CS590B/690B Detecting network interference (Spring 2018) Lecture 16 Phillipa Gill – Umass -- Amherst.
Where we are Last time: Internet routing review + timing attacks BGP hijacks/path asymmetry
Test your knowledge What is the goal of Tor? How does Tor accomplish this? How does Tor pick relays? What happens if you compromise.. The entry relay? The middle relay? The exit relay? What happens if the entry and exit relay collude? Why 3 hops? Why not 1? Why not 2? How does Tor avoid colluding relays from being chosen? Why are guards used? How are guards chosen? What meta data is used by Web site fingerprinting attacks? What is the premise behind Web site fingerprinting attacks?
Today Continuing with traffic analysis attacks. Readings: Users get routed Holding all the ASes
Review of attack criteria/ evaluation of potential in practice
Need to measure/infer network paths! Attack criteria Any AS that lies on the Forward OR Reverse path, between the Source and Entry … …AND Exit and Destination can execute the attack Challenge: How to measure and mitigate these attacks in practice? We can’t actually measure reverse paths… Also can’t traceroute through Tor Our approach: Use simulations on empirical AS graphs Consider all paths compliant with a model of routing policies Gives an approximation on potential attacks Middle relay Entry relay Exit relay Destination AS Source AS Need to measure/infer network paths! To make this more formal we say an attacker can perform a timing attack if they lay on the forward or reverse path between the client and entry, and forward OR reverse path between the exit and the destination. We wanted to understand how prevalent this sort of attack would be in practice, but we faced a nasty network measurement challenge which is that we can’t actually measure the reverse paths. We get around this by using simulations of routing policies on empirical AS graphs to understand the set of potential paths that may be chosen for these different routes. This gives us an upper bound on the number of adversaries there may be.
Understanding the threat to Tor Method: Use VPN to connect to 200 sites (100 popular, 100 likely censored) through Tor VPN end points located in 10 countries Examine AS-paths between source and destination and chosen entry/exit relays. Vulnerable sites (%) We use this idea to see how often Tor selects relays that are potentially subject to this timing attack. We used VPN end points in 10 countries and used them to access a set of 200 sites through Tor. We then looked at the paths between the client and entry, and exit and destinations to infer the potential for attack. This graph shows the fraction of web sites that had the circuit for their main page content be vulnerable to this attack and the faction that had any of their circuits vulnerable. More than half of the sites have at least some of their content delivered over a vulnerable circuit. One thing we notice here is that these numbers vary pretty widely between countries for example russia, us and china have more locally hosted content so it’s more likely they will have a path that crosses a national ISP going to the content, Variation between countries (e.g., US, Russia and China have most popular content hosted locally so more of their content is vulnerable). 53% of sites have at least some content delivered over a vulnerable Tor circuit
Astoria: Avoiding AS-level attackers Choose an entry/exit relay to avoid attackers Usually there is such an option Challenge: How to find the safe option? Path computations need to be done on the client Challenge: ASes may collude We resolve sibling ASes (e.g., 701, 702, 703 = Verizon) …and evaluate country-level adversaries Challenge: Minimize performance impact Cannot pre-construct circuits as in vanilla Tor Byproduct of destination-based relay selection Challenge: Don’t overload popular relays If there are multiple safe options load balance across them What are the paths? Which relay selection is safe? To mitigate these vulnerable circuits we propose Astoria. The basic idea is that if you have an entry-exit relay selection that will avoid a potential attacker you should choose it. Otherwise we use a linear program to choose relays probabilistically such that it minimizes the number of circuits an adversary could observe over time. Additional considerations of designing this system were that the path computations had to be done on the client, so we can’t send the destination out to some look up service. We also look at Ases owned by the same organization or under control of the same government. And we also work to be a good network citizen, so when there are multiple safe relay selection options we choose amongst them probabilistically using the same load balancing function as vanilla Tor.
What if there is no safe option? What if all relay selections contain at least one AS that can perform the timing attack? Astoria minimizes the amount any given attacker can learn Linear program Entry AS 1 1/3 ISP 1 can snoop with prob. 2/3 ISP 1 Source AS Entry AS 2 1/3 ISP 2 Entry AS 3 1/3
What if there is no safe option? What if all relay selections contain at least one AS that can perform the timing attack? Astoria minimizes the amount any given attacker can learn Linear program Entry AS 1 ISP 1 can snoop with prob. 1/2 1/4 ISP 1 Source AS Entry AS 2 1/4 ISP 2 Entry AS 3 1/2
Additional slides See this slide deck (Slides 21-26, for overview of Cipollino) https://www.dropbox.com/s/podehxeulk8xsbp/rishab-defense-2016.ppsx?dl=0 See this slide deck for an overview of the Users Get Routed reading: https://www.dropbox.com/s/ei8wse2zou537oi/L16-tor-users-routed-slides.pdf?dl=0