Low-latency Anonymous Communication Systems Research Articles

Comparative Analysis of Low Latency Anonymous Communication Systems

Comparative Analysis of Low Latency Anonymous Communication Systems

TorWard: Discovery, Blocking, and Traceback of Malicious Traffic Over Tor

Tor is a popular low-latency anonymous communication system. It is, however, currently abused in various ways. Tor exit routers are frequently troubled by administrative and legal complaints. To gain an insight into such abuse, we designed and implemented a novel system, TorWard, for the discovery and the systematic study of malicious traffic over Tor. The system can avoid legal and administrative complaints, and allows the investigation to be performed in a sensitive environment such as a university campus. An intrusion detection system (IDS) is used to discover and classify malicious traffic. We performed comprehensive analysis and extensive real-world experiments to validate the feasibility and the effectiveness of TorWard. Our results show that around 10% Tor traffic can trigger IDS alerts. Malicious traffic includes P2P traffic, malware traffic (e.g., botnet traffic), denial-of-service attack traffic, spam, and others. Around 200 known malwares have been identified. To mitigate the abuse of Tor, we implemented a defense system, which processes IDS alerts, tears down, and blocks suspect connections. To facilitate forensic traceback of malicious traffic, we implemented a dual-tone multi-frequency signaling-based approach to correlate botnet traffic at Tor entry routers and that at exit routers. We carried out theoretical analysis and extensive real-world experiments to validate the feasibility and the effectiveness of TorWard for discovery, blocking, and traceback of malicious traffic.

A Stealthy Attack Against Tor Guard Selection

Tor is a popular low-latency anonymous communication system which could provide anonymity and anti-censorship. Based on previous researches on de-anonymization of Tor, this paper proposes a novel approach to attack users’ guard selection which can pose great threat against Tor users' anonymity. Under the current design of Tor, once entry guards are compromised, the probability that an attacker observes both ends of a Tor circuit will be highly improved. Actual and simulated experiments both show that an attacker (e.g., a local or national government which have the power to monitor a Tor user’s internet connection) can successfully compromise a specific Tor user’s entry guard in about 30 minutes, and this can further help de-anonymize the user’s anonymous communication.

Tor Bridge Discovery: Extensive Analysis and Large-scale Empirical Evaluation

Tor is a well-known low-latency anonymous communication system that is able to bypass the Internet censorship. However, publicly announced Tor routers are being blocked by various parties. To counter the censorship blocking, Tor introduced non-public bridges as the first-hop relay into its core network. In this paper, we investigated the effectiveness of two categories of bridge-discovery approaches: 1) enumerating bridges from bridge HTTPS and email servers, and 2) inferring bridges by malicious Tor middle routers. Large-scale real-world experiments were conducted and validated our theoretic findings. We discovered 2365 Tor bridges through the two enumeration approaches and 2369 bridges by only one Tor middle router in 14 days. Our study shows that the bridge discovery based on malicious middle routers is simple, efficient, and effective to discover bridges with little overhead. We also discussed issues related to bridge discovery and mechanisms to counter the malicious bridge discovery.

ATTACK AGAINST ANONYMITY USING CELL COUNTING

Various low-latency anonymous communication systems such as Tor and Anonymizer have been designed to provide anonymity service for users. In order to hide the communication of users, most of the anonymity systems pack the application data into equal-sized cells. Via extensive experiments on Tor, we found that the size of IP packets in the Tor network can be very dynamic because a cell is an application concept and the IP layer may repack cells. Based on this finding, we investigate a new cell-counting-based attack against Tor, which allows the attacker to confirm anonymous communication relationship among users very quickly. In this attack, by marginally varying the number of cells in the target traffic at the malicious exit onion router, the attacker can embed a secret signal into the variation of cell counter of the target traffic. The embedded signal will be carried along with the target traffic and arrive at the malicious entry onion router. Then, an accomplice of the attacker at themalicious entry onion router will detect the embedded signal based on the received cells and confirm the communication relationship among users. We have implemented this attack against Tor, and our experimental data validate its feasibility and effectiveness. There are several unique features of this attack. First, this attack is highly efficient and can confirm very short communication sessions with only tens of cells. Second, this attack is effective, and its detection rate approaches 100% with a very low false positive rate. Third, it is possible to implement the attack in a way that appears to be very difficult for honest participants to detect.

A New Cell-Counting-Based Attack Against Tor

Various low-latency anonymous communication systems such as Tor and Anonymizer have been designed to provide anonymity service for users. In order to hide the communication of users, most of the anonymity systems pack the application data into equal-sized cells (e.g., 512 B for Tor, a known real-world, circuit-based, low-latency anonymous communication network). Via extensive experiments on Tor, we found that the size of IP packets in the Tor network can be very dynamic because a cell is an application concept and the IP layer may repack cells. Based on this finding, we investigate a new cell-counting-based attack against Tor, which allows the attacker to confirm anonymous communication relationship among users very quickly. In this attack, by marginally varying the number of cells in the target traffic at the malicious exit onion router, the attacker can embed a secret signal into the variation of cell counter of the target traffic. The embedded signal will be carried along with the target traffic and arrive at the malicious entry onion router. Then, an accomplice of the attacker at the malicious entry onion router will detect the embedded signal based on the received cells and confirm the communication relationship among users. We have implemented this attack against Tor, and our experimental data validate its feasibility and effectiveness. There are several unique features of this attack. First, this attack is highly efficient and can confirm very short communication sessions with only tens of cells. Second, this attack is effective, and its detection rate approaches 100% with a very low false positive rate. Third, it is possible to implement the attack in a way that appears to be very difficult for honest participants to detect (e.g., using our hopping-based signal embedding).

Ferris wheel: A ring based onion circuit for hidden services

The capability that a server can hide its location while offering various kinds of services to its clients is called hidden services or location-hiding. Almost previous low-latency anonymous communication systems such as Tor, MorphMix, etc., that can be used to implement hidden services are vulnerable against end-to-end traffic analysis attack. This paper introduces Ferris wheel, a novel architecture for implementing hidden services which is robust against end-to-end traffic analysis attack. Moreover, our scheme is more robust against various traffic analysis attacks than previous low-latency anonymous communication architectures.

A potential HTTP-based application-level attack against Tor

Tor has become one of the most popular overlay networks for anonymizing TCP traffic, however, the anonymity of Tor clients is threatened by various attacks exploiting traffic analysis or Tor’s design features. Although considerable effort has been made to secure and improve Tor networks, little attention has been paid to various application-level attacks against Tor. In this paper, we present a potential HTTP-based application-level attack against Tor, which exploits both Tor’s design features and HTTP’s vulnerability to man-in-the-middle attacks. Such an application-level attack can efficiently and effectively compromise the anonymity of clients without using invasive plugins like Java or any other active content systems in a web browser, posing a serious threat to Tor. Our analytical and empirical results validate the feasibility and effectiveness of the attack. Based on our analysis of the potential attack mechanism, we propose corresponding countermeasures to thwart such potential application-level attacks against Tor, thereby effectively securing and improving Tor networks. Since the fundamental vulnerability exposed by this paper is not specific to web browsing via Tor but rather to the problem of other low-latency applications based on TCP streams, our study is critical for securing and improving low-latency anonymous communication systems.