Balancing the shadows

In this paper, we examine the ShadowWalker peer-to-peer anonymity scheme. ShadowWalker attempts to provide anonymity via circuits built using random walks over a secured topology. ShadowWalker's topology is secured through the use of shadows: peers that certify another node's routing information. We demonstrate two flaws in ShadowWalker. First, an attacker can compromise the underlying topology of ShadowWalker as a result of an insufficient number of shadows. We show that the failure of the underlying topology directly results in the failure of ShadowWalker to provide its anonymity guarantees. Second, the dependence on untrusted nodes to certify other nodes allows an attacker to launch a selective denial-of-service attack. We show that there is an inherent tension between protecting against these two attacks: weakening the first attack strengthens the second, and vice versa. We introduce a mechanism that generalizes ShadowWalker's lookup defense, and show that this mechanism can be tuned to simultaneously provide strong protection against both attacks. Last, we implement ShadowWalker and provide performance measurements from a prototype deployment on PlanetLab.
