Defending Tor from Network Adversaries: A Case Study of Network Path Prediction

The Tor anonymity network has been shown vulnerable to traffic analysis attacks by autonomous systems and Internet exchanges, which can observe different overlay hops belonging to the same circuit. We aim to determine whether network path prediction techniques provide an accurate picture of the threat from such adversaries, and whether they can be used to avoid this threat. We perform a measurement study by running traceroutes from Tor relays to destinations around the Internet. We use the data to evaluate the accuracy of the autonomous systems and Internet exchanges that are predicted to appear on the path using state-of-the-art path inference techniques; we also consider the impact that prediction errors have on Tor security, and whether it is possible to produce a useful overestimate that does not miss important threats. Finally, we evaluate the possibility of using these predictions to actively avoid AS and IX adversaries and the challenges this creates for the design of Tor

Measuring and mitigating AS-level adversaries against Tor

The popularity of Tor as an anonymity system has made it a popular target for a variety of attacks. We focus on traffic correlation attacks, which are no longer solely in the realm of academic research with recent revelations about the NSA and GCHQ actively working to implement them in practice. Our first contribution is an empirical study that allows us to gain a high fidelity snapshot of the threat of traffic correlation attacks in the wild. We find that up to 40% of all circuits created by Tor are vulnerable to attacks by traffic correlation from Autonomous System (AS)-level adversaries, 42% from colluding AS-level adversaries, and 85% from state-level adversaries. In addition, we find that in some regions (notably, China and Iran) there exist many cases where over 95% of all possible circuits are vulnerable to correlation attacks, emphasizing the need for AS-aware relay-selection. To mitigate the threat of such attacks, we build Astoria--an AS-aware Tor client. Astoria leverages recent developments in network measurement to perform path-prediction and intelligent relay selection. Astoria reduces the number of vulnerable circuits to 2% against AS-level adversaries, under 5% against colluding AS-level adversaries, and 25% against state-level adversaries. In addition, Astoria load balances across the Tor network so as to not overload any set of relays.Comment: Appearing at NDSS 201

Guard Sets for Onion Routing

“Entry” guards protect the Tor onion routing system from variants of the “predecessor” attack, that would allow an adversary with control of a fraction of routers to eventually de-anonymize some users. Research has however shown the three guard scheme has drawbacks and Dingledine et al. proposed in 2014 for each user to have a single long-term guard. We first show that such a guard selection strategy would be optimal if the Tor network was failure-free and static. However under realistic failure conditions the one guard proposal still suffers from the classic fingerprinting attacks, uniquely identifying users. Furthermore, under dynamic network conditions using single guards offer smaller anonymity sets to users of fresh guards. We propose and analyze an alternative guard selection scheme by way of grouping guards together to form shared guard sets. We compare the security and performance of guard sets with the three guard scheme and the one guard proposal. We show guard sets do provide increased resistance to a number of attacks, while foreseeing no significant degradation in performance or bandwidth utilization

ToR K-Anonymity against deep learning watermarking attacks

It is known that totalitarian regimes often perform surveillance and censorship of their communication networks. The Tor anonymity network allows users to browse the Internet anonymously to circumvent censorship filters and possible prosecution. This has made Tor an enticing target for state-level actors and cooperative state-level adversaries, with privileged access to network traffic captured at the level of Autonomous Systems(ASs) or Internet Exchange Points(IXPs). This thesis studied the attack typologies involved, with a particular focus on traffic correlation techniques for de-anonymization of Tor endpoints. Our goal was to design a test-bench environment and tool, based on recently researched deep learning techniques for traffic analysis, to evaluate the effectiveness of countermeasures provided by recent ap- proaches that try to strengthen Tor’s anonymity protection. The targeted solution is based on K-anonymity input covert channels organized as a pre-staged multipath network. The research challenge was to design a test-bench environment and tool, to launch active correlation attacks leveraging traffic flow correlation through the detection of in- duced watermarks in Tor traffic. To de-anonymize Tor connection endpoints, our tool analyses intrinsic time patterns of Tor synthetic egress traffic to detect flows with previ- ously injected time-based watermarks. With the obtained results and conclusions, we contributed to the evaluation of the security guarantees that the targeted K-anonymity solution provides as a countermeasure against de-anonymization attacks.Já foi extensamente observado que em vários países governados por regimes totalitários existe monitorização, e consequente censura, nos vários meios de comunicação utilizados. O Tor permite aos seus utilizadores navegar pela internet com garantias de privacidade e anonimato, de forma a evitar bloqueios, censura e processos legais impostos pela entidade que governa. Estas propriedades tornaram a rede Tor um alvo de ataque para vários governos e ações conjuntas de várias entidades, com acesso privilegiado a extensas zonas da rede e vários pontos de acesso à mesma. Esta tese realiza o estudo de tipologias de ataques que quebram o anonimato da rede Tor, com especial foco em técnicas de correlação de tráfegos. O nosso objetivo é realizar um ambiente de estudo e ferramenta, baseada em técnicas recentes de aprendizagem pro- funda e injeção de marcas de água, para avaliar a eficácia de contramedidas recentemente investigadas, que tentam fortalecer o anonimato da rede Tor. A contramedida que pre- tendemos avaliar é baseada na criação de multi-circuitos encobertos, recorrendo a túneis TLS de entrada, de forma a acoplar o tráfego de um grupo anonimo de K utilizadores. A solução a ser desenvolvida deve lançar um ataque de correlação de tráfegos recorrendo a técnicas ativas de indução de marcas de água. Esta ferramenta deve ser capaz de correla- cionar tráfego sintético de saída de circuitos Tor, realizando a injeção de marcas de água à entrada com o propósito de serem detetadas num segundo ponto de observação. Aplicada a um cenário real, o propósito da ferramenta está enquadrado na quebra do anonimato de serviços secretos fornecidos pela rede Tor, assim como os utilizadores dos mesmos. Os resultados esperados irão contribuir para a avaliação da solução de anonimato de K utilizadores mencionada, que é vista como contramedida para ataques de desanonimi- zação

Network Performance Improvements for Low-Latency Anonymity Networks

While advances to the Internet have enabled users to easily interact and exchange information online, they have also created several opportunities for adversaries to prey on users’ private information. Whether the motivation for data collection is commercial, where service providers sell data for marketers, or political, where a government censors, blocks and tracks its people, or even personal, for cyberstalking purposes, there is no doubt that the consequences of personal information leaks can be severe. Low-latency anonymity networks have thus emerged as a solution to allow people to surf the Internet without the fear of revealing their identities or locations. In order to provide anonymity to users, anonymity networks route users’ traffic through several intermediate relays, which causes unavoidable extra delays. However, although these networks have been originally designed to support interactive applications, due to a variety of design weaknesses, these networks offer anonymity at the expense of further intolerable performance costs, which disincentivize users from adopting these systems. In this thesis, we seek to improve the network performance of low-latency anonymity networks while maintaining the anonymity guarantees they provide to users today. As an experimentation platform, we use Tor, the most widely used privacy-preserving network that empowers people with low-latency anonymous online access. Since its introduction in 2003, Tor has successfully evolved to support hundreds of thousands of users using thousands of volunteer-operated routers run all around the world. Incidents of sudden increases in Tor’s usage, coinciding with global political events, confirm the importance of the Tor network for Internet users today. We identify four key contributors to the performance problems in low-latency anonymity networks, exemplified by Tor, that significantly impact the experience of low-latency application users. We first consider the lack of resources problem due to the resource-constrained routers, and propose multipath routing and traffic splitting to increase throughput and improve load balancing. Second, we explore the poor quality of service problem, which is exacerbated by the existence of bandwidth-consuming greedy applications in the network. We propose online traffic classification as a means of enabling quality of service for every traffic class. Next, we investigate the poor transport design problem and propose a new transport layer design for anonymous communication networks which addresses the drawbacks of previous proposals. Finally, we address the problem of the lack of congestion control by proposing an ATM-style credit-based hop-by-hop flow control algorithm which caps the queue sizes and allows all relays to react to congestion in the network. Our experimental results confirm the significant performance benefits that can be obtained using our privacy-preserving approaches