A New Cell-Counting-Based Attack Against Tor

Various low-latency anonymous communication systems such as Tor and Anonymizer have been designed to provide anonymity service for users. In order to hide the communication of users, most of the anonymity systems pack the application data into equal-sized cells (e.g., 512 B for Tor, a known real-world, circuit-based, low-latency anonymous communication network). Via extensive experiments on Tor, we found that the size of IP packets in the Tor network can be very dynamic because a cell is an application concept and the IP layer may repack cells. Based on this finding, we investigate a new cell-counting-based attack against Tor, which allows the attacker to confirm anonymous communication relationship among users very quickly. In this attack, by marginally varying the number of cells in the target traffic at the malicious exit onion router, the attacker can embed a secret signal into the variation of cell counter of the target traffic. The embedded signal will be carried along with the target traffic and arrive at the malicious entry onion router. Then, an accomplice of the attacker at the malicious entry onion router will detect the embedded signal based on the received cells and confirm the communication relationship among users. We have implemented this attack against Tor, and our experimental data validate its feasibility and effectiveness. There are several unique features of this attack. First, this attack is highly efficient and can confirm very short communication sessions with only tens of cells. Second, this attack is effective, and its detection rate approaches 100% with a very low false positive rate. Third, it is possible to implement the attack in a way that appears to be very difficult for honest participants to detect (e.g., using our hopping-based signal embedding).

[1]  Matthew K. Wright,et al.  Timing Attacks in Low-Latency Mix Systems (Extended Abstract) , 2004, Financial Cryptography.

[2]  Fouad A. Tobagi,et al.  Packet-level traffic measurements from a tier-1 ip backbone , 2001 .

[3]  Peng Ning,et al.  Tracing Traffic through Intermediate Hosts that Repacketize Flows , 2007, IEEE INFOCOM 2007 - 26th IEEE International Conference on Computer Communications.

[4]  Nikita Borisov,et al.  RAINBOW: A Robust And Invisible Non-Blind Watermark for Network Flows , 2009, NDSS.

[5]  Xinwen Fu,et al.  DSSS-Based Flow Marking Technique for Invisible Traceback , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[6]  Riccardo Bettati,et al.  On Flow Correlation Attacks and Countermeasures in Mix Networks , 2004, Privacy Enhancing Technologies.

[7]  Sergio Verdú,et al.  On channel capacity per unit cost , 1990, IEEE Trans. Inf. Theory.

[8]  Thomas Engel,et al.  Slotted Packet Counting Attacks on Anonymity Protocols , 2009, AISC.

[9]  Xinwen Fu,et al.  A New Replay Attack Against Anonymous Communication Networks , 2008, 2008 IEEE International Conference on Communications.

[10]  Peter Sewell,et al.  Passive Attack Analysis for Connection-Based Anonymity Systems , 2003, ESORICS.

[11]  Zhen Ling,et al.  One Cell is Enough to Break Tor's Anonymity , 2009 .

[12]  Charles V. Wright,et al.  Spot Me if You Can: Uncovering Spoken Phrases in Encrypted VoIP Conversations , 2008, 2008 IEEE Symposium on Security and Privacy (sp 2008).

[13]  Zhen Ling,et al.  Equal-Sized Cells Mean Equal-Sized Packets in Tor? , 2011, 2011 IEEE International Conference on Communications (ICC).

[14]  Kevin S. Bauer,et al.  Low-Resource Routing Attacks Against Anonymous Systems , 2007 .

[15]  Charles V. Wright,et al.  Language Identification of Encrypted VoIP Traffic: Alejandra y Roberto or Alice and Bob? , 2007, USENIX Security Symposium.

[16]  George Danezis,et al.  Mixminion: design of a type III anonymous remailer protocol , 2003, 2003 Symposium on Security and Privacy, 2003..

[17]  Peng Ning,et al.  On the secrecy of timing-based active watermarking trace-back techniques , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[18]  Roger Dingledine,et al.  A Practical Congestion Attack on Tor Using Long Paths , 2009, USENIX Security Symposium.

[19]  Ian Goldberg,et al.  Improving Tor using a TCP-over-DTLS Tunnel , 2009, USENIX Security Symposium.

[20]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[21]  LingZhen,et al.  A new cell-counting-based attack against Tor , 2012 .

[22]  Vitaly Shmatikov,et al.  Timing Analysis in Low-Latency Mix Networks: Attacks and Defenses , 2006, ESORICS.

[23]  Sushil Jajodia,et al.  Network Flow Watermarking Attack on Low-Latency Anonymous Communication Systems , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[24]  Zhen Ling,et al.  Cyber Crime Scene Investigations (C²SI) through Cloud Computing , 2010, 2010 IEEE 30th International Conference on Distributed Computing Systems Workshops.

[25]  Xinwen Fu,et al.  On performance bottleneck of anonymous communication networks , 2008, 2008 IEEE International Symposium on Parallel and Distributed Processing.

[26]  Mike Perry,et al.  TorFlow: Tor Network Analysis , 2009 .

[27]  Sushil Jajodia,et al.  Tracking anonymous peer-to-peer VoIP calls on the internet , 2005, CCS '05.

[28]  Lili Qiu,et al.  Statistical identification of encrypted Web browsing traffic , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[29]  Thomas M. Cover,et al.  Elements of Information Theory , 2005 .

[30]  George Danezis,et al.  Low-cost traffic analysis of Tor , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[31]  Nikita Borisov,et al.  Multi-flow Attacks Against Network Flow Watermarking Schemes , 2008, USENIX Security Symposium.

[32]  Riccardo Bettati,et al.  On Flow Marking Attacks in Wireless Anonymous Communication Networks , 2005, 25th IEEE International Conference on Distributed Computing Systems (ICDCS'05).

[33]  Steven J. Murdoch,et al.  Hot or not: revealing hidden services by their clock skew , 2006, CCS '06.

[34]  Paul F. Syverson,et al.  Locating hidden servers , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[35]  Dirk Grunwald,et al.  Low-resource routing attacks against tor , 2007, WPES '07.

[36]  Brian Neil Levine,et al.  Inferring the source of encrypted HTTP connections , 2006, CCS '06.

[37]  Douglas S. Reeves,et al.  Robust correlation of encrypted attack traffic through stepping stones by manipulation of interpacket delays , 2003, CCS '03.

[38]  Dawn Xiaodong Song,et al.  Timing Analysis of Keystrokes and Timing Attacks on SSH , 2001, USENIX Security Symposium.

[39]  Dirk Grunwald,et al.  Shining Light in Dark Places: Understanding the Tor Network , 2008, Privacy Enhancing Technologies.