Traffic Analysis against Low-Latency Anonymity Networks Using Available Bandwidth Estimation

We introduce a novel remotely-mounted attack that can expose the network identity of an anonymous client, hidden service, and anonymizing proxies. To achieve this, we employ single-end controlled available bandwidth estimation tools and a colluding network entity that can modulate the traffic destined for the victim. To expose the circuit including the source, we inject a number of short or one large burst of traffic. Although timing attacks have been successful against anonymity networks, they require either a Global Adversary or the compromise of substantial number of anonymity nodes. Our technique does not require compromise of, or collaboration with, any such entity. To validate our attack, we performed a series of experiments using different network conditions and locations for the adversaries on both controlled and real-world Tor circuits. Our results demonstrate that our attack is successful in controlled environments. In real-world scenarios, even an under-provisioned adversary with only a few network vantage points can, under certain conditions, successfully identify the IP address of both Tor users and Hidden Servers. However, Tor's inherent circuit scheduling results in limited quality of service for its users. This at times leads to increased false negatives and it can degrade the performance of our circuit detection. We believe that as high speed anonymity networks become readily available, a well-provisioned adversary, with a partial or inferred network "map", will be able to partially or fully expose anonymous users.

[1]  Ian Goldberg,et al.  Improving Tor using a TCP-over-DTLS Tunnel , 2009, USENIX Security Symposium.

[2]  B. Cheswick,et al.  The Internet mapping project , 1998 .

[3]  Ren Wang,et al.  TCP Westwood: congestion window control using bandwidth estimation , 2001, GLOBECOM'01. IEEE Global Telecommunications Conference (Cat. No.01CH37270).

[4]  Angelos D. Keromytis,et al.  LinkWidth: A Method to measure Link Capacity and Available Bandwidth Using Single-End Probes , 2006 .

[5]  Bill Cheswick,et al.  Tracing Anonymous Packets to Their Approximate Source , 2000, LISA.

[6]  Steven J. Murdoch,et al.  Hot or not: revealing hidden services by their clock skew , 2006, CCS '06.

[7]  Zhen Ling,et al.  One Cell is Enough to Break Tor's Anonymity , 2009 .

[8]  Nicholas Hopper,et al.  How much anonymity does network latency leak? , 2007, TSEC.

[9]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[10]  Micah Adler,et al.  An Analysis of the Degradation of Anonymous Protocols , 2002, NDSS.

[11]  Dirk Grunwald,et al.  Low-resource routing attacks against tor , 2007, WPES '07.

[12]  Arun Venkataramani,et al.  iPlane: an information plane for distributed services , 2006, OSDI '06.

[13]  George Danezis,et al.  Low-cost traffic analysis of Tor , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[14]  Dogan Kesdogan,et al.  Measuring Anonymity: The Disclosure Attack , 2003, IEEE Secur. Priv..

[15]  Jean-François Raymond,et al.  Traffic Analysis: Protocols, Attacks, Design Issues, and Open Problems , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[16]  Kevin Borders,et al.  Web tap: detecting covert web traffic , 2004, CCS '04.

[17]  Sebastian Zander,et al.  An Improved Clock-skew Measurement Technique for Revealing Hidden Services , 2008, USENIX Security Symposium.

[18]  Douglas S. Reeves,et al.  Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays , 2003, CCS '03.

[19]  Sushil Jajodia,et al.  Network Flow Watermarking Attack on Low-Latency Anonymous Communication Systems , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[20]  Angelos D. Keromytis,et al.  Identifying Proxy Nodes in a Tor Anonymization Circuit , 2008, 2008 IEEE International Conference on Signal Image Technology and Internet Based Systems.

[21]  Angelos D. Keromytis,et al.  Approximating a Global Passive Adversary Against Tor , 2008 .

[22]  Roger Dingledine,et al.  A Practical Congestion Attack on Tor Using Long Paths , 2009, USENIX Security Symposium.

[23]  Sotiris Ioannidis,et al.  Compromising Anonymity Using Packet Spinning , 2008, ISC.

[24]  Anton Stiglic,et al.  Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems , 2001, Information Hiding.

[25]  Paul F. Syverson,et al.  Hiding Routing Information , 1996, Information Hiding.