Traffic Analysis Attacks and Defenses in Low Latency Anonymous Communication

The recent public disclosure of mass surveillance of electronic communication, involving powerful government authorities, has drawn the public's attention to issues regarding Internet privacy. For almost a decade now, there have been several research efforts towards designing and deploying open source, trustworthy and reliable systems that ensure users' anonymity and privacy. These systems operate by hiding the true network identity of communicating parties against eavesdropping adversaries. Tor, acronym for The Onion Router, is an example of such a system. Such systems relay the traffic of their users through an overlay of nodes that are called Onion Routers and are operated by volunteers distributed across the globe. Such systems have served well as anti-censorship and anti-surveillance tools. However, recent publications have disclosed that powerful government organizations are seeking means to de-anonymize such systems and have deployed distributed monitoring infrastructure to aid their efforts. Attacks against anonymous communication systems, like Tor, often involve trac analysis. In such attacks, an adversary, capable of observing network traffic statistics in several different networks, correlates the trac patterns in these networks, and associates otherwise seemingly unrelated network connections. The process can lead an adversary to the source of an anonymous connection. However, due to their design, consisting of globally distributed relays, the users of anonymity networks like Tor, can route their traffic virtually via any network; hiding their tracks and true identities from their communication peers and eavesdropping adversaries. De-anonymization of a random anonymous connection is hard, as the adversary is required to correlate traffic patterns in one network link to those in virtually all other networks. Past research mostly involved reducing the complexity of this process by rst reducing the set of relays or network routers to monitor, and then identifying the actual source of anonymous traffic among network connections that are routed via this reduced set of relays or network routers to monitor. A study of various research efforts in this field reveals that there have been many more efforts to reduce the set of relays or routers to be searched than to explore methods for actually identifying an anonymous user amidst the network connections using these routers and relays. Few have tried to comprehensively study a complete attack, that involves reducing the set of relays and routers to monitor and identifying the source of an anonymous connection. Although it is believed that systems like Tor are trivially vulnerable to traffic analysis, there are various technical challenges and issues that can become obstacles to accurately identifying the source of anonymous connection. It is hard to adjudge the vulnerability of anonymous communication systems without adequately exploring the issues involved in identifying the source of anonymous traffic. We take steps to ll this gap by exploring two novel active trac analysis attacks, that solely rely on measurements of network statistics. In these attacks, the adversary tries to identify the source of an anonymous connection arriving to a server from an exit node. This generally involves correlating traffic entering and leaving the Tor network, linking otherwise unrelated connections. To increase the accuracy of identifying the victim connection among several connections, the adversary injects a traffic perturbation pattern into a connection arriving to the server from a Tor node, that the adversary wants to de-anonymize. One way to achieve this is by colluding with the server and injecting a traffic perturbation pattern using common traffic shaping tools. Our first attack involves a novel remote bandwidth estimation technique to conrm the identity of Tor relays and network routers along the path connecting a Tor client and a server by observing network bandwidth fluctuations deliberately injected by the server. The second attack involves correlating network statistics, for connections entering and leaving the Tor network, available from existing network infrastructure, such as Cisco's NetFlow, for identifying the source of an anonymous connection. Additionally, we explored a novel technique to defend against the latter attack. Most research towards defending against traffic analysis attacks, involving transmission of dummy traffic, have not been implemented due to fears of potential performance degradation. Our novel technique involves transmission of dummy traffic, consisting of packets with IP headers having small Time-to-Live (TTL) values. Such packets are discarded by the routers before they reach their destination. They distort NetFlow statistics, without degrading the client's performance. Finally, we present a strategy that employs transmission of unique plain-text decoy traffic, that appears sensitive, such as fake user credentials, through Tor nodes to decoy servers under our control. Periodic tallying of client and server logs to determine unsolicited connection attempts at the server is used to identify the eavesdropping nodes. Such malicious Tor node operators, eavesdropping on users' traffic, could be potential traffic analysis attackers

LinkWidth: A Method to measure Link Capacity and Available Bandwidth Using Single-End Probes

We introduce LinkWidth, a method for estimating capacity and available bandwidth using single-end controlled TCP packet probes. To estimate capacity, we generate a train of TCP RST packets "sandwiched" between two TCP SYN packets. Capacity is obtained by end-to-end packet dispersion of the received TCP RST/ACK packets corresponding to the TCP SYN packets. Our technique is significantly different from the rest of the packet-pair-based measurement techniques, such as CapProbe, pathchar and pathrate, because the long packet trains minimize errors due to bursty cross-traffic. TCP RST packets do not generate additional ICMP replies preventing cross-traffic interference with our probes. In addition, we use TCP packets for all our probes to prevent some types of QoS-related traffic shaping from affecting our measurements. We extend the Train of Packet Pairs technique to approximate the available link capacity. We use pairs of TCP packets with variable intra-pair delays and sizes. This is the first attempt to implement this technique using single-end TCP probes, tested on a wide range of real networks with variable cross-traffic. We compare our prototype with pathchirp and pathload, which require control of both ends, and demonstrate that in most cases our method gives approximately the same results

Approximating a Global Passive Adversary Against Tor

We present a novel, practical, and effective mechanism for identifying the IP address of Tor clients. We approximate an almost-global passive adversary (GPA) capable of eavesdropping anywhere in the network by using LinkWidth, a novel bandwidth-estimation technique. LinkWidth allows network edge-attached entities to estimate the available bandwidth in an arbitrary Internet link without a cooperating peer host, router, or ISP. By modulating the bandwidth of an anonymous connection (e.g., when the destination server or its router is under our control), we can observe these fluctuations as they propagate through the Tor network and the Internet to the end-user's IP address. Our technique exploits one of the design criteria for Tor (trading off GPA-resistance for improved latency/bandwidth over MIXes) by allowing well-provisioned (in terms of bandwidth) adversaries to effectively become GPAs. Although timing-based attacks have been demonstrated against non-timing-preserving anonymity networks, they have depended either on a global passive adversary or on the compromise of a substantial number of Tor nodes. Our technique does not require compromise of any Tor nodes or collaboration of the end-server (for some scenarios). We demonstrate the effectiveness of our approach in tracking the IP address of Tor users in a series of experiments. Even for an underprovisioned adversary with only two network vantage points, we can identify the end user (IP address) in many cases

LinkWidth: A Method to Measure Link Capacity and Available Bandwidth using Single-End Probes

We introduce LinkWidth, a method for estimating capacity and available bandwidth using single-end controlled TCP packet probes. To estimate capacity, we generate a train of TCP RST packets "sandwiched" between trains of TCP SYN packets. Capacity is computed from the end-to-end packet dispersion of the received TCP RST/ACK packets corresponding to the TCP SYN packets going to closed ports. Our technique is significantly different from the rest of the packet-pair based measurement techniques, such as CapProbe, pathchar and pathrate, because the long packet trains minimize errors due to bursty cross-traffic. Additionally, TCP RST packets do not generate additional ICMP replies, thus avoiding cross-traffic due to such packets from interfering with our probes. In addition, we use TCP packets for all our probes to prevent QoS-related traffic shaping (based on packet types) from affecting our measurements (eg. CISCO routers by default are known have to very high latency while generating to ICMP TTL expired replies). We extend the {\it Train of Packet Pairs technique to approximate the available link capacity. We use a train of TCP packet pairs with variable intra-pair delays and sizes. This is the first attempt to implement this technique using single-end TCP probes, tested on a range of networks with different bottleneck capacities and cross traffic rates. The method we use for measuring from a single point of control uses TCP RST packets between a train of TCP SYN packets. The idea is quite similar to the technique for measuring the bottleneck capacity. We compare our prototype with pathchirp, pathload, IPERF, which require control of both ends as well as another single end controlled technique abget, and demonstrate that in most cases our method gives approximately the same results if not better

Few Throats to Choke: On the Current Structure of the Internet

The original design of the Internet was as a resilient, distributed system, able to route around (and therefore recover from) massive disruption - up to and including nuclear war. However, network effects and business decisions (e.g. the pur- chase of GlobalCrossing by Level-3) have led to centralization of routing power. This is not merely an academic issue; it has practical implications, such as whether the citizens of a country may be subject to censorship by an “upstream” ISP in some other country, that controls its entire access to the Internet. In this paper, we examine the extent of routing centralization in the Internet; identify the major players who control the “Internet backbone”; and point out how many these are, in fact, under the jurisdiction of censorious countries. We also measure the collateral damage caused by censorship, particularly by the two largest Internet-using nations, China and India

Detecting Traffic Snooping in Anonymity Networks Using Decoys

Anonymous communication networks like Tor partially protect the confidentiality of their users' traffic by encrypting all intra-overlay communication. However, when the relayed traffic reaches the boundaries of the overlay network towards its actual destination, the original user traffic is inevitably exposed. At this point, unless end-to-end encryption is used, sensitive user data can be snooped by a malicious or compromised exit node, or by any other rogue network entity on the path towards the actual destination. We explore the use of decoy traffic for the detection of traffic interception on anonymous proxying systems. Our approach is based on the injection of traffic that exposes bait credentials for decoy services that require user authentication. Our aim is to entice prospective eavesdroppers to access decoy accounts on servers under our control using the intercepted credentials. We have deployed our prototype implementation in the Tor network using decoy IMAP and SMTP servers. During the course of six months, our system detected eight cases of traffic interception that involved eight different Tor exit nodes. We provide a detailed analysis of the detected incidents, discuss potential improvements to our system, and outline how our approach can be extended for the detection of HTTP session hijacking attacks

Mending Wall: On the Implementation of Censorship in India

This paper presents a study of the Internet infrastructure in India from the point of view of censorship. First, we show that the current state of affairs — where each ISP implements its own content filters (nominally as per a governmental blacklist) — results in dramatic differences in the censorship experienced by customers. In practice, a well-informed Indian citizen can escape censorship through a judicious choice of service provider. We then consider the question of whether India might potentially follow the Chinese model and institute a single, government-controlled filter. This would not be difficult, as the Indian Internet is quite centralized already. A few “key” ASes (≈ 1% of Indian ASes) collectively intercept ≈ 95% of paths to the censored sites we sample in our study, and also to all publicly-visible DNS servers. 5, 000 routers spanning these key ASes would suffice to carry out IP or DNS filtering for the entire country; ≈ 70% of these routers belong to only two private ISPs. If the government is willing to employ more powerful measures, such as an IP Prefix Hijacking attack, any one of several key ASes can censor traffic for nearly all Indian users. Finally, we demonstrate that such federated censorship by India would cause substantial collateral damage to non-Indian ASes whose traffic passes through Indian cyberspace (which do not legally come under Indian jurisdiction at all)