Presenter: 張逸文. Detecting Traffic Snooping in Tor Using Decoys (RAID 2011). Sanbuddho Chakravarty, Georgios Portokalidis, Michalis Polychronakis, Angelos D. Keromytis.
Slide 1: Presenter: 張逸文
Detecting Traffic Snooping in Tor Using Decoys, RAID 2011
Sanbuddho Chakravarty, Georgios Portokalidis, Michalis Polychronakis, Angelos D. Keromytis
Columbia University, NY, USA

Slide 2: Outline
1. Introduction
2. Background
3. System Architecture
4. Deployment Results
5. Discussion and Future Work
6. Related Work
7. Conclusion

Slide 3: Introduction (1/2)
- Anonymity and privacy-preserving systems: Tor [15], Anonymizer
- They operate by routing user traffic through one or more proxies, often using layered encryption schemes
- Absence of end-to-end encryption => man-in-the-middle attacks (e.g. HTTPS switched to plain HTTP)

Slide 4: Introduction (2/2)
- Using decoy traffic to detect eavesdropping in proxying architectures, and in particular in anonymous communication systems
- Other uses of decoy traffic: unprotected wireless networks [9], warning of insider threats [8]
- Multiple "bait" credentials for IMAP and SMTP servers

Slide 5: Background
- Tor Anonymity Network
  - The most widely used low-latency anonymity network
  - Users can hide their IP => hidden services
  - How it works
- Threat Model
  - Malicious exit nodes
  - Extracting credentials, eavesdropping on private information
  - Intercepting the traffic of SSL connections

Slide 6: System Architecture (1/6)
- Approach
  - Network eavesdropping is a passive operation without observable effects
  - Credentials sent without application-layer encryption can be used by the eavesdropper => observable
  - We entice a prospective snooper to use intercepted decoy credentials to access a service under our control

Slide 7: System Architecture (2/6)

Slide 8: System Architecture (3/6)
- Implementation
  - Choosing a set of services that (1) are supported by a large number of Tor exit nodes and (2) support unencrypted authentication over a clear-text protocol
  - The number of Tor exit nodes that allowed the relaying of traffic through various TCP port numbers
  - IMAP (port 143) and SMTP (port 587) protocols

Slide 9: System Architecture (4/6)

Slide 10: System Architecture (5/6)
- Decoy Traffic Transmission and Eavesdropping Detection
  - Client: implemented in Perl; service protocol emulation is provided by the Net::IMAPClient and Net::SMTP modules
  - Client is hosted on Ubuntu Server Linux v8.04
  - The client creates one connection to each decoy server every day through each (supporting) Tor exit node
  - Each exit node is tied to its own set of credentials for each decoy service

Slide 11: System Architecture (6/6)
- Decoy services: Courier IMAP v4.6.0 & Postfix v2.7.0
- Illegitimate connections are identified by correlating the logs recorded at the client and at the server
- Important implementation considerations
  - Time synchronization => Network Time Protocol
  - Amount and quality of decoy traffic
  - The believability of the decoy traffic [9]
  - Eavesdropping incident verification

Slide 12: Deployment Results
- August 2010 to May 2011
- Ten traffic interception incidents, all received by the decoy IMAP server (Table 1)
- Available bandwidth of the malicious exit nodes
- Locations of the Tor exit nodes involved in the observed incidents (Geo-IP tool)

Slide 13: Discussion and Future Work (1/4)
- Detection confidence
  - The ease of installing and operating a Tor exit node
  - The host system may lack software patches or have poor security
  - Connecting back to the decoy server from the same exit node
- Future work: using multiple replicas of the decoy servers scattered across different networks, each associated with a different set of credentials
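As an added example (not the paper's or the presenters' code), this is the correlation step slides 11 and 13 describe: every decoy session the client sends is logged, so any login on the decoy IMAP server that no client session explains is an interception incident, attributed to the exit node whose unique credential was used, and flagged with higher confidence when it comes back from that exit's own address. The log formats, credential names and IP addresses are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumptions, not the paper's deployment): each Tor
# exit node is tied to its own decoy IMAP credential, so reuse of a credential
# identifies the exit node that saw it in transit.
CREDENTIALS_BY_EXIT = {"exit-A": "decoy_a@mail.invalid", "exit-B": "decoy_b@mail.invalid"}
EXIT_ADDRS = {"exit-A": "198.51.100.10", "exit-B": "203.0.113.20"}

# Client log: (time, exit node used, username sent) per scheduled decoy session.
CLIENT_LOG = [
    ("2010-09-01T10:00:00", "exit-A", "decoy_a@mail.invalid"),
    ("2010-09-01T10:05:00", "exit-B", "decoy_b@mail.invalid"),
]
# Decoy IMAP server authentication log: (time, source IP, username).
SERVER_LOG = [
    ("2010-09-01T10:00:02", "198.51.100.10", "decoy_a@mail.invalid"),  # our own session
    ("2010-09-01T10:05:03", "203.0.113.20", "decoy_b@mail.invalid"),   # our own session
    ("2010-09-03T22:41:10", "192.0.2.77", "decoy_b@mail.invalid"),     # no client session
    ("2010-09-04T01:12:00", "203.0.113.20", "decoy_b@mail.invalid"),   # replayed via exit-B itself
]


def detect_incidents(client_log, server_log, creds_by_exit, exit_addrs,
                     window=timedelta(seconds=30)):
    """Return server logins that no client-side decoy session explains.

    A login is legitimate only if the client logged a session with the same
    username within `window` of it (clocks are assumed NTP-synchronised, as
    the slides require). Every other login means the credential was replayed
    by someone who observed it, and the username maps back to the exit node
    that carried it. A replay arriving from that exit's own address is marked
    separately, since it raises confidence that the exit operator is involved.
    """
    exit_for_user = {user: node for node, user in creds_by_exit.items()}
    incidents = []
    for s_ts, src_ip, user in server_log:
        s_time = datetime.fromisoformat(s_ts)
        explained = any(
            u == user and abs(datetime.fromisoformat(c_ts) - s_time) <= window
            for c_ts, _, u in client_log
        )
        if explained:
            continue
        node = exit_for_user.get(user, "unknown")
        incidents.append({
            "time": s_ts, "source": src_ip, "username": user,
            "suspect_exit": node,
            "from_exit_itself": exit_addrs.get(node) == src_ip,
        })
    return incidents
```

Running `detect_incidents(CLIENT_LOG, SERVER_LOG, CREDENTIALS_BY_EXIT, EXIT_ADDRS)` on the constructed logs yields two incidents, both implicating exit-B.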

Slide 14: Discussion and Future Work (2/4)
- Decoy Traffic Credibility
  - Increasing the number and diversity of the innocuous email messages in SMTP traffic
  - Including bait documents that would ping back to our system
  - Capturing network traces of protocol interactions using various real IMAP clients and servers

Slide 15: Discussion and Future Work (3/4)
- Detection of HTTP Session Hijacking
  - Some sites switch back to HTTP after the user has logged in
  - Users are unaware of whether HTTPS is in use
  - Attackers can steal the session cookie from the HTTP requests of authenticated users
- Future work: detecting HTTP session hijacking attacks by using decoy accounts

Slide 16: Discussion and Future Work (4/4)
- Traffic Eavesdropping and Anonymity Degradation
  - Reducing the anonymity set
- Eavesdropping Detection as a Network Service
  - Honeynet-based system
  - Used as an eavesdropping detection system

Slide 17: Related Work (1/2)
- Clifford Stoll, The Cuckoo's Egg: trapping an intruder who broke into the systems of the Lawrence Berkeley National Laboratory
- Honeypots have been used extensively for modeling, logging and analyzing attacks
- Honeytokens: pieces of information; once the adversary retrieves one, any subsequent use of it clearly indicates unauthorized access

Slide 18: Related Work (2/2)
- Bowen et al.: WiFi traffic as a basis for generating decoy traffic with realistic network interactions
- McCoy et al.: taking advantage of the IP address resolution functionality of network traffic capturing tools
  - This functionality may be disabled by the eavesdropper

Slide 19: Conclusion
- Applying decoy user credentials to the detection of traffic interception in anonymity networks
- Detected ten cases in which decoy credentials were used by a third party to log in to servers under our control
- How the proposed method can be extended to the detection of HTTP session hijacking attacks

Slide 20: Thanks & go 金盾!!