed the checkboxes, have a look again: Most users use the proxy (I2P encryption/anonymity) for hostname lookups ONLY and NOT for the connection themselves.

Downloading the file – “talking” to the tracker via I2P and to the seeder in a non-encrypted way.

Back To The Tracker Alice is downloading now – The Tracker sent the peers list of our demand. UT3200… is Alice’s client Peer-ID.

Victory – Alice’s IP found


Results
Alice’s real IP is found. Port maximum range is 65,535. There is no problem, because we can use 100 proxies, each of which will use 30,000 ports. That gives us 3,000,000 clients at peak time while all ports are in use. The clients have no idea that their real IP has been found.

Further Reading
Articles:
– One Bad Apple Spoils The Bunch
– Compromising Tor Anonymity Exploiting P2P Information Leakage
Projects:
– MonoTorrent project
Standards (RFC):
– BitTorrent Protocol -- BTP/1.0 RFC
– BitTorrent Specification