Hashing it out in public: common failure modes of DHT-based anonymity schemes

We examine peer-to-peer anonymous communication systems that use Distributed Hash Table algorithms for relay selection. We show that common design flaws in these schemes lead to highly effective attacks against the anonymity provided by the schemes. These attacks stem from attacks on DHT routing, and are not mitigated by the well-known DHT security mechanisms due to a fundamental mismatch between the security requirements of DHT routing's put/get functionality and anonymous routing's relay selection functionality. Our attacks essentially allow an adversary that controls only a small fraction of the relays to function as a global active adversary. We apply these attacks in more detail to two schemes: Salsa and Cashmere. In the case of Salsa, we show that an attacker that controls 10% of the relays in a network of size 10,000 can compromise more than 80% of all completed circuits; and in the case of Cashmere, we show that an attacker that controls 20% of the relays in a network of size 64000 can compromise 42% of the circuits.

[1]  Gene Tsudik,et al.  Mixing E-mail with Babel , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[2]  Paul F. Syverson,et al.  Anonymous connections and onion routing , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[3]  Michael K. Reiter,et al.  Crowds: anonymity for Web transactions , 1998, TSEC.

[4]  Jean-François Raymond,et al.  Traffic Analysis: Protocols, Attacks, Design Issues, and Open Problems , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[5]  Peter Druschel,et al.  Pastry: Scalable, distributed object location and routing for large-scale peer-to- , 2001 .

[6]  Anton Stiglic,et al.  Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems , 2001, Information Hiding.

[7]  Antony I. T. Rowstron,et al.  Pastry: Scalable, Decentralized Object Location, and Routing for Large-Scale Peer-to-Peer Systems , 2001, Middleware.

[8]  Robert Morris,et al.  Chord: A scalable peer-to-peer lookup service for internet applications , 2001, SIGCOMM 2001.

[9]  Robert Tappan Morris,et al.  Tarzan: a peer-to-peer anonymizing network layer , 2002, CCS '02.

[10]  Dan S. Wallach,et al.  A Survey of Peer-to-Peer Security Issues , 2002, ISSS.

[11]  Robert Tappan Morris,et al.  Security Considerations for Peer-to-Peer Distributed Hash Tables , 2002, IPTPS.

[12]  Dakshi Agrawal,et al.  Limits of Anonymity in Open Environments , 2002, Information Hiding.

[13]  Roger Dingledine,et al.  From a Trickle to a Flood: Active Attacks on Several Mix Types , 2002, Information Hiding.

[14]  Oliver Berthold,et al.  Dummy Traffic against Long Term Intersection Attacks , 2002, Privacy Enhancing Technologies.

[15]  Bernhard Plattner,et al.  Introducing MorphMix: peer-to-peer based anonymous Internet usage with collusion detection , 2002, WPES '02.

[16]  Miguel Castro,et al.  Secure routing for structured peer-to-peer overlay networks , 2002, OSDI '02.

[17]  G Danezis,et al.  Statistical disclosure attacks: Traffic confirmation in open environments , 2003 .

[18]  Christian Grothoff,et al.  gap - Practical Anonymous Networking , 2003, Privacy Enhancing Technologies.

[19]  Micah Adler,et al.  Defending anonymous communications against passive logging attacks , 2003, 2003 Symposium on Security and Privacy, 2003..

[20]  Tianbo Lu,et al.  WonGoo: A Peer-to-Peer Protocol for Anonymous Communication , 2004, PDPTA.

[21]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[22]  Nick Feamster,et al.  Location diversity in anonymity networks , 2004, WPES '04.

[23]  Dan S. Wallach,et al.  AP3: cooperative, decentralized anonymous communication , 2004, EW 11.

[24]  Micah Adler,et al.  The predecessor attack: An analysis of a threat to anonymous communications systems , 2004, TSEC.

[25]  George Danezis,et al.  Statistical Disclosure or Intersection Attacks on Anonymity Systems , 2004, Information Hiding.

[26]  Yiming Hu,et al.  TAP: a novel tunneling approach for anonymity in structured P2P systems , 2004 .

[27]  George Danezis,et al.  The Traffic Analysis of Continuous-Time Mixes , 2004, Privacy Enhancing Technologies.

[28]  Antony I. T. Rowstron,et al.  Cashmere: resilient anonymous routing , 2005, NSDI.

[29]  George Danezis,et al.  Low-cost traffic analysis of Tor , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[30]  Giuseppe Ciaccio,et al.  Improving Sender Anonymity in a Structured Overlay with Imprecise Routing , 2006, Privacy Enhancing Technologies.

[31]  George Danezis,et al.  Route Fingerprinting in Anonymous Communications , 2006, Sixth IEEE International Conference on Peer-to-Peer Computing (P2P'06).

[32]  Matthew K. Wright,et al.  Salsa: a structured approach to large-scale anonymity , 2006, CCS '06.

[33]  Steven J. Murdoch,et al.  Hot or not: revealing hidden services by their clock skew , 2006, CCS '06.

[34]  K. Wehrle,et al.  Core : A Peer-To-Peer Based Connectionless Onion Router , 2006 .

[35]  Sachin Katti,et al.  Information Slicing: Anonymity Using Unreliable Overlays , 2007, NSDI.

[36]  George Danezis,et al.  Denial of service or denial of security? , 2007, CCS '07.

[37]  Steven J. Murdoch,et al.  Sampled Traffic Analysis by Internet-Exchange-Level Adversaries , 2007, Privacy Enhancing Technologies.

[38]  G. Danezis,et al.  Denial of Service or Denial of Security? How Attacks on Reliability can Compromise Anonymity , 2007 .

[39]  George Danezis,et al.  Bridging and Fingerprinting: Epistemic Attacks on Route Selection , 2008, Privacy Enhancing Technologies.

[40]  Angelos D. Keromytis,et al.  Identifying Proxy Nodes in a Tor Anonymization Circuit , 2008, 2008 IEEE International Conference on Signal Image Technology and Internet Based Systems.

[41]  Prateek Mittal,et al.  Information leaks in structured peer-to-peer anonymous communication systems , 2008, CCS.

[42]  Ben Y. Zhao,et al.  Protecting anonymity in dynamic peer-to-peer networks , 2008, 2008 IEEE International Conference on Network Protocols.

[43]  Carmela Troncoso,et al.  Perfect Matching Disclosure Attacks , 2008, Privacy Enhancing Technologies.

[44]  Nicholas Hopper,et al.  How much anonymity does network latency leak? , 2010, ACM Trans. Inf. Syst. Secur..