Tor is currently one of the more popular systems for anonymizing near-real-time communications on the Internet. Recently, Borisov et al. proposed a denial-of-service-based attack on Tor (and related systems) that significantly increases the probability of compromising the anonymity provided. In this paper, we analyze the effectiveness of the attack using both an analytic model and simulation. We also describe two algorithms for detecting such attacks, one deterministic and proved correct, the other probabilistic and verified in simulation.
A low-latency anonymous communication system attempts to allow near-real-time communication between hosts while hiding the identity of these hosts from various types of observers (including each other). Such a system is useful whenever communication privacy is desirable: personal, medical, legal, governmental, or financial applications all may require some degree of privacy. Dingledine, Mathewson, and Syverson [2004a] developed the onion-routing network Tor for such communication. Tor anonymizes communication by sending it along paths of anonymizing proxies, encrypting messages in layers so that each proxy knows only its neighbors in the path. Syverson et al. [2000] showed that such systems are vulnerable to a passive adversary (one who does not modify traffic in any way) who controls the first and last proxies along such a path; roughly speaking, the attack involves a cross-correlation of timing data. Active attacks, and in particular denial-of-service (DoS) attacks, can increase the power of an otherwise limited attacker. For example, Dingledine, Shmatikov, and Syverson [2004b] analyzed the impact of DoS on different configurations of mix networks, the Crowds design paper by Reiter and Rubin [1998] examined the impact of circuit interruptions on anonymity, and the original Tor design paper describes various denial-of-service attacks. More recently, Borisov et al. [2007] showed that an adversary willing to engage in denial of service could increase her probability of compromising anonymity: when a path is rebuilt after a denial of service, new proxies are chosen, and so the adversary has another chance to occupy both endpoints of the path.
In this paper we analyze the denial-of-service attack in detail and propose two detection algorithms (we reported preliminary results in Danner et al. [2009]). In Section 2 we give a careful description of the attack in terms of a number of parameters that the attacker might vary to avoid detection; our model includes Borisov et al.'s attacker and the passive attacker as special cases. In Section 3 we assess the effectiveness of the attacker as a function of these parameters and compare our analytic results to a simulation of the attacker that replays data collected from the deployed Tor network. In Section 4 we prove that an adversary engaging in the DoS attack in an idealized Tor-like system can be detected by probing at most 3n paths in the system, where n is the number of proxies in the system. In Section 5 we give a more practical algorithm, implement it in simulation, and show that it detects DoS attackers with a low error rate. In Section 6 we discuss attackers that do not fit our model perfectly and show how our detection algorithms might cope with them. In Section 7 we discuss issues related to deploying the detection algorithms we describe. Finally, attacking and defending anonymity networks is an arms race; in Section 8 we discuss other attempts to detect and defend against various kinds of attacks, and in particular compare our more practical detection algorithm to the "client-level" algorithm for avoiding compromised tunnels described by Das and Borisov [2011].
We model the Tor network as a fully connected undirected graph. (Some individual Tor nodes may disable connections on specific ports or to specific IP addresses; we have not determined whether these restrictions significantly limit the graph.) The vertices of the graph represent the Tor nodes (or relays), and the edges represent network connections between nodes. We define n to be the number of vertices. For a DoS attack, we assume that the attacker controls some subset of the relays; we also use the term compromised to describe such relays.
A Tor client creates circuits (also referred to as paths or tunnels) consisting of three nodes; in our model, this equates to a path containing three vertices (in order) and the corresponding edges between them. The first node is referred to as the entry node and the last as the exit node. Application-level communications between an initiator and a responder are then passed through the circuit. We assume that if the adversary controls the entry and exit nodes on a circuit, then she can in fact determine whether or not the traffic passing through the entry node is the same as the traffic passing through the exit node (and hence she can match the initiator with the recipient of the traffic). An early version of such an attack is given by Levine et al. [2004] and a more sophisticated version by Murdoch and Zieliński [2007]. A circuit is compromised if at least one node on the circuit is compromised, and the circuit is controlled if both the entry and exit nodes are compromised. Syverson et al. [2000] observe that if all nodes may act as exit nodes, then a passive adversary controls a circuit with probability $c^2/n^2$, where c is the number of nodes controlled by the attacker. Since controlling middle nodes is of little use, we
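The following Python simulation is an added example, not code from the paper, that puts the two adversaries of this section side by side under the model just described: n relays, c of them compromised, three distinct relays per circuit, a circuit controlled when both entry and exit are compromised and compromised when any hop is. The DoS attacker it models is the simplest one consistent with Borisov et al.'s attack as summarized in the introduction: she tears down every circuit she sits on but does not control, so the client rebuilds it with fresh relays. That always-tear-down rule, the uniform choice of relays and the closed-form expressions are assumptions of this example (the paper parameterizes the attacker more finely and its Section 3 replays real Tor data); with distinct relays the passive probability is c(c-1)/(n(n-1)), which is the c²/n² quoted above for large n.

```python
"""Passive vs. denial-of-service adversary on a Tor-like three-hop path model.

Added example (not code from the paper). Relays 0..c-1 are compromised, the
client draws three distinct relays uniformly for each circuit, a circuit is
*compromised* if any hop is compromised and *controlled* if both entry and
exit are. The DoS attacker modelled here always tears down a circuit she is
on but does not control; that rule is an assumption of this example.
"""
from fractions import Fraction
import random


def p_controlled(n: int, c: int) -> Fraction:
    """Exact probability that entry and exit are both compromised when the
    three hops are distinct relays drawn uniformly; ~ c^2/n^2 for large n."""
    return Fraction(c * (c - 1), n * (n - 1))


def p_uncompromised(n: int, c: int) -> Fraction:
    """Probability that none of the three hops is compromised."""
    h = n - c
    return Fraction(h * (h - 1) * (h - 2), n * (n - 1) * (n - 2))


def p_controlled_after_dos(n: int, c: int) -> Fraction:
    """Probability that a circuit the DoS attacker lets survive is controlled.

    Under the always-tear-down rule only two kinds of circuit survive:
    controlled ones and uncompromised ones (which she cannot see, let alone
    kill). Conditioning on survival gives P(ctrl) / (P(ctrl) + P(clean)).
    """
    pc, pu = p_controlled(n, c), p_uncompromised(n, c)
    return pc / (pc + pu)


def build_circuit(n: int, c: int, rng: random.Random) -> tuple:
    """Draw (entry, middle, exit) as three distinct relays out of n."""
    entry, middle, exit_ = rng.sample(range(n), 3)
    return entry, middle, exit_


def classify(circuit: tuple, c: int) -> tuple:
    """Return (controlled, compromised) for a circuit; relays < c are hostile."""
    entry, _middle, exit_ = circuit
    controlled = entry < c and exit_ < c
    compromised = any(hop < c for hop in circuit)
    return controlled, compromised


def simulate(n: int, c: int, trials: int, dos: bool, seed: int = 1) -> dict:
    """Build `trials` circuits that the attacker lets stand and report the
    fraction she controls plus the mean number of builds per surviving
    circuit (the rebuilds are the side effect a detector could observe)."""
    rng = random.Random(seed)
    controlled_count = 0
    builds = 0
    for _ in range(trials):
        while True:
            builds += 1
            controlled, compromised = classify(build_circuit(n, c, rng), c)
            # The DoS attacker kills circuits she sits on but cannot control,
            # forcing a rebuild with fresh relays; a passive attacker never does.
            if dos and compromised and not controlled:
                continue
            break
        controlled_count += controlled
    return {
        "controlled": controlled_count / trials,
        "builds_per_circuit": builds / trials,
    }


if __name__ == "__main__":
    n, c = 100, 20  # constructed parameters: 100 relays, 20 of them hostile
    print(f"passive: analytic={float(p_controlled(n, c)):.4f} "
          f"simulated={simulate(n, c, 20000, dos=False)}")
    print(f"DoS:     analytic={float(p_controlled_after_dos(n, c)):.4f} "
          f"simulated={simulate(n, c, 20000, dos=True)}")
```

With n = 100 and c = 20 the closed forms give about 0.038 for the passive adversary and about 0.070 for the tearing-down adversary, so the same 20 relays control almost twice as many circuits, at the price of roughly 1.8 circuit builds per surviving circuit. That excess of failed builds is exactly the footprint the attacker has to pay for and the quantity a probing client can measure.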