9 research outputs found
De-anonymizing BitTorrent Users on Tor
Some BitTorrent users are running BitTorrent on top of Tor to preserve their
privacy. In this extended abstract, we discuss three different attacks to
reveal the IP address of BitTorrent users on top of Tor. In addition, we
exploit the multiplexing of streams from different applications into the same
circuit to link non-BitTorrent applications to revealed IP addresses.
Comment: Poster accepted at the 7th USENIX Symposium on Networked Systems Design and
Implementation (NSDI '10), San Jose, CA, United States (2010).
Compromising Tor Anonymity Exploiting P2P Information Leakage
Privacy of users in P2P networks goes far beyond their current usage and is a
fundamental requirement to the adoption of P2P protocols for legal usage. In a
climate of cold war between these users and anti-piracy groups, more and more
users are moving to anonymizing networks in an attempt to hide their identity.
However, when not designed to protect users' information, a P2P protocol would
leak information that may compromise the identity of its users. In this paper,
we first present three attacks targeting BitTorrent users on top of Tor that
reveal their real IP addresses. In a second step, we analyze the Tor usage by
BitTorrent users and compare it to its usage outside of Tor. Finally, we depict
the risks induced by this de-anonymization and show that users' privacy
violation goes beyond BitTorrent traffic and contaminates other protocols such
as HTTP.
One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users
Tor is a popular low-latency anonymity network. However, Tor does not protect
against the exploitation of an insecure application to reveal the IP address
of, or trace, a TCP stream. In addition, because of the linkability of Tor
streams sent together over a single circuit, tracing one stream sent over a
circuit traces them all. Surprisingly, it is unknown whether, in practice, this
linkability allows tracing a significant number of streams originating from
secure (i.e., proxied) applications. In this paper, we show that linkability
allows us to trace 193% of additional streams, including 27% of HTTP streams
possibly originating from "secure" browsers. In particular, we traced 9% of Tor
streams carried by our instrumented exit nodes. Using BitTorrent as the
insecure application, we design two attacks tracing BitTorrent users on Tor. We
run these attacks in the wild for 23 days and reveal 10,000 IP addresses of Tor
users. Using these IP addresses, we then profile not only the BitTorrent
downloads but also the websites visited per country of origin of Tor users. We
show that BitTorrent users on Tor are over-represented in some countries as
compared to BitTorrent users outside of Tor. By analyzing the type of content
downloaded, we then explain the observed behaviors by the higher concentration
of pornographic content downloaded at the scale of a country. Finally, we
present results suggesting the existence of an underground BitTorrent ecosystem
on Tor.
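The circuit-level linkability the abstract above relies on can be made concrete with a small simulation. The following is an added illustration, not code from any of the papers listed here: it takes the view an instrumented exit node has (circuit identifier, stream identifier, destination, and, for an insecure application, whatever client address the payload happened to disclose) and propagates each disclosed address to every other stream multiplexed on the same circuit, then reports the same kinds of counts the abstract gives (streams traced directly, additional streams traced only through linkability, share of HTTP streams swept up). The log entries, protocol labels and IP addresses (documentation ranges) are constructed.

```python
"""Linking every stream on a Tor circuit to an IP revealed by one of them.

Added illustration, not code from the papers listed here: an exit node sees
streams as (circuit, stream, destination) and never sees the client's IP.
When the payload of one stream (BitTorrent in the papers) discloses the
client's real address, the circuit identifier links that address to every
other stream multiplexed on the same circuit. The exit-node log below is
constructed; the protocol labels and the IPs (documentation ranges) are
assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Stream:
    circuit_id: int
    stream_id: int
    proto: str                         # assumed classifier label: "bittorrent" or "http"
    dest: str                          # host:port requested through the exit
    revealed_ip: Optional[str] = None  # client IP leaked by the application payload, if any


# Constructed view from an instrumented exit node. Circuit 7 carries one
# BitTorrent stream that leaks 203.0.113.5 plus two HTTP streams; circuit 9
# carries HTTP only and stays untraceable; circuit 11 leaks 198.51.100.7 twice.
EXIT_LOG: List[Stream] = [
    Stream(7, 1, "bittorrent", "tracker.example:6969", "203.0.113.5"),
    Stream(7, 2, "http", "news.example:80"),
    Stream(7, 3, "http", "mail.example:80"),
    Stream(9, 1, "http", "shop.example:80"),
    Stream(11, 1, "bittorrent", "peer.example:51413", "198.51.100.7"),
    Stream(11, 2, "bittorrent", "tracker2.example:80", "198.51.100.7"),
    Stream(11, 3, "http", "forum.example:80"),
]


def link_streams(streams: List[Stream]) -> Dict[Stream, str]:
    """Map each stream to a client IP whenever any stream on its circuit leaked one."""
    ip_by_circuit: Dict[int, str] = {}
    for s in streams:
        if s.revealed_ip is None:
            continue
        known = ip_by_circuit.setdefault(s.circuit_id, s.revealed_ip)
        if known != s.revealed_ip:
            # Two leaks on one circuit disagree: a spoofed payload or a
            # misattributed circuit. Refuse rather than guess.
            raise ValueError(
                f"circuit {s.circuit_id}: conflicting leaked IPs {known} / {s.revealed_ip}")
    return {s: ip_by_circuit[s.circuit_id] for s in streams if s.circuit_id in ip_by_circuit}


def trace_stats(streams: List[Stream]) -> Dict[str, float]:
    """Counts in the shape the abstract reports: streams traced directly by a
    leak, extra streams traced only through circuit linkability, and the
    share of HTTP streams swept up that way."""
    traced = link_streams(streams)
    direct = [s for s in streams if s.revealed_ip is not None]
    linked_only = [s for s in traced if s.revealed_ip is None]
    http_all = [s for s in streams if s.proto == "http"]
    http_linked = [s for s in linked_only if s.proto == "http"]
    return {
        "direct": len(direct),
        "linked_only": len(linked_only),
        "additional_pct": 100.0 * len(linked_only) / len(direct) if direct else 0.0,
        "http_linked_pct": 100.0 * len(http_linked) / len(http_all) if http_all else 0.0,
        "traced_pct": 100.0 * len(traced) / len(streams) if streams else 0.0,
    }


if __name__ == "__main__":
    for stream, ip in link_streams(EXIT_LOG).items():
        print(f"circuit {stream.circuit_id} stream {stream.stream_id} "
              f"{stream.proto:<10} {stream.dest:<22} -> {ip}")
    print(trace_stats(EXIT_LOG))
```

On the constructed log the three leaking BitTorrent streams drag in three more streams (100% additional), and three of the four HTTP streams end up attributed to a client IP even though HTTP itself leaked nothing; only the circuit with no insecure application on it stays untraced. The conflicting-leak check matters in practice: an adversary who knows the attack can inject a bogus address on a shared circuit, so two disagreeing leaks should be treated as unreliable rather than averaged away.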
How Unique and Traceable are Usernames?
Suppose you find the same username on different online services, what is the
probability that these usernames refer to the same physical person? This work
addresses what appears to be a fairly simple question, which has many
implications for anonymity and privacy on the Internet. One possible way of
estimating this probability would be to look at the public information
associated with the two accounts and try to match them. However, for most
services, this information is chosen by the users themselves and is often
very heterogeneous, possibly false and difficult to collect. Furthermore,
several websites do not disclose any additional public information about users
apart from their usernames (e.g., discussion forums or blog comments),
nonetheless, they might contain sensitive information about users. This paper
explores the possibility of linking users' profiles only by looking at their
usernames. The intuition is that the probability that two usernames refer to
the same physical person strongly depends on the "entropy" of the username
string itself. Our experiments, based on crawls of real web services, show that
a significant portion of the users' profiles can be linked using their
usernames. To the best of our knowledge, this is the first time that usernames
are considered as a source of information when profiling users on the Internet.
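The intuition in the abstract above, that a username links accounts in proportion to the "entropy" of the string, can be turned into a number with a very simple model. The following is an added illustration and not the method of the paper: it measures the information content of a username under a character-unigram model fitted to a corpus of usernames, then converts that into the probability that two accounts sharing the string belong to one person, assuming a population of independent users each drawing a name from the same model. The corpus, the population size and the unigram model are all assumptions made for the example.

```python
"""Estimating how much a username alone says about who is behind an account.

Added illustration (not the method of the paper above): the chance that two
accounts sharing a username belong to one person should grow with how
surprising the string is. Surprise is measured here as the information
content under an add-one-smoothed character-unigram model fitted to a corpus
of usernames, then turned into an expected number of colliding users over an
assumed population. Corpus, population and model choice are all assumptions.
"""
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_.-"

# Constructed corpus of usernames used to fit the model
CORPUS = ["john", "john_smith", "alice", "bob123", "dave", "mike", "anna",
          "sarah", "james", "tom", "chris", "emma", "lucy", "matt", "jake",
          "kate", "sam", "jsmith", "mary", "peter"]


def normalize(username):
    """Services usually treat usernames case-insensitively; compare in lower case."""
    return username.lower()


def fit_char_model(corpus):
    """Add-one-smoothed unigram probabilities over ALPHABET plus any seen character."""
    counts = Counter(c for u in corpus for c in normalize(u))
    symbols = set(ALPHABET) | set(counts)
    total = sum(counts.values()) + len(symbols)
    return {c: (counts[c] + 1) / total for c in symbols}


def info_bits(username, model):
    """-log2 P(username) under the model: the bits of surprise in the string."""
    floor = min(model.values())  # a character never seen is treated as the rarest one
    return -sum(math.log2(model.get(c, floor)) for c in normalize(username))


def p_same_person(username, model, population):
    """P(two accounts with this username are one person), assuming `population`
    independent users each draw a name from the model, so the expected number
    of *other* users producing this exact string is population * 2**(-bits)."""
    expected_others = population * 2.0 ** (-info_bits(username, model))
    return 1.0 / (1.0 + expected_others)


def rank_usernames(usernames, model, population):
    """Sort candidate usernames from least to most identifying."""
    return sorted(usernames, key=lambda u: p_same_person(u, model, population))


if __name__ == "__main__":
    model = fit_char_model(CORPUS)
    for u in rank_usernames(["john", "john_smith", "xq7_zl0v9"], model, 10**6):
        print(f"{u:<12} {info_bits(u, model):6.1f} bits  "
              f"P(same person)={p_same_person(u, model, 10**6):.3f}")
```

With a million assumed users, a short common name such as "john" carries roughly 18 bits and so is expected to collide with several other people, while a long string of rare characters carries over 60 bits and is effectively unique. A real deployment would fit a richer model (at least a character bigram model) on a large crawl, but the ranking logic is the same.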
Digging into anonymous traffic: A deep analysis of the tor anonymizing network
Users' anonymity and privacy are among the major concerns of today's Internet. Anonymizing networks are then poised to become an important service to support anonymous-driven Internet communications and consequently enhance users' privacy protection. Indeed, Tor, an example of an anonymizing network based on the onion routing concept, attracts more and more volunteers, and is now popular among tens of thousands of Internet users. Surprisingly, very few research works shed light on such an anonymizing network. Beyond providing global statistics on the typical usage of Tor in the wild, we show that Tor is actually being misused, as most of the observed traffic belongs to P2P applications. In particular, we quantify the BitTorrent traffic and show that the load of the latter on the Tor network is underestimated because of encrypted BitTorrent traffic (that can go unnoticed). Furthermore, this paper provides a deep analysis of both the HTTP and BitTorrent protocols, giving a complete overview of their usage. We do not only report such usage in terms of traffic size and number of connections but also depict how users behave on top of Tor. We also show that Tor usage is now diverted from the onion routing concept and that Tor exit nodes are frequently used as 1-hop SOCKS proxies, through a so-called tunneling technique. We provide an efficient method allowing an exit node to detect such an abnormal usage. Finally, we report our experience in effectively crawling bridge nodes, supposedly revealed sparingly in Tor.
Geolocalization of Proxied Services and its Application to Fast-Flux Hidden Servers
Fast-flux is a redirection technique used by cyber-criminals to hide the actual location of malicious servers. Its purpose is to evade identification and prevent, or at least delay, the shutdown of these illegal servers by law enforcement. This paper proposes a framework to geolocalize fast-flux servers, that is, to determine the physical location of the fast-flux networks' roots (mothership servers) based on network measurements. We performed an extensive set of measurements on PlanetLab in order to validate and evaluate the performance of our method in a controlled environment. These experiments showed that, with our framework, fast-flux servers can be localized with mean distance errors similar to those of non-hidden servers, i.e. approximately 100 km. In the light of these very promising results, we also applied our scheme to several active fast-flux servers and estimated their geographic locations, then providing statistics on the locations of "in the wild" fast-flux services.
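The abstract above describes geolocation from network measurements without giving the mechanics, so here is an added illustration of the simplest form such a measurement-based estimate can take. It is not the paper's framework: it assumes a set of landmark hosts with known coordinates, each of which obtains a round-trip time that reflects the path to the hidden server, and it uses the physical bound that light in fibre travels at roughly 2/3 c (about 100 km per millisecond of RTT) to turn each RTT into a disc the server must lie in. The estimate is the grid point that sits deepest inside the intersection of all discs. The landmarks, the hidden location and the RTT model used to synthesize measurements are all constructed for the example; errors on real paths will be larger than in this clean simulation.

```python
"""Constraint-based geolocation of a hidden server from landmark RTTs.

Added illustration, not the framework of the paper above. Assumptions:
landmarks at known coordinates each measure an RTT that reflects the path to
the hidden server; light in fibre travels at about 2/3 c, so the server can
be no farther than KM_PER_MS_RTT km per millisecond of round trip from each
landmark. Landmarks, the hidden location and the RTT model are constructed.
"""
import math

KM_PER_MS_RTT = 100.0  # 2/3 c is about 200 km/ms one way, i.e. 100 km per ms of RTT

LANDMARKS = {  # constructed vantage points (approximate city coordinates)
    "paris": (48.8566, 2.3522),
    "berlin": (52.5200, 13.4050),
    "madrid": (40.4168, -3.7038),
    "rome": (41.9028, 12.4964),
    "amsterdam": (52.3676, 4.9041),
}
HIDDEN = (45.7640, 4.8357)  # constructed "mothership" location (Lyon)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance on a sphere of radius 6371 km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def simulate_rtts(target, landmarks, path_inflation=1.2, overhead_ms=2.0):
    """Synthetic RTTs: fibre delay stretched by routing detours plus a fixed
    per-hop overhead (constructed model, chosen so the physical bound holds)."""
    return {name: path_inflation * haversine_km(*lm, *target) / KM_PER_MS_RTT + overhead_ms
            for name, lm in landmarks.items()}


def feasible(point, rtts, landmarks):
    """True if `point` lies inside every landmark's RTT disc."""
    return all(haversine_km(*point, *landmarks[n]) <= rtts[n] * KM_PER_MS_RTT for n in rtts)


def geolocate(rtts, landmarks, lat_range=(35.0, 60.0), lon_range=(-10.0, 20.0), step=0.25):
    """Grid search for the point minimising max_i dist_i / bound_i, i.e. the
    point deepest inside the intersection of the discs. Returns ((lat, lon), score);
    a score below 1.0 means the point satisfies every constraint."""
    bounds = {n: rtts[n] * KM_PER_MS_RTT for n in rtts}
    best, best_score = None, float("inf")
    lat = lat_range[0]
    while lat <= lat_range[1] + 1e-9:
        lon = lon_range[0]
        while lon <= lon_range[1] + 1e-9:
            score = max(haversine_km(lat, lon, *landmarks[n]) / bounds[n] for n in rtts)
            if score < best_score:
                best, best_score = (lat, lon), score
            lon += step
        lat += step
    return best, best_score


def estimation_error_km(target=HIDDEN, landmarks=LANDMARKS):
    """End-to-end check: synthesize RTTs for `target`, estimate, return the error."""
    rtts = simulate_rtts(target, landmarks)
    estimate, _ = geolocate(rtts, landmarks)
    return haversine_km(*estimate, *target)


if __name__ == "__main__":
    rtts = simulate_rtts(HIDDEN, LANDMARKS)
    estimate, score = geolocate(rtts, LANDMARKS)
    print("RTTs (ms):", {n: round(v, 1) for n, v in rtts.items()})
    print(f"estimate {estimate} score {score:.3f} "
          f"error {estimation_error_km():.0f} km")
```

The minimax score is a useful diagnostic on real data: a best score above 1.0 means no point satisfies all discs, which happens when a landmark's RTT was measured to a flux agent rather than to the server behind it, or when the speed bound is too tight for the paths involved. Real measurements also require a calibrated delay-to-distance model per landmark rather than a single physical constant, which is where most of the remaining error in a scheme like this comes from.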