Detecting Traffic Snooping in Tor Using Decoys

Anonymous communication networks like Tor only partially protect the confidentiality of their users' traffic: all intra-overlay communication is encrypted, but when the relayed traffic leaves the overlay at an exit node towards its actual destination, the original user traffic is inevitably exposed. At this point, unless end-to-end encryption is used, sensitive user data can be snooped by a malicious or compromised exit node, or by any other rogue network entity on the path towards the actual destination. We explore the use of decoy traffic for the detection of traffic interception on anonymous proxying systems. Our approach is based on the injection of traffic that exposes bait credentials for decoy services that require user authentication. Our aim is to entice prospective eavesdroppers to access decoy accounts on servers under our control using the intercepted credentials; since each bait credential is exposed through a known exit node, any later use of it both confirms the interception and points at the exit through which it was relayed. We have deployed our prototype implementation in the Tor network using decoy IMAP and SMTP servers. Over the course of ten months, our system detected ten cases of traffic interception that involved ten different Tor exit nodes. We provide a detailed analysis of the detected incidents, discuss potential improvements to our system, and outline how our approach can be extended for the detection of HTTP session hijacking attacks.
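The detection logic the abstract describes, as an added example that is not the paper's code: bait IMAP credentials are derived per exit node, the plaintext LOGIN that an eavesdropper past the exit would see is generated, and the decoy server's authentication log is checked against the exposure registry. The exit fingerprints and addresses, the HMAC key, the one-minute window and the Dovecot-like log format are all assumptions made for the example.

```python
"""Bookkeeping for bait credentials exposed through an anonymity network's
exit nodes, plus the check that turns a decoy IMAP server's auth log into an
interception alert. Added example, not the paper's prototype."""
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical secret; binds each bait username to one exit node so that a
# reused credential points back at the exit that relayed it.
BAIT_KEY = b"replace-with-a-long-random-secret"

# Dovecot-like auth log format (constructed for this example).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) imap-login: Login: user=<(?P<user>[^>]+)>, rip=(?P<rip>[\d.]+)"
)


def make_bait(exit_fp):
    """Derive the (username, password) pair exposed through exit `exit_fp`."""
    user = hmac.new(BAIT_KEY, b"user:" + exit_fp.encode(), hashlib.sha256).hexdigest()[:12]
    pw = hmac.new(BAIT_KEY, b"pass:" + exit_fp.encode(), hashlib.sha256).hexdigest()[:16]
    return "u" + user, pw


def imap_login_command(user, password, tag="a001"):
    """Plaintext IMAP LOGIN as it travels from the exit node to the decoy server."""
    return f"{tag} LOGIN {user} {password}\r\n"


@dataclass
class Exposure:
    exit_fp: str
    exit_ip: str          # address the exit connects from (assumed known from the consensus)
    when: datetime        # time the injector sent the decoy login
    self_seen: bool = False


class Detector:
    def __init__(self, window=timedelta(seconds=60)):
        self.window = window
        self.registry = {}   # bait username -> Exposure

    def inject(self, exit_fp, exit_ip, when):
        """Record an exposure; the caller relays the returned LOGIN through exit_fp."""
        user, pw = make_bait(exit_fp)
        self.registry[user] = Exposure(exit_fp, exit_ip, when)
        return imap_login_command(user, pw)

    def observe(self, log_line):
        """Classify one auth-log line: ignore / unknown_user / self_login / interception."""
        m = LOG_RE.match(log_line)
        if not m:
            return ("ignore", None)
        exp = self.registry.get(m["user"])
        if exp is None:
            return ("unknown_user", None)
        ts = datetime.fromisoformat(m["ts"])
        # Exactly one login is expected per bait: the injector's own, arriving
        # from the exit's address shortly after the injection.
        if (not exp.self_seen and m["rip"] == exp.exit_ip
                and timedelta(0) <= ts - exp.when <= self.window):
            exp.self_seen = True
            return ("self_login", exp.exit_fp)
        # Any other login (different source, outside the window, or a second
        # login even from the same exit) means the credentials were picked up
        # in transit; the registry tells us which exit relayed them.
        return ("interception", exp.exit_fp)
```

Because every injection uses a credential that is never reused, the injector's own login is the only legitimate one; a replay through the same exit inside the window is still caught as the second login for that bait. The same registry works for the SMTP decoys in the paper if the log parser is swapped for the mail server's AUTH log format.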
