Securing Anonymous Communication Channels under the Selective DoS Attack Anupam Das , Nikita Borisov University of Illinois at Urbana-Champaign (UIUC) FC 2013 11/23/2018

Outline Anonymous Communication (Tor) Selective DoS attack Our Detection Mechanism Evaluation Conclusion 11/23/2018

Anonymous Communication Hides user identity and defends users against internet surveillance and traffic analysis. The most widely used anonymity network is Tor ~3000 Tor Relays ~500,000 Users daily 11/23/2018

How Tor Works Tor Relay Encrypted link M M M M Unencrypted link originally sponsored by the US Naval Research Laboratory Since 2006 has been it’s own nonprofit organization Tor protects user identity by bouncing communications around a distributed network of relays run by volunteers all around the world. Tor circuit /tunnel is built incrementally one hop by one hop Layered encryption is used Each router knows only its predecessor and successor 11/23/2018

Threats in Tor Probability of circuits being compromised: Tor relays are run by volunteers. So they can be malicious. Anonymity broken Probability of circuits being compromised: Assuming t fraction of the bandwidth is controlled by a malicious authority. 11/23/2018

Selective DoS in Tor C- Compromised H- Honest Relay Not Dropped Entry Middle Exit H C Entry Middle Exit C H Dropped 11/23/2018

Impact of Selective DoS Under Normal Condition: Under Selective DoS: 11/23/2018

Our Goal Design a detection mechanism that can distinguish compromised circuits from non-compromised circuits. We propose a 2-phase probing algorithm. Generate candidate circuits Identify potentially compromised circuits Threat Model: Small fraction (~20%) of relays are compromised Compromised relays perform selective DoS attack. 11/23/2018

Our Detection Mechanism Phase 1. Generate N working Tor circuits and test the reliability of the circuits by retrieving a web page through the circuit. Entry Middle Exit H C Entry Middle Exit H C Test reliability Circuits that survive 1st phase and passed onto the 2nd phase 11/23/2018

Our Detection Mechanism Phase 2. For each circuit choose K other random exit and middle relays. Test reliability of the modified circuits. Test Reliability Modified Circuits Entry Middle Exit Hi Hj Hk . Cm Cn Cp Ca Hb Cc Entry Middle Exit Hi Hb Cp Hi Cp Repeat the process K times for each circuit. Hb For each circuit keep track of the no. of success M IF(M>=Threshold) classify as potentially honest circuit 11/23/2018

Probabilistic Analysis Assuming t fraction of the bandwidth is controlled by a malicious authority. (t≈20%) Entry Middle Exit C H For t=0.2, (1-t)3 >> t2 So majority of the circuits in the second phase are honest. Therefore compromised circuits should have low success rate after circuit modification. 11/23/2018

Complex Attacks What if compromised nodes don’t always drop to avoid detection? We consider 2 types of dropping strategy- Random drop Strategic drop Entry Middle Exit H C Random Drop: Drops with probability d Strategic Drop: Don’t drop circuits of form XXC as they are helpful in the 2nd phase 11/23/2018

Disguising Probes To make probes indistinguishable from user traffic we adopt the following strategies- Use popular websites as probing destination Alexa lists the top popular websites Replay non-sensitive browsing history as probes Randomize the middle relay from the set of (N-1) available relays after phase 1 11/23/2018

Evaluation Simulation setup: We evaluate our approach through both simulation and real world experiments. Simulation setup: Gathered Tor node info from torstatus.blutmagie.de/ Randomly assigned 20% bandwidth to be compromised. To approximate the failure rate present in the current Tor network we take the help of TorFlow project [Torflow project. https://gitweb.torproject.org/torflow.git] We generate 10,000 Tor circuits and record their failure rate. Average failure rate after 10 run was found to be approximately 23%. 11/23/2018

Simulation Results As drop rate d increases the probability of selecting a compromised circuits decreases 11/23/2018

Fraction of compromised guards Pr(not compromised) (Conventional Tor) Real World Experiments We use Emulab and PlanetLab machines for our experimental setup. 11 Emulab machines= 10 run Tor protocol (20Kbps)+1 acted as server (gathering timing info from the other 10 machines) [Bauer et al. WPES 07] Extracted 40 other regular Tor node and added our 10 compromised nodes (t=20%). Use PlanetLab machines as clients. Fraction of compromised guards Pr(not compromised) Pr(not compromised) (Conventional Tor) 1.0 1/3 0.867 2/3 0.843 0.612 1 0.0 For implementing selective-DoS we take an approach similar to the one described by Bauer et al. (WPES 07). We modify Tor source code tor-0.2.2.35. 11/23/2018

Overhead Approximation Each usable circuit requires 4 probes Each probe size is 300KB (avg. size of the most popular web pages) So the total traffic used by a single user every one hour is (6*3*300*4)KB≈21MB Currently, Tor’s Bandwidth capacity = 3.21GB/s Approximately 5% of the bandwidth can be used to satisfy the current peak demand 11/23/2018

Related Work Danner et al. [FC 2009] proposed a probing technique where they create O(n*l) circuits to identify compromised relays. [where n= no. of relays, l=no. of times each probe is repeated] However, They don’t consider strategic adaptation by malicious nodes like random dropping. More suitable as a centralized approach. Otherwise it would not be scalable. Probes might be more easier to distinguish. Mike Perry (Tor Performance Developer) recently proposed: Client-side accounting mechanism that tracks the circuit failure rate for each of the client’s entry nodes. 11/23/2018

Conclusion Our detection algorithm filters out potentially compromised Tor circuits with high probability. We also show that adaptive adversaries who choose to deny service probabilistically do not benefit from adopting such strategy. Future Work: Can we lower the cost of probing/overhead? Can we not use probing at all? Maybe use historical data 11/23/2018

Questions 11/23/2018