On Traffic Analysis in Tor
Guest Lecture, ELE 574 Communications Security and Privacy
Princeton University April 3rd, 2014
Dr. Rob Jansen, U.S. Naval Research Laboratory
Anonymity with Tor
www.torproject.org
Internet overlay network
~1 million daily users, ~5000 relays
Low latency system
Traffic Correlation
The biggest threat to Tor’s anonymity
• Is traffic correlation realistic?
• Who might be in these positions?
• Would a nation-state be willing to launch correlation attacks?
Anonymity with Onion Routing
Traffic Correlation
Circuit positions: Entry (a.k.a. guard), Middle, Exit
Clients are ‘locked in’ to guard relays
Exit relays support various exit policies
• How does the volunteer resource model affect the vulnerability to correlation attacks?
Outline
● Background
● Security against correlation (end-to-end)
  – Metrics and methodology
  – Node adversaries
  – Link adversaries
● Correlation attacks (partial)
  – Stealthy throughput
  – Induced throttling
    ● Traffic admission control
    ● Congestion control
Traffic Correlation
• How can one measure how vulnerable real clients on the real network are to traffic correlation?
• Is there a difference between targeted correlation and general surveillance?
Security Metrics
Principles
● Probability distribution
● Measured on human timescales
● Based on real network and adversaries
Metrics (probability distributions)
● Time until first path compromise
● Number of path compromises for a given user over given time period
Approach: Overview
Components: User Profiles, Tor Network Data, Path Simulator (TorPS), Attack Analysis
Approach: User Profiles
Consider how users actually use Tor
Build a 20-minute trace of each activity. Capture destinations/ports visited.
• Typical: Gmail/GChat, GCal/GDocs, Facebook, Web search
• Chat: IRC
• File Sharing: BitTorrent
“Replay” traces to generate streams based on user behavior
• Typical: 2632 traces per week, 205 destinations, 2 ports
• Chat: 135 traces per week, 1 destination, 1 port
• File Sharing: 6768 traces per week, 171 destinations, 118 ports
• Is the user model accurate?
• What are the challenges?
User Behavior Affects Relay Selection
• GOOD: Port 443 (HTTPS), permitted by 93% of exits measured by bandwidth
• BAD: Port 6523 (Gobby Collaborative Editor), permitted by 20% of exits measured by bandwidth
Some applications are not well-supported by Tor due to exit policies
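A "permitted by N% of exits measured by bandwidth" figure can be derived from the `s` (flags), `w` (bandwidth) and `p` (exit policy summary) lines of a consensus. The following is an added example, not code from the lecture or from the Tor Project; the four relay entries, their names and bandwidths are constructed, and the function names are hypothetical.

```python
# Constructed consensus fragment: nicknames, digests, addresses and bandwidths
# are made up for illustration; only the r/s/w/p line layout follows the consensus format.
SAMPLE_CONSENSUS = """\
r relayA AAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAA 2013-01-01 00:00:00 192.0.2.1 9001 0
s Exit Fast Running Valid
w Bandwidth=500
p accept 80,443
r relayB BBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBB 2013-01-01 00:00:00 192.0.2.2 9001 0
s Exit Fast Guard Running Valid
w Bandwidth=300
p reject 25,119,135-139
r relayC CCCCCCCCCCCCCCCCCCCCCCCCCCC CCCCCCCCCCCCCCCCCCCCCCCCCCC 2013-01-01 00:00:00 192.0.2.3 9001 0
s Fast Guard Running Valid
w Bandwidth=900
p reject 1-65535
r relayD DDDDDDDDDDDDDDDDDDDDDDDDDDD DDDDDDDDDDDDDDDDDDDDDDDDDDD 2013-01-01 00:00:00 192.0.2.4 9001 0
s Exit Running Valid
w Bandwidth=200
p accept 80,443,6523
"""


def parse_ports(spec):
    """Turn '80,443,6660-6669' into a list of inclusive (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges


def parse_consensus(text):
    """Parse router entries into dicts with nickname, flags, bandwidth and policy."""
    relays, current = [], None
    for line in text.splitlines():
        keyword, _, rest = line.strip().partition(" ")
        if keyword == "r":
            # A new router entry starts; default to rejecting everything
            # until a 'p' line says otherwise.
            current = {"nick": rest.split()[0], "flags": set(), "bw": 0,
                       "policy": ("reject", [(1, 65535)])}
            relays.append(current)
        elif current is None:
            continue
        elif keyword == "s":
            current["flags"] = set(rest.split())
        elif keyword == "w":
            for item in rest.split():
                key, _, value = item.partition("=")
                if key == "Bandwidth":
                    current["bw"] = int(value)
        elif keyword == "p":
            action, spec = rest.split(None, 1)
            current["policy"] = (action, parse_ports(spec))
    return relays


def permits(relay, port):
    """An 'accept' summary lists allowed ports; a 'reject' summary lists blocked ones."""
    action, ranges = relay["policy"]
    listed = any(low <= port <= high for low, high in ranges)
    return listed if action == "accept" else not listed


def exit_bandwidth_fraction(relays, port):
    """Fraction of Exit-flagged bandwidth whose policy summary permits `port`."""
    exits = [r for r in relays
             if "Exit" in r["flags"] and "BadExit" not in r["flags"]]
    total = sum(r["bw"] for r in exits)
    allowed = sum(r["bw"] for r in exits if permits(r, port))
    return allowed / total if total else 0.0


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    for port in (443, 6523, 25):
        print(port, exit_bandwidth_fraction(relays, port))
```

The smaller the permitted fraction for a port, the smaller the pool of exits a stream to that port can use, which is why the destination port influences which relays end up on the path.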
Approach: Tor Network Data
Consider the Tor network as it changes over a long period of time:
• Relays join and leave
• Bandwidth changes
• Exit/Guard designations change
Use Tor Project archives to obtain state of network over 3 to 6 months:
• Hourly consensuses
• Monthly server descriptors
Approach: Simulate Tor with TorPS
Combine User and Tor Network models using TorPS to produce the circuits Tor would use
Tor Network Data & User Profiles → TorPS → Generated Tor circuits
TorPS:
• Re-implements path selection
• Based on Tor stable version (0.2.3.25)
• Considers:
  • Bandwidth weighting
  • Exit policies
  • Guards and guard rotation
  • Hibernation
  • /16 and family conflicts
• Omits effects of network performance
Node Adversary
Controls a fixed allotment of relays based on bandwidth budget
• We assume adversary has 100 MiB/s – comparable to large family of relays
• Adversaries apply 5/6th of bandwidth to guard relays and the rest to exit relays. (We found this to be the most effective allocation we tested.)
• Is 100 MiB/s realistic for an adversary?
Time to First Compromised Circuit (October 2012 – March 2013)
50% of clients use a compromised circuit in less than 70 days
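The two metrics named earlier (time until first path compromise, number of path compromises) can be estimated with a small Monte Carlo model. This is an added sketch, not TorPS and not code from the lecture: it keeps only bandwidth weighting and guard lock-in, and the honest bandwidth totals, the three-guard set and the 45-day rotation are assumptions chosen for illustration.

```python
import random


def adversary_shares(budget, guard_split, honest_guard_bw, honest_exit_bw):
    """Adversary's share of guard and of exit selection probability.

    With bandwidth-weighted selection a relay is picked in proportion to its
    bandwidth, so the share is adversary / (adversary + honest).
    """
    guard_bw = budget * guard_split
    exit_bw = budget - guard_bw
    return (guard_bw / (guard_bw + honest_guard_bw),
            exit_bw / (exit_bw + honest_exit_bw))


def simulate_client(rng, guard_share, exit_share, days, circuits_per_day,
                    num_guards=3, rotation_days=45):
    """Simulate one client.

    Returns (day of first compromised circuit or None, compromised circuit count).
    A circuit counts as compromised when both its guard and its exit are adversarial.
    num_guards and rotation_days are assumed parameters of this sketch.
    """
    first_day, compromised = None, 0
    guards = []
    for day in range(days):
        if day % rotation_days == 0:
            # Guard rotation: the client stays locked in to this set
            # until the next rotation (True marks an adversarial guard).
            guards = [rng.random() < guard_share for _ in range(num_guards)]
        for _ in range(circuits_per_day):
            bad_guard = rng.choice(guards)
            bad_exit = rng.random() < exit_share
            if bad_guard and bad_exit:
                compromised += 1
                if first_day is None:
                    first_day = day
    return first_day, compromised


def run_population(seed, clients, **params):
    """Simulate `clients` independent clients with a fixed seed for repeatability."""
    rng = random.Random(seed)
    return [simulate_client(rng, **params) for _ in range(clients)]


def fraction_compromised_by(results, day):
    """Empirical CDF of time to first compromise, evaluated at `day`."""
    hit = sum(1 for first, _ in results if first is not None and first <= day)
    return hit / len(results)


def median_first_day(results):
    """Median time to first compromise; None if fewer than half were compromised."""
    firsts = sorted(first for first, _ in results if first is not None)
    needed = (len(results) + 1) // 2
    return firsts[needed - 1] if len(firsts) >= needed else None


if __name__ == "__main__":
    # 100 MiB/s with 5/6 on guards is the adversary from the slides; the honest
    # totals (MiB/s) are constructed, since the slides do not give them.
    g, e = adversary_shares(100.0, 5 / 6, honest_guard_bw=2000.0, honest_exit_bw=800.0)
    results = run_population(2014, 2000, guard_share=g, exit_share=e,
                             days=180, circuits_per_day=50)
    print("guard share %.3f, exit share %.3f" % (g, e))
    print("median days to first compromise:", median_first_day(results))
    for day in (30, 90, 179):
        print("compromised by day", day, ":", fraction_compromised_by(results, day))
```

Because a client keeps the same guards between rotations, its outcome is dominated by whether any guard in the current set is adversarial, so the curve rises in steps at rotation boundaries instead of smoothly.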
Fraction of Compromised Streams (October 2012 – March 2013)
User behavior significantly affects anonymity
Network Adversary
[Figure: network of Autonomous Systems AS1–AS9]
• Autonomous Systems (ASes)
• Internet Exchange Points (IXPs)
• Adversary has fixed location
• Adversary may control multiple entities
• Should most users be concerned with a network adversary?
Simulating a Network Adversary
• Build AS-level graph (CAIDA)
• Place points of interest (Maxmind, traces)
• Find AS-level routes (Gao’02, CAIDA)
Selecting Network Adversaries
1. Rank each AS/IXP for each client location by frequency on entry or exit paths;
2. Exclude src/dst ASes (compromises nearly all paths); and
3. Assign adversary to top k ASes or IXPs
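The three selection steps above, applied to a handful of constructed AS-level paths to measure how exposed one client location is. This is an added example, not code from the lecture; the AS numbers come from the documentation range, the paths are made up, and the function names are hypothetical.

```python
from collections import Counter

# Constructed streams for one client location (client in AS 64496).
# "entry" is the AS path client -> guard, "exit" is the AS path exit relay -> destination.
STREAMS = [
    {"entry": [64496, 64500, 64501], "exit": [64502, 64500, 64510]},
    {"entry": [64496, 64500, 64503], "exit": [64504, 64505, 64510]},
    {"entry": [64496, 64506, 64501], "exit": [64502, 64505, 64511]},
    {"entry": [64496, 64500, 64501], "exit": [64501, 64505, 64511]},
    {"entry": [64496, 64506, 64503], "exit": [64504, 64500, 64510]},
]


def rank_ases(streams):
    """Steps 1 and 2: rank ASes by how many streams they appear on (entry or
    exit side), leaving out the source and destination ASes."""
    excluded = set()
    for stream in streams:
        excluded.add(stream["entry"][0])   # client (source) AS
        excluded.add(stream["exit"][-1])   # destination AS
    counts = Counter()
    for stream in streams:
        on_path = (set(stream["entry"]) | set(stream["exit"])) - excluded
        counts.update(on_path)
    # Sort by descending frequency, then by AS number so ties are deterministic.
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


def top_k(streams, k):
    """Step 3: the set of the k most frequently seen ASes."""
    return {asn for asn, _ in rank_ases(streams)[:k]}


def compromised_fraction(streams, adversary):
    """Fraction of streams where the adversary's ASes see both ends.

    The entry side and exit side may be observed by different ASes in the
    set, since the adversary may control multiple entities.
    """
    hit = sum(1 for stream in streams
              if adversary & set(stream["entry"])
              and adversary & set(stream["exit"]))
    return hit / len(streams)


if __name__ == "__main__":
    print("ranking:", rank_ases(STREAMS))
    for k in (1, 2, 3):
        chosen = top_k(STREAMS, k)
        print(k, sorted(chosen), compromised_fraction(STREAMS, chosen))
```

Running the same measurement per client location is what makes the "best" and "worst" client comparison possible: the ranking, and therefore the exposed fraction, changes with where the entry paths start.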
Adversary Controls One AS (January 2013 – March 2013)
Location matters.
“best”/“worst” denote most/least secure client
Adversary Controls One IXP Organization (January 2013 – March 2013)
“best”/“worst” denote most/least secure client
• How can a user determine their safety? How can they become safer?
Traffic Correlation
• What if the adversary only controls one of the ends?
Traffic Correlation: Throughput (Mittal et al., CCS’11)
• Adversary runs malicious exit
• Client downloads through circuit
• Probes download through all guards
• Correlate change in throughput at exit with change in throughput at probes
• How is this attack “stealthy”?
Tor != Internet
● Specialized Tor performance enhancements
  – Reducing load: traffic admission control
  – Reducing load, improving utilization: congestion control
Traffic Admission Control (Geddes et al., PETS’13)
• Which connections?
• At what rate?
Sybil attack!
• Sybil attack (connect only): throughput drops to throttle rate
• Disconnect sybils: throughput increases
• Is this attack “stealthy”?
Induced Throttling Prototype (Geddes et al., PETS’13)
Figure panels: bitsplit, flag, threshold
Congestion Control (Geddes et al., PETS’13)
• 50 cells (max 500), SENDME
• 500 cells: throughput drops to 0
• 500 cells, SENDME: throughput increases
• Is this attack “stealthy”?
Induced Throttling Prototype (Geddes et al., PETS’13)
Induced Throttling Results (Geddes et al., PETS’13)
Figure panels: raw throughput, smoothed throughput
Traffic Correlation
• How might we defend against ALL traffic correlation attacks?
Conclusion
● Presented a realistic and comprehensive analysis of Tor’s security against traffic correlation
● User behavior/location heavily affects anonymity against realistic adversaries
● An adversary with 100 MiB/s of bandwidth has a >50% probability of de-anonymizing the average Tor user within 3 months
● Open Questions:
  – Does the current Tor guard rotation period hurt anonymity?
  – Are there ways to select relays that can avoid adversaries?
Tor is Efficient: ~65% Utilization