Detecting Intruders and Preventing Hackers from Evasion by Tor Circuit Selection

The widely used Tor network has become the most popular anonymous network that supports circuit-based, low-latency Internet connections. However, recent security breach incidents reveal that SSH has been used to launch attacks by malicious users. Although a server-side blocking mechanism that can identify SSH connections individually has been proposed, we have found that it is restricted to certain Tor circuit protocol versions and does not cover all SSH protocol implementations. The prior method is based on the difference in latency in the Tor network, which may be subject to hacker manipulation by circuit selection in the Tor network. In this paper, we first present a set of attributes that can be used to detect SSH connections through Tor for all SSH handshakes between client and server, by observing the network packet exchanges of the SSH protocol. In the second half of this paper, we show that the geographical location of the nodes in a Tor circuit has an impact on the effectiveness of our metrics. If hackers know our detection algorithm, they may be able to evade detection. We demonstrate the effectiveness of our attack detection by analyzing multiple Tor circuit selections. Finally, we identify and evaluate our detection algorithm and demonstrate that it achieves 98% accuracy under the most stringent condition.
