Novel and Practical SDN-based Traceback Technique for Malicious Traffic over Anonymous Networks

Diverse anonymous communication systems are widely deployed because they provide online privacy protection and Internet anti-censorship services. However, these systems are severely abused, and a large amount of anonymous traffic is malicious. To mitigate this issue, we propose a novel and practical traceback technique to confirm the communication relationship between a suspicious server and a user. We leverage a software-defined network (SDN) switch at the destination server side to intercept target traffic towards the server and alter the advertised TCP window sizes, so as to stealthily vary the traffic rate at the server. By carefully varying the traffic rate, we can modulate a secret signal into the traffic. The traffic carrying the signal passes through the anonymous communication system and reaches the SDN switch at the user side, where we detect the modulated signal from the traffic and thereby confirm the communication relationship between the server and the user. To validate the feasibility and effectiveness of our technique, we performed extensive real-world experiments using three popular anonymous communication systems: an SSH tunnel, an OpenVPN tunnel, and Tor. The results demonstrate that the detection rates approach 100% for SSH and OpenVPN and 95% for Tor, while the false positive rates are very low, approaching 0% for all three systems.
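The technique rests on rewriting the advertised TCP window so the server's sending rate follows a chosen pattern. From the defender's side, the observable side effect is a receive window that toggles between a few widely separated values with regular dwell times, rather than drifting as a real receive buffer fills and drains. The following Python heuristic is an added example, not code from the paper or its authors: it assumes the (already scaled) window values have been extracted from one direction of a flow, and all three sample flows are constructed for illustration, as are the thresholds.

```python
from statistics import mean, pstdev

# Constructed sample flows: the advertised TCP window (already scaled, in bytes)
# carried by successive packets of one direction of a connection. These are
# illustrative values, not captures from the paper's experiments.

# A flow whose window is being toggled between two far-apart values with a
# fixed dwell of 8 packets: the shape a rate-modulating window rewrite produces.
MODULATED_FLOW = ([65535] * 8 + [2048] * 8) * 5

# A normal flow: the window drifts down as the receive buffer fills and jumps
# back up when the application drains it.
NATURAL_FLOW = ([65535 - 1460 * k for k in range(20)] + [65535] * 3
                + [65535 - 1460 * k for k in range(1, 15)])

# A flow whose window does toggle, but with irregular dwell times, as a
# bursty application that alternately stalls and drains would produce.
IRREGULAR_FLOW = ([65535] * 3 + [2048] * 11 + [65535] * 6 + [2048] * 1
                  + [65535] * 14 + [2048] * 4)


def dwell_runs(windows):
    """Collapse consecutive equal window values into (value, run_length) pairs."""
    runs = []
    for w in windows:
        if runs and runs[-1][0] == w:
            runs[-1][1] += 1
        else:
            runs.append([w, 1])
    return [(v, n) for v, n in runs]


def window_modulation_check(windows, min_runs=6, max_distinct=3,
                            min_ratio=4.0, max_dwell_cv=0.25):
    """Flag a flow whose advertised window looks externally shaped.

    Three features are combined, all computed from the run structure:
      distinct  - number of distinct window values (a rewritten window uses few)
      ratio     - largest / smallest value (rate shaping needs a large swing)
      dwell_cv  - coefficient of variation of run lengths (shaping is regular)
    Returns a dict with the features and a boolean 'flagged'. Thresholds are
    illustrative assumptions, not values from the paper.
    """
    runs = dwell_runs(windows)
    if not runs:
        return {"runs": 0, "distinct": 0, "ratio": 0.0,
                "dwell_cv": 0.0, "flagged": False}
    lengths = [n for _, n in runs]
    values = [v for v, _ in runs]
    distinct = len(set(values))
    smallest = min(values)
    ratio = max(values) / smallest if smallest > 0 else float("inf")
    dwell_cv = (pstdev(lengths) / mean(lengths)) if len(lengths) > 1 else float("inf")
    flagged = (len(runs) >= min_runs and distinct <= max_distinct
               and ratio >= min_ratio and dwell_cv <= max_dwell_cv)
    return {"runs": len(runs), "distinct": distinct, "ratio": ratio,
            "dwell_cv": dwell_cv, "flagged": flagged}


if __name__ == "__main__":
    for name, flow in [("modulated", MODULATED_FLOW),
                       ("natural", NATURAL_FLOW),
                       ("irregular", IRREGULAR_FLOW)]:
        print(name, window_modulation_check(flow))
```

The run-length view is what separates the three cases: the modulated flow has two values, a 32:1 swing and identical dwell times, the natural flow has many distinct values and a small swing, and the irregular flow has the swing but not the regularity. In a real deployment the window field must be read after applying the window-scale option negotiated in the handshake, and where both ends of a connection are observable the advertised window seen at the server can be compared directly with the one the client actually sent.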
