Transcript exit router

Predicting Tor Path Compromise by Exit Port
Tor Network
Client
Entry Guard
Exit Router
Destination
Host
Middle
Router
Circuit
Directory Server
Kevin Bauer, Dirk Grunwald, and Douglas Sicker
University of Colorado
IEEE WIDA 2009
December 16, 2009
Tor: Anonymity for TCP Applications
Last hop knows
the destination
Colluding entry and exit routers can use simple timing
analysis to de-anonymize the client and destination
[Serjantov et al., 2003; Levine et al., 2004]
First hop knows
the client
Client
Tor Network
Entry Guard
Exit Router
Destination
Host
Middle
Router
Circuit
Directory Server
Router List
Tor provides anonymity for TCP by tunneling traffic through a
virtual circuit of three Tor routers using layered encryption
1
Prior Attacks Against Tor
Last hop knows
the destination
Prior work showed that the likelihood of
circuit compromise in Tor is relatively high
[Bauer et al., 2007]
First hop knows
the client
Client
Exit Router
Tor Network
Entry Guard
Destination
Host
Middle
Router
Circuit
Directory Server
High BW routers
chosen most often
Router List
1. Clients choose Tor routers in proportion to their bandwidths
2. Tor routers self-advertise their bandwidth capacities
Routers
can lie!
2
Our Contribution
We observe that the bandwidth available for different
applications is not uniformly distributed among exit Tor routers
We extend prior work by investigating whether certain applications
are more vulnerable to attack than others
We hypothesize that traffic destined for ports with little bandwidth is
3
more vulnerable to circuit compromise
Talk Outline
• Background on path selection in Tor
• Experimental setup
• Experimental results
– Exit bandwidth is not uniformly distributed
– Long-lived traffic requires “stable” routers
• Toward solutions
• Future work
• Summary and conclusions
4
Path Selection in Tor
• Clients choose Tor routers in proportion to their
bandwidth capacities
• To reduce the risk of path compromise, Tor clients
choose their circuits very carefully
• Circuit construction rules
Mitigates risk
of choosing
adversary
controlled
routers
• A router may only be used once per circuit
• Only one router per /16 network and two routers per IP
address
Mitigates the
• First router must be an entry guard
“predecessor
attack”
Ensures traffic • The exit router must allow connections to the traffic’s
can be delivered destination host and port
5
Path Selection: Exit Policies
• Tor allows exit routers to specify their own exit policies
• Can be used to help router operators manage risk of abuse
[Bauer et al., 2008]
• Possible Tor router configurations
– Non-exit: Router is not allowed to connect to any (non-Tor) Internet host
– Exit: May connect to designated port numbers (and hosts) on the Internet
Middle Router
Client
Exit
Router
Destination
Host
Entry Guard
6
Path Selection: Stable Paths
• Applications with persistent sessions (SSH,
FTP) require special routers that have been
alive for a long time
• Marked as Stable by the directory servers
– Stable router is in the top half of all routers in
terms of mean time between failures
– Or alive for at least 30 days
7
Experimental Evaluation: Setup
• We simulate Tor’s router selection algorithm to study how
certain applications may be more vulnerable to circuit
compromise
• Fuel simulations with real Tor router data from the
directory servers (May 31, 2009 snapshot)
– 1,444 total routers with 403.3 MB total bandwidth
– 770 “stable” routers with 326.9 MB total bandwidth
• Simulation details
– Generate 10,000 circuits for applications (default port):
• FTP (21), SSH (22), Telnet (23), SMTP (25), HTTP (80), POP3 (110),
HTTPS (443), Kazaa P2P (1214), BitTorrent tracker (6969), Gnutella P2P
(6346), and eDonkey P2P (4661)
– Add 6 - 106 malicious routers (10 MB/s BW) and count
compromised circuits
8
Experimental Evaluation: Results
Fraction of circuits that are compromised for each application’s default exit port
6 routers (with 60 MB) make up 12% of the total bandwidth
SMTP (outgoing E-mail) and peer-to-peer file sharing
applications are more vulnerable to circuit compromise
The number of circuits compromised increases as more
malicious routers are injected into the network
9
Exit Bandwidth Distribution is Skewed
Distribution of exit bandwidth by default exit port number
SMTP and peer-to-peer applications have fewest
routers and least amount of exit bandwidth
Fraction of circuits that are compromised for each application’s default exit port
10
Long-Lived Traffic Needs “Stable” Routers
• Applications with persistent sessions require
“stable” routers
• Only 770/1,444 routers are Stable
Distribution of exit bandwidth by default exit port number
Fraction of circuits that are compromised for each application’s default exit port
• Slightly higher compromise rate than
HTTP/HTTPS/Telnet/POP3
11
Only the Exit Router is Malicious
• If only the exit router is malicious, an attacker could still
learn significant identifying information
– i.e., Login credentials
• HTTP
– 6 malicious routers: Controls exit router 33.6% of the time
– 16 malicious routers: Controls exit router 56.5% of the time
• FTP
– 6 malicious routers: Controls exit router 46.7% of the time
– 16 malicious routers: Controls exit router 70.7% of the time
• This is a very real threat, since many popular websites
still do not provide TLS-protected logins
12
Toward Solutions
• One solution is to give users the ability to manage their
risk of attack
• Prior work proposed that users tune the router
selection between bandwidth-weighted and uniform
router selection [Snader and Borisov, 2008]
– Allows users to trade-off between strong anonymity and
strong performance
Only 0.09% of
BitTorrent tracker
Uniform router selection:
circuits compromised
c > 1 malicious routers
E > 0 is number exit routers
N > 1 number total routers Compare to 18.5%
• However, it remains necessary to balance the traffic
load over the available bandwidth
• General solutions to this attack is an open problem
13
Future Work: Selective DoS Attacks
• Extend this work to consider selective denial-of-service attacks
– Attack strategy: If an adversary does not control the endpoints of a
given circuit, they disrupt the circuit, causing it to be rebuilt
Fraction of circuits that are compromised for each application’s default exit port
Initial results with selective denial-of-service
Effects of bandwidth disparities are magnified
SMTP and peer-to-peer applications show extremely high
compromise rate (68-93%) with only 6 malicious routers
14
Summary and Conclusions
Tor Network
Client
Entry Guard
Exit Router
Destination
Host
Middle
Router
Circuit
Directory Server
• We demonstrated our hypothesis that certain applications are
more vulnerable than others to circuit compromise in Tor
• Through a simulation study driven by data obtained from the
real Tor network, we found that SMTP and peer-to-peer file
sharing applications are most vulnerable
• We suggest that concerned users tune the router selection
bias to control the risk of path compromise
15