Mantis: A Lightweight, Server-Anonymity Preserving, Searchable P2P Network

Stephen C. Bono, Christopher A. Soghoian, Fabian Monrose
Information Security Institute
The Johns Hopkins University
Baltimore, Maryland, USA
{sbono|csoghoian|fabian}@jhu.edu

Technical Report TR-2004-01-B-ISI-JHU
June 17, 2004

Abstract

We introduce Mantis, a searchable, peer-to-peer (P2P) network of anonymous nodes aimed at protecting the privacy of individuals acting as servers in the network. In order to minimize the traffic relayed by peers, servers transfer data directly to clients via a separate, source-spoofed UDP stream. This matters because users of a P2P system are content to give up bandwidth while downloading or uploading, but are unwilling to donate the majority of their bandwidth in order to relay traffic for other peers. By relaxing the requirement of full client anonymity, Mantis enables efficient data transfers from anonymous servers while limiting the bandwidth costs incurred by other peers participating in the network.

1 Introduction

The need for anonymous communication on the Internet has motivated a number of anonymous networking techniques. Since the early 80s, applications have been designed to protect Internet users from censorship, privacy violations, and any number of lawsuits.

For the most part, the overall goal of these systems is to ensure privacy for a sender and recipient, such that neither party can be identified as an endpoint of the communication stream, and that the two parties cannot be linked. Moreover, the goal of most anonymizing systems has been to protect the privacy interests of only the client in a client-server relationship, where only the client knows the identity of the server with which to communicate, but not vice versa.
This is representative of privacy with respect to performing web transactions [14], sending electronic mail [13, 5], as well as publishing documents [4].

However, as Internet speeds increase, individual users both want to and are more able to take on the role of a server themselves. Individuals often act as servers when participating in file sharing networks or hosting personal web pages. It is increasingly in their interest to remain anonymous when providing such services.

Strong privacy requirements aimed at protecting the client have challenged the ability of anonymizing networks to meet the performance requirements of their users. Many solutions are high-latency, as communications between client and server are typically weighted very heavily in the server-to-client direction, requiring server responses to be forwarded through a number of anonymizing hops.

To address these issues, we introduce Mantis, a searchable, peer-to-peer (P2P) network of anonymous nodes aimed at protecting the privacy of individuals acting as servers in the network. Our system takes advantage of the asymmetric nature of client-server communication, where servers send far more data than the clients they serve, and alleviates the overhead inherent in other anonymous networks where participants must forward entire transactions for other peers.

Mantis's ability to provide anonymity is modeled after Crowds [14], a system for anonymizing web transactions. Two nodes, a client and a server, establish a channel through a crowd of other users which they use to search, respond to service requests, and later coordinate a full transfer session. Anonymity is preserved by delegating the responsibility of sending a message from one peer to another, making the true initiator of a message extremely difficult to determine.

Unlike Crowds, however, our network is arranged in a tree-like structure, similar to Gnutella [21], providing users with the ability to search the P2P network.
Each participant connects to multiple peers and forwards search requests received from one peer to all others. This allows each search to reach a vast number of participants acting as servers as it is propagated throughout the network in a ripple-like manner. Search replies are returned to the initiator along the reverse path traversed by the original search request, and a tunnel between the client and server is established through which future transactions between the two nodes may be performed.

In order to minimize the traffic relayed through the P2P network, servers transfer data directly to clients via a separate, source-spoofed UDP stream, leaving only control data to be tunneled through the crowd. This reduces the bandwidth peers spend relaying messages and raises overall speed and throughput well beyond that of other anonymizing networks.

Finally, our system does not restrict the entry or exit of nodes in the network. Nodes along forwarding paths are assumed to be volatile and may exit at any time. We show that our protocol is reliable even as tunnels extending throughout the network are broken.

The remainder of this paper is organized as follows: Section 2 discusses related work. Section 3 discusses the goals and terminology. Section 4 provides a detailed explanation of the methodology and implementation of Mantis. Section 5 delivers performance results comparing Mantis to systems with similar goals. Section 6 is a detailed security analysis of our scheme. Section 7 discusses directions for future work. Section 8 concludes our paper.

2 Related Work

Crowds, Mixes [3] and Onion Routing [9] each present different methods for providing either sender anonymity, receiver anonymity, sender-receiver unlinkability, or a combination of the three, when performing transactions over the Internet. In each of these architectures, the sender (or client) is required to know beforehand the identity of the receiver (the server).
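The search propagation and reverse-path reply described above, as an added simulation that is not Mantis's own code. The toy topology, the TTL, the duplicate-suppression-by-query-id rule and the reply fields are assumptions made for the demonstration; the point it shows is that every relay stores only its previous hop, so the initiator learns nothing about the server beyond the neighbour that delivered the reply, while the per-hop state left behind is exactly the tunnel the text mentions.

```python
# Added illustration of flood search with replies routed along the reverse path.
# Not Mantis's own code: topology, TTL, dedup rule and message fields are assumptions.
import random
from collections import deque


class Node:
    def __init__(self, name, holds=()):
        self.name = name
        self.peers = []           # directly connected neighbours
        self.holds = set(holds)   # keywords this node can serve
        self.prev_hop = {}        # query id -> neighbour the query arrived from (None: we issued it)
        self.next_hop = {}        # query id -> neighbour on the path toward the server
        self.replies = []         # replies that reached this node as the initiator

    def connect(self, other):
        if other not in self.peers:
            self.peers.append(other)
            other.peers.append(self)


def flood_search(initiator, keyword, ttl=4, rng=random):
    """Propagate a search from `initiator` to every reachable node within `ttl` hops.

    Each node records only the neighbour it received the query from, so no relay
    learns who issued the search; a node that has already seen the query id drops
    duplicates, which stops the flood looping on cycles.
    """
    qid = rng.getrandbits(64)
    initiator.prev_hop[qid] = None
    queue = deque([(initiator, ttl)])
    servers = []
    while queue:
        node, hops = queue.popleft()
        if keyword in node.holds:
            servers.append(node)
        if hops == 0:
            continue
        for peer in node.peers:
            if qid in peer.prev_hop:      # already seen: duplicate suppressed
                continue
            peer.prev_hop[qid] = node
            queue.append((peer, hops - 1))
    for server in servers:              # demo assumes one matching server per query
        send_reply(server, qid, keyword)
    return qid


def send_reply(server, qid, keyword):
    """Return a reply along the reverse path, leaving tunnel state at every hop."""
    hop, hops_back = server, 0
    while hop.prev_hop[qid] is not None:
        prev = hop.prev_hop[qid]
        prev.next_hop[qid] = hop        # client->server direction of the tunnel
        hop, hops_back = prev, hops_back + 1
    # The initiator sees the keyword and the neighbour that delivered the reply,
    # never the server's identity.
    via = hop.next_hop[qid].name if hops_back else None
    hop.replies.append({"qid": qid, "keyword": keyword, "via": via, "hops": hops_back})


def tunnel_path(initiator, qid):
    """Follow the per-hop tunnel state from the initiator toward the server."""
    path, node = [initiator.name], initiator
    while qid in node.next_hop:
        node = node.next_hop[qid]
        path.append(node.name)
    return path


def build_demo_network():
    """Constructed topology: chain A-B-C-D, a cycle B-E-C, and F hanging off A."""
    nodes = {n: Node(n) for n in "ABCDEF"}
    nodes["D"].holds.add("report")
    for x, y in ("AB", "BC", "CD", "BE", "EC", "AF"):
        nodes[x].connect(nodes[y])
    return nodes


def demo(seed=1):
    net = build_demo_network()
    qid = flood_search(net["A"], "report", ttl=4, rng=random.Random(seed))
    return net, qid, net["A"].replies[0], tunnel_path(net["A"], qid)


if __name__ == "__main__":
    _, _, reply, path = demo()
    print(reply, path)
```

In the constructed network the query reaches E twice (via B and via C), and the second copy is dropped by the query-id check; the reply from D walks D, C, B, A, and A ends up holding only "via B" and a hop count.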
All these methods strive first and foremost to protect the identity of the client. Our scheme differs in both of these regards. In Mantis, clients lack knowledge of the server's identity and whereabouts prior to searching, and protecting the anonymity of the server is paramount.

Crowds originally introduced a scheme to enable a large group, or "crowd", of Internet users to anonymize their actions on the web by repeatedly delegating the responsibility of making web transactions to other crowd members. One crowd member performing an action on behalf of another cannot know with certainty whom they are assisting. Each crowd member that forwards messages in this manner, including the true initiator, can plausibly deny being the message source, as they too may have been given the request to fulfill
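The Crowds delegation rule described above, as an added simulation that is neither Crowds' nor Mantis's code: the initiator hands a request to a uniformly random crowd member (possibly itself), and each member that receives it forwards it to another random member with probability p_f, otherwise delivering it to the server. The crowd size, p_f and trial count are chosen for the demo. It measures the quantity behind the "plausible deniability" claim: how often the member handing over a request is actually its initiator.

```python
# Added simulation of Crowds-style probabilistic forwarding. Not Crowds' or Mantis's
# code; crowd size, p_f and trial count are assumptions for the demonstration.
import random


def crowds_path(n, p_f, rng):
    """Return the member ids a request visits, initiator first."""
    if not 0.0 <= p_f < 1.0:
        raise ValueError("p_f must lie in [0, 1) or the walk never terminates")
    path = [rng.randrange(n), rng.randrange(n)]   # the first hop is unconditional
    while rng.random() < p_f:                     # biased coin at every later hop
        path.append(rng.randrange(n))
    return path


def predecessor_is_initiator(n=100, p_f=0.75, trials=20000, seed=7):
    """Fraction of hand-overs in which the member handing over the request is the initiator.

    This is what a forwarder can say about its predecessor: the lower the value,
    the more plausibly the predecessor can deny being the source.
    """
    rng = random.Random(seed)
    hits = events = 0
    for _ in range(trials):
        path = crowds_path(n, p_f, rng)
        for k in range(1, len(path)):
            events += 1
            hits += path[k - 1] == path[0]
    return hits / events


def expected_fraction(n, p_f):
    """Closed form for the same quantity.

    A path has 1/(1 - p_f) hand-overs on average; the first always comes from the
    initiator, and each later one does with probability 1/n (the initiator is just
    another random member), which works out to (1 - p_f) + p_f / n.
    """
    return (1 - p_f) + p_f / n


if __name__ == "__main__":
    sim, exact = predecessor_is_initiator(), expected_fraction(100, 0.75)
    print(f"simulated {sim:.4f}  expected {exact:.4f}")
```

With p_f = 0 every request goes straight from the initiator to one member, so that member knows the source with certainty; raising p_f lengthens the walk and drives the figure toward 1 - p_f, which is the deniability each forwarder gains.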