Abstract
Anonymous communication networks, like Tor, partially protect the confidentiality of user traffic by encrypting all communications within the overlay network. However, when the relayed traffic reaches the boundaries of the network, toward its destination, the original user traffic is inevitably exposed to the final node on the path. As a result, users transmitting sensitive data, such as authentication credentials, over such networks risk having their data intercepted and exposed, unless end-to-end encryption is used. Eavesdropping can be performed by malicious or compromised relay nodes, as well as by any rogue network entity on the path toward the actual destination. Furthermore, end-to-end encryption does not assure defense against man-in-the-middle attacks. In this work, we explore the use of decoys at multiple levels for the detection of traffic interception by malicious nodes of proxy-based anonymous communication systems. Our approach relies on the injection of traffic that exposes bait credentials for decoy services requiring user authentication, and URLs to seemingly sensitive decoy documents which, when opened, invoke scripts alerting about being accessed. Our aim was to entice prospective eavesdroppers to access our decoy servers and decoy documents using the snooped credentials and URLs. We have deployed our prototype implementation in the Tor network using decoy IMAP, SMTP, and HTTP servers. During the course of over 30 months, our system has detected 18 cases of traffic eavesdropping that involved 14 different Tor exit nodes.
Notes
A TCP-based service can keep its IP address hidden (and thus its identity) by replacing the IP address with a hidden service URL. These URLs end in a virtual top-level domain called “.onion” and are resolved by Tor clients when initiating a connection to the hidden service.
In contrast to SMTP relay (port 25), SMTP on port 587 is dedicated to message submission, and accepts messages for delivery only from users who have registered accounts on the server.
In other words, for each exit node that allows access to IMAP, we created a unique username and password. This unique association of the exit node and the exposed user credential helps identify the eavesdropping exit nodes that snoop on these exposed credentials and connect back to our decoy server.
Mail clients generally execute a set of commands on the server to fetch the various user directories associated with an account. The absence of such commands and zero payload length could be a strong indication that the adversary does not use any known mail client. We have studied the various protocol messages exchanged by various popular mail client programs.
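The two footnotes above describe how the decoy IMAP server's logs are interpreted: each exposed username is tied to exactly one exit node, so a login with that username points back at the exit node that saw the bait, and a session that issues none of the mailbox-enumeration commands a real mail client sends (with no payload) suggests the connecting party is not a mail client. The following Python is an added example, not code from the paper; the log format, usernames, exit-node labels and the set of "typical client commands" are all constructed for illustration.

```python
"""Correlate decoy IMAP logins with exit nodes and classify the session shape.

Added example (not the paper's code). Assumptions, all constructed here:
- BAIT_CREDENTIALS: the per-exit-node unique usernames recorded when bait was sent.
- CLIENT_COMMANDS: IMAP commands that ordinary mail clients issue after LOGIN to
  enumerate and open mailboxes.
- SAMPLE_LOG: a decoy server log, one line per received command.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed: decoy username -> label of the exit node it was exposed through.
BAIT_CREDENTIALS = {
    "user7c1a": "EXIT-NODE-A",
    "user9e2b": "EXIT-NODE-B",
    "user3f4d": "EXIT-NODE-C",
}

# Constructed: commands a real mail client typically sends to fetch folders.
CLIENT_COMMANDS = {"CAPABILITY", "LIST", "LSUB", "SELECT", "EXAMINE",
                   "STATUS", "NAMESPACE", "ID"}

# Constructed log. Format: "<session-id> <client-ip> <tag> <COMMAND> [args]"
SAMPLE_LOG = """\
s1 198.51.100.10 a001 LOGIN user7c1a s3cr3t
s1 198.51.100.10 a002 LOGOUT
s2 203.0.113.5 A1 CAPABILITY
s2 203.0.113.5 A2 LOGIN user9e2b pa55
s2 203.0.113.5 A3 LIST "" "*"
s2 203.0.113.5 A4 SELECT INBOX
s2 203.0.113.5 A5 LOGOUT
s3 192.0.2.77 x LOGIN nosuchuser guess
"""

LINE_RE = re.compile(
    r"^(?P<sid>\S+) (?P<ip>\S+) (?P<tag>\S+) (?P<cmd>[A-Z]+)(?: (?P<args>.*))?$")


@dataclass
class Session:
    session_id: str
    client_ip: str
    username: Optional[str] = None
    commands: List[str] = field(default_factory=list)
    # Bytes of command arguments other than LOGIN/LOGOUT: a proxy for payload.
    payload_bytes: int = 0


def parse_sessions(log_text: str) -> List[Session]:
    """Group log lines by session id and record what each session did."""
    sessions: Dict[str, Session] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore malformed lines
        s = sessions.setdefault(m["sid"], Session(m["sid"], m["ip"]))
        cmd, args = m["cmd"], (m["args"] or "")
        s.commands.append(cmd)
        if cmd == "LOGIN":
            parts = args.split()
            s.username = parts[0] if parts else None
        elif cmd != "LOGOUT":
            s.payload_bytes += len(args)
    return list(sessions.values())


def analyze(sessions: List[Session]) -> List[dict]:
    """One finding per session that authenticated with a bait credential."""
    findings = []
    for s in sessions:
        if s.username not in BAIT_CREDENTIALS:
            continue  # not one of our decoy credentials
        client_like = bool(CLIENT_COMMANDS & set(s.commands))
        findings.append({
            "session": s.session_id,
            "client_ip": s.client_ip,
            # The unique credential identifies the exit node that saw the bait.
            "exit_node": BAIT_CREDENTIALS[s.username],
            "looks_like_mail_client": client_like,
            # No client-style commands and no payload: probably not a mail client.
            "bare_login": (not client_like) and s.payload_bytes == 0,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(parse_sessions(SAMPLE_LOG)):
        print(f)
```

Session s1 logs in with a bait credential and immediately logs out, so it is attributed to EXIT-NODE-A and flagged as a bare login; s2 lists and selects a mailbox, so it is attributed to EXIT-NODE-B but looks like a genuine mail client; s3 used an unknown username and produces no finding.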
This difference is primarily due to the different lengths of IMAP and SMTP messages. The overhead due to Tor protocol messages, involving circuit setup, key exchanges, accounting, and circuit termination, does not vary significantly between IMAP and SMTP.
By default, Tor clients use a fixed set of entry nodes to defend against traffic analysis attacks that can be launched by malicious entry and exit nodes.
Acknowledgments
This work was supported by DARPA and ONR through Contracts DARPA-W011NF-11-1-0140 and ONR-MURI-N00014-07-1-090, respectively. Any opinions, findings, conclusions, or recommendations expressed herein are those of the authors and do not necessarily reflect those of the US Government, DARPA, or ONR.
Cite this article
Chakravarty, S., Portokalidis, G., Polychronakis, M. et al. Detection and analysis of eavesdropping in anonymous communication networks. Int. J. Inf. Secur. 14, 205–220 (2015). https://doi.org/10.1007/s10207-014-0256-7