Tor Users Routed Slides

Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries
Aaron Johnson1 Chris Wacek2 Rob Jansen1 Micah Sherr2 Paul Syverson1
1 U.S.
Naval Research Laboratory, Washington, DC 2 Georgetown University, Washington, DC
MPI-SWS July 29, 2013

1
Summary: What is Tor?
Tor is a system for anonymous communication.

3
Tor is a system for anonymous communication. ^ popular

Over 500000 daily users and 2.4GiB/s aggregate 4
Summary: Who uses Tor?
Summary: Who uses Tor?

Individuals avoiding censorship Individuals avoiding surveillance Journalists protecting themselves or sources Law enforcement during investigations Intelligence analysts for gathering data
Summary: Tors Big Problem
10
Traffic Correlation Attack
11
Traffic Correlation Attack

Congestion attacks Throughput attacks Latency leaks Website fingerprinting Application-layer leaks Denial-of-Service attacks
12
Summary: Our Contributions
13
Summary: Our Contributions
1. Empirical analysis of traffic correlation threat 2. Develop adversary framework and security metrics 3. Develop analysis methodology and tools
14
Overview
Summary Tor Background Tor Security Analysis
o Adversary Framework o Security Metrics o Evaluation Methodology o Node Adversary Analysis o Link Adversary Analysis
Future Work
15
Overview
Future Work
16
Background: Onion Routing
Users
Onion Routers
Destinations
17
Users
Onion Routers
Destinations
18
Users
Onion Routers
Destinations
19
Users
Onion Routers
Destinations
20
Users
Onion Routers
Destinations
21
Background: Using Circuits
22
1. Clients begin all circuits with a selected guard.
23
1. Clients begin all circuits with a selected guard. 2. Relays define individual exit policies.
24
1. Clients begin all circuits with a selected guard. 2. Relays define individual exit policies. 3. Clients multiplex streams over a circuit.
25
1. 2. 3. 4.
Clients begin all circuits with a selected guard. Relays define individual exit policies. Clients multiplex streams over a circuit. New circuits replace existing ones periodically.
26
Overview
Future Work
27
Adversary Framework
28
Adversary Framework
29
Adversary Framework
30
Adversary Framework
31
Adversary Framework
Resource Types Relays Bandwidth Autonomous Systems (ASes) Internet Exchange Points (IXPs) Money
32
Adversary Framework
Resource Endowment Destination host 5% Tor bandwidth Source AS Equinix IXPs
33
Adversary Framework
Resource Endowment Destination host 5% Tor bandwidth Source AS Equinix IXPs Goal Target a given users communication Compromise as much traffic as possible Learn who uses Tor Learn what Tor is used for
34
Overview
Future Work
35
Security Metrics
Prior metrics
Security Metrics
Prior metrics 1. Probability of choosing bad guard and exit

a. c2 / n2 : Adversary controls c of n relays b. ge : g guard and e exit BW fractions are bad
Security Metrics

2. Probability some AS/IXP exists on both entry and exit paths (i.e. path independence)
Security Metrics

2. Probability some AS/IXP exists on both entry and exit paths (i.e. path independence) 3. gt : Probability of choosing malicious guard within time t
Security Metrics
Principles 1. Probability distribution 2. Measure on human timescales 3. Based on adversaries
40
Security Metrics
Principles 1. Probability distribution 2. Measure on human timescales 3. Based on adversaries
Metrics 1. Probability distribution of time until first path compromise 2. Probability distribution of number of path compromises for a given user over given time period
41
Overview
Background Onion Routing Security Analysis
o Problem: Traffic correlation o Adversary Model o Security Metrics o Evaluation Methodology o Node Adversary Analysis o Link Adversary Analysis
Future Work
42
TorPS: The Tor Path Simulator

Network Model
Relay statuses Streams StreamCircuit Client Software mappings Model

43
User Model

Network Model

44
User Model
TorPS: User Model

Gmail/GChat Gcal/GDocs Facebook Web search IRC BitTorrent
20-minute traces
45
TorPS: User Model

Gmail/GChat Gcal/GDocs
Typical
Facebook Web search IRC BitTorrent
20-minute traces
46
TorPS: User Model

Gmail/GChat Gcal/GDocs
Session schedule One session at 9:00, 12:00, 15:00, and 18:00 Su-Sa
Typical
Facebook Web search IRC BitTorrent
Repeated sessions 8:00-17:00, M-F Repeated sessions 0:00-6:00, Sa-Su

47
20-minute traces
TorPS: User Model

Gmail/GChat Gcal/GDocs Facebook Web search IRC BitTorrent
Session schedule One session at 9:00, 12:00, 15:00, and 18:00 Su-Sa
Typical Worst Port (6523) Best Port Repeated sessions (443)

8:00-17:00, M-F Repeated sessions 0:00-6:00, Sa-Su
48
20-minute traces
TorPS: User Model

Rank 1 2 3 65312 65313 65314 Port # 8300 6523 26 993 80 443 Exit BW % 19.8 20.1 25.3 89.8 90.1 93.0 LongLived Yes Yes No No No No Application iTunes? Gobby (SMTP+1) IMAP SSL HTTP HTTPS
Default-accept ports by exit capacity.

49
TorPS: User Model

Model Typical IRC BitTorrent WorstPort BestPorst Streams/wee k 2632 135 6768 2632 2632 IPs 205 1 171 205 205 Ports (#s) 2 (80, 443) 1 (6697) 118 1 (6523) 1 (443)
User model stream activity
50

Network Model

51
User Model

Network Model
metrics.torproject.org
Hourly consensuses Monthly server descriptors archive
52

Network Model

53
User Model

Client Software Model
Reimplemented path selection in Python Based on current Tor stable version (0.2.3.25) Major path selection features include
Bandwidth weighting Exit policies Guards and guard rotation Hibernation /16 and family conflicts
54
Omits effects of network performance
Overview
Future Work
55
Node Adversary
100 MiB/s total bandwidth

Relay Type Any Guard only Exit only Guard & Exit Number 2646 670 403 272 Bandwidth (GiB/s) 3.10 1.25 0.30 0.98
Rank 1 2 3 4 5
Bandwidth Family (MiB/s) 260.5 115.7 107.8 95.3 80.5 torservers.net Chaos Computer Club DFRI Team Cymru Paint
56
Tor relay capacity, 3/31/13
Top Tor families, 3/31/13
Node Adversary
100 MiB/s total bandwidth
Probability to compromise at least one stream and rate of compromise, 10/12 3/13.
57
Node Adversary
100 MiB/s total bandwidth 83.3 MiB/s guard,16.7 MiB/s exit
58
Node Adversary Results

Time to first compromised stream, 10/12 3/13
Fraction compromised streams, 10/12 3/13
59

Time to first compromised guard, 10/12 3/13
Fraction streams with compromised guard, 10/12 3/13

60

Time to first compromised exit, 10/12 3/13
Fraction compromised exits, 10/12 3/13
61
Time to first compromised circuit, 10/12-3/13

62
Overview
Future Work
63
Link Adversary
64
Link Adversary
AS 6
AS1 AS2
AS8
AS 6
AS3 AS4
AS 7
AS5
1. Autonomous Systems (ASes)
65
Link Adversary
AS 6
AS1 AS2
AS8
AS 6
AS3 AS4
AS 7
AS5
1. Autonomous Systems (ASes) 2. Internet Exchange Points (IXPs)
66
Link Adversary
AS 6
AS1 AS2
AS8
AS 6
AS3 AS4
AS 7
AS5
1. Autonomous Systems (ASes) 2. Internet Exchange Points (IXPs) 3. Adversary has fixed location
67
Link Adversary
AS 6
AS1 AS2
AS8
AS 6
AS3 AS4
AS 7
AS5
1. Autonomous Systems (ASes) 2. Internet Exchange Points (IXPs) 3. Adversary has fixed location
68
Link Adversary
AS 6
AS1 AS2
AS8
AS 6
AS3 AS4
AS 7
AS5
1. 2. 3. 4.
Autonomous Systems (ASes) Internet Exchange Points (IXPs) Adversary has fixed location Adversary may control multiple entities
a. Top ASes b. IXP organizations
69
Link Adversary
Client locations Top 5 non-Chinese source ASes in Tor (Edman&Syverson 09)
AS# 3320 3209 3269 Description Deutsche Telekom AG Arcor Telecom Italia Country Germany Germany Italy Germany
13184 HanseNet Telekommunikation 6805
Telefonica Deutschland Germany ID 3356 1299 6939 286 DE-CIX Description Level 3 Communications TeliaNet Global Hurricane Electric DE-CIX Frankfurt DE-CIX
AS/IXP Locations Ranked for client location by frequency on entry or exit paths Exclude src/dst ASes Top k ASes /top IXP organization
Type AS AS AS IXP IXP Org.
Example: Adversary locations for BitTorrent client in AS 3320
70
Link Adversary
IXP organizations obtained by manual clustering based on PeerDB and PCH.
# 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
IXP Organization Equinix PTTMetro PIPE NIXI XChangePoint MAE/VERIZON Netnod Any2 PIX JPNAP DE-CIX AEPROVI Vietnam NorthWestIX Terremark Telx NorrNod ECIX JPIX
Size Country 26 8 6 6 5 5 5 4 4 3 2 2 2 2 2 2 2 2 2 global Brazil Australia India global global Sweden US Canada Japan Germany Equador Vietnam Montana, US global US Sweden Germany Japan
71
IXP organizations ranked by size
Link Adversary
Adversary controls one AS, Time to first compromised stream, 1/13 3/13 Best: most secure client AS Worst: least secure client AS
Adversary controls one AS, Fraction compromised streams, 1/13 3/13 Best: most secure client AS Worst: least secure client AS
72
Link Adversary
Adversary controls IXP organization, Time to first compromised stream, 1/13 3/13, Best: most secure client AS Worst: least secure client AS
Adversary controls top ASes, Time to first compromised stream, 1/13 3/13, Only best client AS
73
Overview
Future Work
74
Future Work
1. Extending analysis 2. Improving guard selection 3. Using trust-based path selection to protect against traffic correlation 4. Dealing with incomplete and inaccurate AS and IXP maps 5. Include Tors performance-based pathselection features in TorPS
75

Tor Users Routed Slides

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Tor Users Routed Slides

Uploaded by

Copyright:

Available Formats

Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries

Naval Research Laboratory, Washington, DC 2 Georgetown University, Washington, DC

MPI-SWS July 29, 2013

Summary: What is Tor?

Summary: What is Tor?

Tor is a system for anonymous communication.

Summary: What is Tor?

Tor is a system for anonymous communication. ^ popular

Summary: Who uses Tor?

Summary: Who uses Tor?

Summary: Tors Big Problem

Summary: Tors Big Problem

Summary: Tors Big Problem

Summary: Tors Big Problem

Summary: Tors Big Problem

Traffic Correlation Attack

Summary: Tors Big Problem

Traffic Correlation Attack

Summary: Our Contributions

Summary: Our Contributions

Background: Onion Routing

Background: Onion Routing

Background: Onion Routing

Background: Onion Routing

Background: Onion Routing

Background: Using Circuits

Background: Using Circuits

1. Clients begin all circuits with a selected guard.

Background: Using Circuits

Background: Using Circuits

Background: Using Circuits

Prior metrics 1. Probability of choosing bad guard and exit

Prior metrics 1. Probability of choosing bad guard and exit

Prior metrics 1. Probability of choosing bad guard and exit

TorPS: The Tor Path Simulator

Relay statuses Streams StreamCircuit Client Software mappings Model

TorPS: The Tor Path Simulator

Relay statuses Streams StreamCircuit Client Software mappings Model

TorPS: User Model

TorPS: User Model

TorPS: User Model

Repeated sessions 8:00-17:00, M-F Repeated sessions 0:00-6:00, Sa-Su

TorPS: User Model

Typical Worst Port (6523) Best Port Repeated sessions (443)

TorPS: User Model

Default-accept ports by exit capacity.

TorPS: User Model

User model stream activity

TorPS: The Tor Path Simulator

Relay statuses Streams StreamCircuit Client Software mappings Model

TorPS: The Tor Path Simulator

TorPS: The Tor Path Simulator

Relay statuses Streams StreamCircuit Client Software mappings Model

TorPS: The Tor Path Simulator

Omits effects of network performance

100 MiB/s total bandwidth

Tor relay capacity, 3/31/13

Top Tor families, 3/31/13

100 MiB/s total bandwidth

100 MiB/s total bandwidth 83.3 MiB/s guard,16.7 MiB/s exit

Node Adversary Results

Fraction compromised streams, 10/12 3/13

Node Adversary Results