Guard Placement Attacks on Path Selection Algorithms for Tor

Open access

Abstract

The popularity of Tor has made it an attractive target for a variety of deanonymization and fingerprinting attacks. Location-based path selection algorithms have been proposed as a countermeasure to defend against such attacks. However, adversaries can exploit the location-awareness of these algorithms by strategically placing relays in locations that increase their chances of being selected as a client’s guard. Being chosen as a guard facilitates website fingerprinting and traffic correlation attacks over extended time periods. In this work, we rigorously define and analyze the guard placement attack. We present novel guard placement attacks and show that three state-of-the-art path selection algorithms—Counter-RAPTOR, DeNASA, and LASTor—are vulnerable to these attacks, overcoming defenses considered by all three systems. For instance, in one attack, we show that an adversary contributing only 0.216% of Tor’s total bandwidth can attain an average selection probability of 18.22%, 84× higher than what it would be under Tor currently. Our findings indicate that existing location-based path selection algorithms allow guards to achieve disproportionately high selection probabilities relative to the cost required to run the guard. Finally, we propose and evaluate a generic defense mechanism that provably defends any path selection algorithm against guard placement attacks. We run our defense mechanism on each of the three path selection algorithms, and find that our mechanism significantly enhances the security of these algorithms against guard placement attacks with only minimal impact to the goals or performance of the original algorithms.

[1] Masoud Akhoondi, Curtis Yu, and Harsha V. Madhyastha. LASTor: A Low-latency AS-aware Tor Client. IEEE/ACM Transactions on Networking, 22(6), 2014.

[2] Mashael AlSabah, Kevin Bauer, Tariq Elahi, and Ian Goldberg. The Path Less Travelled: Overcoming Tor’s Bottlenecks with Traffic Splitting. In Privacy Enhancing Technologies, 2013.

[3] Michael Backes, Sebastian Meiser, and Marcin Slowik. Your choice mator (s). Proceedings on Privacy Enhancing Technologies, 2016(2), 2016.

[4] Armon Barton, Mohsen Imani, Jiang Ming, and Matthew Wright. Towards Predicting Efficient and Anonymous Tor Circuits. In Proceedings of the 27th USENIX Conference on Security Symposium, 2018.

[5] Armon Barton and Matthew Wright. DeNASA: Destination-Naive AS-Awareness in Anonymous Communications. In Proceedings on Privacy Enhancing Technologies, 2016.

[6] Kevin Bauer, Damon McCoy, Dirk Grunwald, Tadayoshi Kohno, and Douglas Sicker. Low-resource Routing Attacks Against Tor. In Proceedings of the 2007 ACM Workshop on Privacy in Electronic Society, WPES ’07, 2007.

[7] Xiang Cai, Rishab Nithyanand, Tao Wang, Rob Johnson, and Ian Goldberg. A Systematic Approach to Developing and Evaluating Website Fingerprinting Defenses. In ACM Conference on Computer and Communications Security (CCS), 2014.

[8] CAIDA Data. http://www.caida.org/data.

[9] Roger Dingledine and George Kadianakis. One fast guard for life (or 9 months). In HotPETs, 2014.

[10] Roger Dingledine, Nick Mathewson, and Paul Syverson. Tor: The Second-generation Onion Router. In Proceedings of the 13th Conference on USENIX Security Symposium, 2004.

[11] John R. Douceur. The Sybil Attack. In Revised Papers from the First International Workshop on Peer-to-Peer Systems, 2002.

[12] Kevin P. Dyer, Scott E. Coull, Thomas Ristenpart, and Thomas Shrimpton. Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP ’12, 2012.

[13] Matthew Edman and Paul Syverson. AS-awareness in Tor Path Selection. In Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS ’09, 2009.

[14] Tariq Elahi, Kevin Bauer, Mashael AlSabah, Roger Dingledine, and Ian Goldberg. Changing of the Guards: A Framework for Understanding and Improving Entry Guard Selection in Tor. In Proceedings of the 2012 ACM Workshop on Privacy in the Electronic Society, WPES ’12, 2012.

[15] Nick Feamster and Roger Dingledine. Location Diversity in Anonymity Networks. In Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society, WPES ’04, 2004.

[16] Lixin Gao and Jennifer Rexford. Stable Internet Routing Without Global Coordination. IEEE/AM Transactions on Networking, 9(6), 2001.

[17] David M. Goldschlag, Michael G. Reed, and Paul F. Syverson. Hiding Routing Information. In Proceedings of the First International Workshop on Information Hiding, 1996.

[18] Jamie Hayes and George Danezis. k-fingerprinting: A Robust Scalable Website Fingerprinting Technique. In 25th USENIX Security Symposium (USENIX Security 16), 2016.

[19] Andrew Hintz. Fingerprinting Websites Using Traffic Analysis. In Proceedings of the 2nd International Conference on Privacy Enhancing Technologies, 2003.

[20] Rob Jansen, Tavish Vaidya, and Micah Sherr. Point Break: A Study of Bandwidth Denial-of-Service Attacks against Tor. In 28th USENIX Security Symposium, 2019.

[21] Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr, and Paul Syverson. Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries. In ACM Conference on Computer and Communications Security (CCS), CCS ’13, 2013.

[22] Marc Juarez, Sadia Afroz, Gunes Acar, Claudia Diaz, and Rachel Greenstadt. A Critical Evaluation of Website Fingerprinting Attacks. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS ’14, 2014.

[23] Joshua Juen. Protecting anonymity in the presence of Autonomous System and Internet exchange level adversaries. Master’s thesis, University of Illinois at Urbana-Champaign, 2012.

[24] Shuai Li, Huajun Guo, and Nicholas Hopper. Measuring Information Leakage in Website Fingerprinting Attacks and Defenses. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018.

[25] Maxmind GeoLite2 Database. https://dev.maxmind.com/geoip/geoip2/geolite2/.

[26] Steven J. Murdoch and George Danezis. Low-Cost Traffic Analysis of Tor. In Proceedings of the 2005 IEEE Symposium on Security and Privacy, SP ’05, 2005.

[27] Steven J. Murdoch and Piotr Zieliński. Sampled Traffic Analysis by Internet-Exchange-Level Adversaries. In Privacy Enhancing Technologies Symposium (PETS), 2007.

[28] Milad Nasr, Alireza Bahramali, and Amir Houmansadr. DeepCorr: Strong Flow Correlation Attacks on Tor Using Deep Learning. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018.

[29] Milad Nasr, Amir Houmansadr, and Arya Mazumdar. Compressive Traffic Analysis: A New Paradigm for Scalable Traffic Analysis. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS ’17, 2017.

[30] Rishab Nithyanand, Oleksii Starov, Adva Zair, Phillipa Gill, and Michael Schapira. Measuring and mitigating AS-level adversaries against Tor. In Symposium on Network and Distributed System Security (NDSS), 2016.

[31] Lasse Overlier and Paul Syverson. Locating Hidden Servers. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, 2006.

[32] Andriy Panchenko, Fabian Lanze, Jan Pennekamp, Thomas Engel, Andreas Zinnen, Martin Henze, and Klaus Wehrle. Website Fingerprinting at Internet Scale. In Symposium on Network and Distributed System Security (NDSS), 2016.

[33] Andriy Panchenko, Lukas Niessen, Andreas Zinnen, and Thomas Engel. Website Fingerprinting in Onion Routing Based Anonymization Networks. In Proceedings of the 10th Annual ACM Workshop on Privacy in the Electronic Society, WPES ’11, 2011.

[34] Mike Perry. TorFlow: Tor Network Analysis. In HotPETs, 2009.

[35] Vera Rimmer, Davy Preuveneers, Marc Juárez, Tom van Goethem, and Wouter Joosen. Automated Website Fingerprinting through Deep Learning. In Symposium on Network and Distributed System Security (NDSS), 2018.

[36] Florentin Rochet and Olivier Pereira. Waterfilling: Balancing the Tor network with maximum diversity. Proceedings on Privacy Enhancing Technologies, 2017(2), 2017.

[37] Micah Sherr, Matt Blaze, and Boon Thau Loo. Scalable Link-Based Relay Selection for Anonymous Routing. In Proceedings of the 9th International Symposium on Privacy Enhancing Technologies, 2009.

[38] Payap Sirinam, Mohsen Imani, Marc Juarez, and Matthew Wright. Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, 2018.

[39] Robin Snader and Nikita Borisov. A Tune-up for Tor: Improving Security and Performance in the Tor Network. In Proceedings of 16th Annual Network and Distributed System Security Symposium, 2008.

[40] Yixin Sun, Anne Edmundson, Nick Feamster, Mung Chiang, and Prateek Mittal. Counter-RAPTOR: Safeguarding Tor Against Active Routing Attacks. In IEEE Symposium on Security and Privacy, 2017.

[41] Yixin Sun, Anne Edmundson, Laurent Vanbever, Oscar Li, Jennifer Rexford, Mung Chiang, and Prateek Mittal. RAPTOR: Routing Attacks on Privacy in Tor. In Proceedings of the 24th USENIX Conference on Security Symposium, SEC’15, 2015.

[42] Paul Syverson, Gene Tsudik, Michael Reed, and Carl Landwehr. Towards an Analysis of Onion Routing Security. In International Workshop on Designing Privacy Enhancing Technologies: Design Issues in Anonymity and Unobservability, 2001.

[43] Team-Cymru. http://www.team-cymru.com.

[44] CollecTor - Tor Project. https://metrics.torproject.org/collector.html.

[47] Tor Metrics Portal. https://metrics.torproject.org/.

[49] Yves Tillé. An elimination procedure of unequal probability sampling without replacement. Biometrika, 83, 1996.

[50] Thaddeus Vincenty. Direct and Inverse Solutions of Geodesics on the Ellipsoid with Application of Nested Equations. In Survey Review, 1975.

[51] Ryan Wails, Yixin Sun, Aaron Johnson, Mung Chiang, and Prateek Mittal. Tempest: Temporal Dynamics in Anonymity Systems. In Privacy Enhancing Technologies Symposium (PETS), 2018.

[52] Tao Wang, Kevin Bauer, Clara Forero, and Ian Goldberg. Congestion-Aware Path Selection for Tor. In International Conference on Financial Cryptography and Data Security, 2012.

[53] Tao Wang, Xiang Cai, Rishab Nithyanand, Rob Johnson, and Ian Goldberg. Effective Attacks and Provable Defenses for Website Fingerprinting. In USENIX Security Symposium, 2014.

[54] Tao Wang and Ian Goldberg. Improved Website Fingerprinting on Tor. In Proceedings of the 12th ACM Workshop on Workshop on Privacy in the Electronic Society, WPES ’13, 2013.

[55] Tao Wang and Ian Goldberg. On realistically attacking Tor with website fingerprinting. In Privacy Enhancing Technologies Symposium (PETS), 2016.

[56] Tao Wang and Ian Goldberg. Walkie-Talkie: An Efficient Defense Against Passive Website Fingerprinting Attacks. In 26th USENIX Security Symposium (USENIX Security 17), 2017.

[57] Philipp Winter, Roya Ensafi, Karsten Loesing, and Nick Feamster. Identifying and Characterizing Sybils in the Tor Network. In 25th USENIX Security Symposium (USENIX Security 16), 2016.

[58] Philipp Winter and Stefan Lindskog. Spoiled Onions: Exposing Malicious Tor Exit Relays. In Privacy Enhancing Technologies Symposium (PETS), 2014.

[59] Matthew Wright, Micah Adler, Brian N. Levine, and Clay Shields. Defending Anonymous Communications Against Passive Logging Attacks. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, SP ’03, 2003.

Journal Information

Metrics

All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 32 32 32
PDF Downloads 20 20 20