A novel packet size based covert channel attack against anonymizer

Anonymizer is a proprietary anonymous communication system. We discovered its architecture and found that the size of web packets through Anonymizer are very dynamic at the client. Motivated by this finding, we investigated a novel packet size based covert channel attack, against the anonymity service. In the attack, one attacker manipulates the web packet size between the web server and Anonymizer and embed signal symbols into the target traffic. An accomplice at the user side can sniff the traffic and recognize the secret signal. We developed intelligent and robust algorithms to cope with the packet size distortion incurred by Anonymizer and Internet. We developed several techniques to make the attack harder to detect: (i) We pick up right packets of web objects to manipulate in order to preserve the regularity of the TCP packet size dynamics; (ii) We adopt the Monte Carlo sampling technique to preserve the distribution of the web packet size despite manipulation. We have implemented the attack over Anonymizer and conducted extensive analysis and experimental evaluations. It is observed that the attack is highly efficient and requires only tens of packets to compromise the anonymous web surfing. The experimental results are consistent with our theoretical analysis.

[1]  Lawrence E. Bassham,et al.  Randomness Testing of the Advanced Encryption Standard Finalist Candidates , 2000 .

[2]  Gaurav Shah,et al.  Keyboards and Covert Channels , 2006, USENIX Security Symposium.

[3]  Matthew K. Wright,et al.  Timing Attacks in Low-Latency Mix Systems (Extended Abstract) , 2004, Financial Cryptography.

[4]  Nikita Borisov,et al.  RAINBOW: A Robust And Invisible Non-Blind Watermark for Network Flows , 2009, NDSS.

[5]  B. Mandelbrot,et al.  Fractional Brownian Motions, Fractional Noises and Applications , 1968 .

[6]  Riccardo Bettati,et al.  Analytical and empirical analysis of countermeasures to traffic analysis attacks , 2003, 2003 International Conference on Parallel Processing, 2003. Proceedings..

[7]  Peng Ning,et al.  On the secrecy of timing-based active watermarking trace-back techniques , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[8]  Xinwen Fu,et al.  DSSS-Based Flow Marking Technique for Invisible Traceback , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[9]  Sushil Jajodia,et al.  Model-Based Covert Timing Channels: Automated Modeling and Evasion , 2008, RAID.

[10]  Douglas S. Reeves,et al.  Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays , 2003, CCS '03.

[11]  Dawn Xiaodong Song,et al.  Timing Analysis of Keystrokes and Timing Attacks on SSH , 2001, USENIX Security Symposium.

[12]  Roger Dingledine,et al.  A Practical Congestion Attack on Tor Using Long Paths , 2009, USENIX Security Symposium.

[13]  Jan Beran,et al.  Statistics for long-memory processes , 1994 .

[14]  Weijia Jia,et al.  A new cell counter based attack against tor , 2009, CCS.

[15]  Tatu Ylönen,et al.  The Secure Shell (SSH) Connection Protocol , 2006, RFC.

[16]  Dirk Grunwald,et al.  Low-resource routing attacks against tor , 2007, WPES '07.

[17]  Vitaly Shmatikov,et al.  Timing Analysis in Low-Latency Mix Networks: Attacks and Defenses , 2006, ESORICS.

[18]  Tatu Ylönen,et al.  The Secure Shell (SSH) Authentication Protocol , 2006, RFC.

[19]  Tatu Ylönen,et al.  The Secure Shell (ssh) Transport Layer Protocol , 2006 .

[20]  Hyoung-Kee Choi,et al.  A behavioral model of Web traffic , 1999, Proceedings. Seventh International Conference on Network Protocols.

[21]  Lili Qiu,et al.  Statistical identification of encrypted Web browsing traffic , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[22]  Paul F. Syverson,et al.  Locating hidden servers , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[23]  H. E. Hurst,et al.  Long-Term Storage Capacity of Reservoirs , 1951 .

[24]  Sushil Jajodia,et al.  Network Flow Watermarking Attack on Low-Latency Anonymous Communication Systems , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[25]  Xuxian Jiang,et al.  A First Step towards Live Botmaster Traceback , 2008, RAID.

[26]  Walter Willinger,et al.  On the self-similar nature of Ethernet traffic , 1993, SIGCOMM '93.

[27]  Maruti Gupta,et al.  A NEW TRAFFIC MODEL FOR CURRENT USER WEB BROWSING BEHAVIOR , 2007 .

[28]  Charles V. Wright,et al.  Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP Conversations , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[29]  Carla E. Brodley,et al.  IP covert timing channels: design and detection , 2004, CCS '04.

[30]  Riccardo Bettati,et al.  On Flow Correlation Attacks and Countermeasures in Mix Networks , 2004, Privacy Enhancing Technologies.

[31]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[32]  Brian Neil Levine,et al.  Inferring the source of encrypted HTTP connections , 2006, CCS '06.

[33]  Charles V. Wright,et al.  Traffic Morphing: An Efficient Defense Against Statistical Traffic Analysis , 2009, NDSS.

[34]  George Danezis,et al.  Low-cost traffic analysis of Tor , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[35]  Nikita Borisov,et al.  Multi-flow Attacks Against Network Flow Watermarking Schemes , 2008, USENIX Security Symposium.

[36]  R. Hilgers,et al.  Parameter , 2019, Springer Reference Medizin.

[37]  Peng Ning,et al.  Tracing Traffic through Intermediate Hosts that Repacketize Flows , 2007, IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications.

[38]  Charles V. Wright,et al.  Language Identification of Encrypted VoIP Traffic: Alejandra y Roberto or Alice and Bob? , 2007, USENIX Security Symposium.