esorics 2012 presentation 2

8/10/2019 ESORICS 2012 Presentation 2

1/23

TorScan: Tracing Long-lived Connections andDifferential Scanning Attacks

A. Biryukov, I. Pustogarov, R.P. Weinmann

University of Luxembourg

[email protected]

September 5, 2012

A. Biryukov, I. Pustogarov, R.P. Weinmann (UNI LU)

Torscan September 5, 2012 1 / 23


2/23

Overview

What is Tor and How it worksA classication of published attacks on TorRevealing Tor topology informationTopology-based attacksEvaluation of the attacks




3/23

Tor anonymity network

Tor relays Internet servers running Tor softwareBoth relays and clients run the same softwareAuthorities 9 most trusted relays which maintain and distribute the

list of Tor relays (the Consensus)Clients route their traffic through a chain of Tor relaysTor relays do not delay traffic nor use paddingIs the most popular anonymity network (> 3000 Tor relays; 400,000

users/day).It is fast.




4/23


5/23

Classication of published attacks

Passive traffic analysis attacks.Cell counting, time correlation,Website ngerprinting

Active traffic analysis attacksWatermarking, node clogging,etc.

Attacks based on informationleakage from specic applications.

Bittorrent leaking IP addresses,etc.

A. Biryukov, I. Pustogarov, R.P. Weinmann (UNI LU) Torscan September 5, 2012 5 / 23


6/23

Intersection attack and Guard nodes

Controlling the entry node andsniffing the server locating theclientIf the entry node is chosenrandomly, as the client makesmany different circuits over time,then the probability that theattacker will see a sample of thetraffic goes to 1

It does not happen if the entrynodes are xed. Each client hasa pool of three guard nodeswhich are actual for 1 month



7/23

The attack goal

We do not reveal the actual IP address of a clientWe do reveal the guard nodes of a clientGuard nodes are the next point to attack.Guard nodes are specic to the user and can be considered as hissignature



8/23

The key to our attack

Before the Tor network was considered as a fully connected graph

We have found ways to probe the connectivity of a Tor relay.We found how topology leakage can be used to trace back a userfrom an exit relay to a small set of potential entry nodes.



9/23

Revealing Tor connectivity (1/5)

Each node is uniquely identied by its RSA public key (ngerprint)Use CREATE/CREATED cells to exchange a Diffie-Hellman key.Use EXTEND cell to relay a CREATE cellEXTEND cell contains the ngerprint and IP address of the next relay

EXTENDED cell indicates the success; DESTROY cell indicates afailure



10/23

Revealing Tor connectivity (2/5)

Each node is uniquely identied by its RSA public key (ngerprint)Use CREATE/CREATED cells to exchange keys.Use EXTEND cell to relay a CREATE cellEXTEND cell contains the ngerprint and IP address of the next relay

EXTENDED cell indicates the success; DESTROY cell indicates afailure



11/23

Reavealing Tor connectivity (4/5)

Each pair of Tor relays tries to keep just one TLS connectionA connections to Relay A is Canonical if IP A and ngerprint A of relayA are from the Consensus documentThe canonical connection will be used for all subsequent circuitextension requests to the relay with ngerprint A . IP address isignored

What happens if I indicate a ngerprint from the consensus and127.0.0.1 as IP



12/23


Each pair of Tor relays tries to keep just one TLS connectionA connections to Relay A is Canonical if IP A and ngerprint A of relayA are from the Consensus documentThe canonical connection will be used for all subsequent circuitextension requests to the relay with ngerprint A . IP address isignored

What happens if I indicate a ngerprint from the consensus and127.0.0.1 as IP



13/23


It takes less time to extend a circuit over already existing connection18 additional steps at least 18 RTT time slower



14/23

Show me!

One scan takes 30 seconds. Can be easily parallelized.

89 USD for scanning the whole network for a day (4 minutes betweenscans).



15/23

The attack scenarios

1 We will trace Long-lived connections: long-lived SSH sessions, verylarge les downloads, le-sharing applications and communications

over instant messaging networks.2 We will trace recurrent connections: Gmail establishes new

connections every 2 minutes; web sites with auto-refresh contents.Pseudonymous user is identied by a cookie or a login credential.



16/23

Tracing Long-lived connections.



17/23

Tracing Long-lived connections. Evaluation

How long should we wait for other connections to disappear?What is the asymptotic behaviour of the decay curve?



18/23

Tracing Long-lived connections. Evaluation

How long should we wait for other connections to disappear?What is connections duration distribution?Are there immortal connections? Incoming circuit rate for thisconnections is very high

What is the asymptotic behaviour of the decay curve?


ff l


19/23

Differential scanning

1 Tor Specication: a circuit (route) lives 10 minutes2 Assume the client establishes recurrent connection to the server3 The client is identied by his cookie or pseudonym4 If we kill connection A, there is a probability that connection B will

drop as well


Diff i l i E l i


20/23

Differential scanning. Evaluation

1 What is the probability that connections B drops (Signal)?

2 What is the probability that other connections drops (Noise)?3 How many tries should we make?

C37B234FAD013453B90375EB55864FEBC876104A : 58 (PPrivCom052) bw=36500 CA1CF70F4E6AF9172E6E743AC5F1E918FFE2B476 : 35 (spfTOR3) bw=29800



21/23

C l i


22/23

Conclusion

All prior research on Tor assumed opacity of the Tor network topologymeaning that the attacker had to assume a fully connected graph.In practice, the real degree of a node in this graph is substantiallysmaller than its maximum at any given point in time.For the rst time, we have shown methods to determine the realconnectivity of relays in the Tor network and the dynamics of thetopology of the whole Tor network.Based on this, we described several novel attacks that use this

information to deanonymize the entry points of the users into the Tornetwork.



23/23

Thank you.


esorics 2012 presentation 2

Documents