detecting traffic snooping in tor using decoys
Post on 25-Feb-2016
Presenter: 張逸文
DETECTING TRAFFIC SNOOPING IN TOR USING DECOYS
RAID 2011
Sambuddho Chakravarty, Georgios Portokalidis, Michalis Polychronakis, Angelos D. Keromytis
Columbia University, NY, USA
2 OUTLINE
1. Introduction
2. Background
3. System Architecture
4. Deployment Results
5. Discussion and Future work
6. Related work
7. Conclusion
3 INTRODUCTION (1/2)
Anonymity and privacy-preserving systems
Tor [15], Anonymizer
Operate by routing user traffic through a single proxy or multiple proxies, often using layered encryption schemes
Absence of end-to-end encryption
Man-in-the-middle attacks
Switching HTTPS to plain HTTP
4 INTRODUCTION (2/2)
Using decoy traffic to detect eavesdropping in proxying architectures, and in particular in anonymous communication systems
Other uses of decoy traffic: unprotected wireless networks [9], warning of insider threats [8]
Multiple “bait” credentials for IMAP and SMTP servers
5 BACKGROUND
Tor anonymity network: the most widely used low-latency anonymity network
Users can hide their IP => hidden services
How does it work?
Threat model: malicious exit nodes
Extracting credentials, eavesdropping on private information
Intercepting the traffic of SSL connections
6 SYSTEM ARCHITECTURE (1/6) Approach
Network eavesdropping is a passive operation without observable effects
Credentials sent without application-layer encryption can be used by the eavesdropper => observable
We entice a prospective snooper to use intercepted decoy credentials to access a service under our control
7 SYSTEM ARCHITECTURE (2/6)
8 SYSTEM ARCHITECTURE (3/6) Implementation
Choosing a set of services that
① are supported by a large number of Tor exit nodes
② support unencrypted authentication over a clear-text protocol
The number of Tor exit nodes that allow the relaying of traffic through various TCP port numbers
IMAP (port 143) and SMTP (port 587) protocols
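Selection criterion ① above asks how many exit nodes will relay traffic to a given clear-text port. The following added example (not the paper's tooling) evaluates exit policies written in Tor's descriptor syntax (`accept`/`reject` ADDRESS:PORT rules, first match wins, implicit trailing `reject *:*`) and counts, per candidate port, the exits a decoy client could route a clear-text IMAP or SMTP login through. The relay nicknames and policies are constructed; only `*` and exact-address patterns are handled.

```python
"""Added example, not the paper's own tooling: evaluating Tor exit policies to
find which exit nodes permit the clear-text ports the decoy services use
(IMAP on 143, SMTP submission on 587). Policies use Tor's descriptor syntax
('accept'/'reject' ADDRESS:PORT, first match wins, implicit 'reject *:*' at
the end); only '*' address patterns and exact addresses are supported here.
The relay names and policies below are constructed, not real relays."""

# Constructed exit policies, keyed by a made-up relay nickname.
EXIT_POLICIES = {
    "exit-alpha": ["reject *:25", "reject *:119", "reject *:135-139", "accept *:*"],
    "exit-beta":  ["accept *:80", "accept *:443", "reject *:*"],
    "exit-gamma": ["accept *:143", "accept *:993", "reject *:*"],
    "exit-delta": ["reject *:*"],          # a relay that does not exit at all
}


def _port_matches(pattern, port):
    """'*' matches any port; 'N' an exact port; 'A-B' an inclusive range."""
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = (int(p) for p in pattern.split("-", 1))
        return low <= port <= high
    return port == int(pattern)


def policy_allows(policy, port, addr=None):
    """Return True if the first matching rule accepts the destination.
    A rule with a specific address only matches when that address is asked for."""
    for rule in policy:
        action, target = rule.split(None, 1)
        addr_pat, port_pat = target.rsplit(":", 1)
        if addr_pat != "*" and addr_pat != addr:
            continue
        if not _port_matches(port_pat, port):
            continue
        return action == "accept"
    return False   # Tor's implicit trailing 'reject *:*'


def exits_allowing(policies, port):
    """Names of the relays whose policy permits exiting to the given port,
    i.e. the exits the decoy client could route a clear-text login through."""
    return sorted(name for name, policy in policies.items()
                  if policy_allows(policy, port))


def port_coverage(policies, ports):
    """How many exits permit each candidate port (selection criterion ①)."""
    return {port: len(exits_allowing(policies, port)) for port in ports}


if __name__ == "__main__":
    for port, count in port_coverage(EXIT_POLICIES, [25, 143, 587, 993, 443]).items():
        print(f"port {port:>3}: {count} exit(s) -> {exits_allowing(EXIT_POLICIES, port)}")
```

Run against a real consensus the same function would be applied to each relay's published policy; the point of the count is that a port with few permitting exits yields few vantage points for the decoy traffic, which is why the paper settled on ports 143 and 587.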
9 SYSTEM ARCHITECTURE (4/6)
10 SYSTEM ARCHITECTURE (5/6) Decoy Traffic Transmission and Eavesdropping Detection
Client: implemented in Perl; service protocol emulation is provided by the Net::IMAPClient and Net::SMTP modules
Client is hosted on Ubuntu Server Linux v8.04
The client creates one connection to each decoy server every day through each Tor exit node that supports the service
Each exit node is tied to its own set of credentials for each decoy service
11 SYSTEM ARCHITECTURE (6/6)
Decoy services: Courier IMAP v4.6.0 & Postfix v2.7.0
Illegitimate connections are identified from the logs recorded at the client and at the server
Important implementation considerations
Time synchronization => Network Time Protocol
Amount and quality of decoy traffic
The believability of the decoy traffic [9]
Eavesdropping incident verification
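The detection step on slides 10 and 11 is a log correlation: every decoy login the client makes is recorded on the client side, and any login the decoy server sees that no client transmission explains is an interception incident, attributed to the exit node whose credentials were used. The added example below (not the paper's code) implements that correlation in Python. It matches on service, user and source address and additionally requires the server timestamp to fall inside a small clock-skew window around the client's transmission, which is why time synchronization matters and why a snooper reconnecting through the very exit it operates is still caught. All credentials, exit fingerprints, addresses and log lines are constructed.

```python
"""Added example, not the paper's code: flagging decoy-credential reuse by
correlating the decoy client's transmission log with the decoy servers'
authentication logs. A server-side login that no client transmission explains
(same service, user and source address, within a clock-skew window kept small
by NTP) is an interception incident, attributed to the exit node whose
credentials were used. All names, addresses, fingerprints and log lines below
are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Provisioning table: each exit node is tied to its own credentials per decoy
# service, so a reused credential points at the suspected exit. Hypothetical values.
CREDENTIAL_OWNER = {
    ("imap", "alice.decoy"): "EXIT-AAAA0001",
    ("imap", "bob.decoy"):   "EXIT-BBBB0002",
    ("smtp", "carol.decoy"): "EXIT-CCCC0003",
}

# Constructed client log: one record per decoy login the client itself made.
CLIENT_LOG = """\
2010-09-01T03:00:05Z imap alice.decoy via EXIT-AAAA0001 exit_ip=198.51.100.10
2010-09-01T03:00:12Z imap bob.decoy via EXIT-BBBB0002 exit_ip=203.0.113.7
2010-09-01T03:00:20Z smtp carol.decoy via EXIT-CCCC0003 exit_ip=192.0.2.44
"""

# Constructed decoy-server auth log (the server sees the exit node as the peer).
# The last two lines are the ones a snooper would produce.
SERVER_LOG = """\
2010-09-01T03:00:06Z imap LOGIN user=alice.decoy ip=198.51.100.10
2010-09-01T03:00:13Z imap LOGIN user=bob.decoy ip=203.0.113.7
2010-09-01T03:00:21Z smtp LOGIN user=carol.decoy ip=192.0.2.44
2010-09-01T17:42:09Z imap LOGIN user=bob.decoy ip=203.0.113.7
2010-09-02T11:05:33Z imap LOGIN user=alice.decoy ip=100.64.0.9
"""

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Login:
    service: str
    user: str
    src_ip: str
    when: datetime


def parse_client_log(text):
    """'<time> <service> <user> via <exit-fp> exit_ip=<ip>' -> Login records."""
    logins = []
    for line in text.splitlines():
        when, service, user, _via, _fp, exit_ip = line.split()
        logins.append(Login(service, user, exit_ip.split("=", 1)[1],
                            datetime.strptime(when, TIME_FMT)))
    return logins


def parse_server_log(text):
    """'<time> <service> LOGIN user=<u> ip=<ip>' -> Login records."""
    logins = []
    for line in text.splitlines():
        when, service, _login, user, ip = line.split()
        logins.append(Login(service, user.split("=", 1)[1], ip.split("=", 1)[1],
                            datetime.strptime(when, TIME_FMT)))
    return logins


def find_incidents(client_logins, server_logins, clock_skew=timedelta(minutes=5)):
    """Return (suspected_exit, server_login) for every server-side login that no
    client transmission explains. Matching on source address alone is not
    enough: a snooper can connect back through the very exit it runs, so the
    timestamp must also fall inside the client's transmission window."""
    incidents = []
    for s in server_logins:
        explained = any(
            c.service == s.service and c.user == s.user and c.src_ip == s.src_ip
            and abs(c.when - s.when) <= clock_skew
            for c in client_logins)
        if not explained:
            exit_fp = CREDENTIAL_OWNER.get((s.service, s.user), "unprovisioned-credential")
            incidents.append((exit_fp, s))
    return incidents


def detect(client_text=CLIENT_LOG, server_text=SERVER_LOG):
    """Run the correlation over the constructed logs."""
    return find_incidents(parse_client_log(client_text), parse_server_log(server_text))


if __name__ == "__main__":
    for exit_fp, login in detect():
        print(f"incident: {login.service} user={login.user} from {login.src_ip} "
              f"at {login.when.isoformat()} -> credentials of {exit_fp}")
```

On the constructed logs the first three server entries are explained by the client's own transmissions; the fourth (same exit address, hours later) and the fifth (a different address) are reported as incidents against the exits whose credentials they reuse. The window size is the practical knob: it must cover client/server clock drift and Tor circuit latency but stay far below the daily transmission interval.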
12 DEPLOYMENT RESULTS
August 2010 ~ May 2011
Ten traffic interception incidents, all received by the decoy IMAP server
Table 1.
Available bandwidth of the malicious exit nodes
Locations of the Tor exit nodes involved in the observed incidents
Geo-IP tool
13 DISCUSSION AND FUTURE WORK (1/4) Detection confidence
The ease of installing and operating a Tor exit node
The host system may lack software patches / have poor security
Connecting back to the decoy server from the same exit node
Future work: using multiple replicas of the decoy servers scattered across different networks, each associated with a different set of credentials
14 DISCUSSION AND FUTURE WORK (2/4) Decoy Traffic Credibility
Increasing the number and diversity of the innocuous email messages in SMTP traffic
Including bait documents that would ping back to our system
Capturing network traces of protocol interactions using various real IMAP clients and servers
15 DISCUSSION AND FUTURE WORK (3/4) Detection of HTTP Session Hijacking
Some sites switch back to HTTP after the user has logged in
Users are ignorant of HTTPS
Attackers can steal the session cookie from the HTTP requests of authenticated users
Future work: detecting HTTP session hijacking attacks through the use of decoy accounts
16 DISCUSSION AND FUTURE WORK (4/4) Traffic Eavesdropping and Anonymity Degradation
Reducing the anonymity set
Eavesdropping Detection as a Network Service
Honeynet-based system
Used as an eavesdropping detection system
17 RELATED WORK (1/2)
Clifford Stoll
The Cuckoo’s Egg: trapping an intruder who broke into the systems of the Lawrence Berkeley National Laboratory
Honeypots have been extensively used for modeling, logging and analyzing attacks
Honeytokens
Pieces of information; once the adversary retrieves them, any subsequent use of them clearly indicates unauthorized access
18 RELATED WORK (2/2)
Bowen et al.
WiFi traffic as a basis for the generation of decoy traffic with realistic network interactions
McCoy et al.
Taking advantage of the IP address resolution functionality of network traffic capturing tools
This functionality may be disabled by the eavesdropper
19 CONCLUSION
Applying decoy user credentials to the detection of traffic interception in anonymity networks
Detected ten cases in which decoy credentials were used by a third party to log in to servers under our control
How the proposed method can be extended to the detection of HTTP session hijacking attacks
20
Thanks & go 金盾!!