MTU CS 6461 - Sampled Traffic Analysis

This preview shows page 1-2-3-4-5 out of 15 pages.



Sampled Traffic Analysis by Internet-Exchange-Level Adversaries

Steven J. Murdoch (1, 2), Piotr Zieliński (1)
www.cl.cam.ac.uk/users/{sjm217, pz215}
(1) Computer Laboratory
(2) OpenNet Initiative, www.opennet.net
7th Workshop on Privacy Enhancing Technologies, 20–22 June 2007, Ottawa, Canada

This talk shows the impact of Internet exchanges on anonymity

• Traffic analysis of low-latency anonymity systems
• Internet exchanges as a traffic analysis point
• Performing traffic analysis with sampled data
• Effectiveness of the attack

Connecting directly to a server leaks information about users' behaviour

Anyone monitoring the client, server or the connection between them can see that the client is accessing that server

By routing the connection through intermediate nodes, the client's on-line privacy is improved

X knows the client's IP address; Z knows the server's IP address, but no node can see both; the server only knows Z's IP address

Tor hides content but not data rate so is vulnerable to traffic analysis

Layered encryption makes data entering and leaving a node unlinkable

But data rate is unchanged so traffic analysis can correlate flows

Location diversity can resist traffic analysis by a partial adversary

Jurisdictional model: attacker can monitor nodes in some countries

AS (autonomous system) model: attacker can monitor traffic flowing through some ISPs [Feamster & Dingledine]

IX model: attacker can monitor links passing through some points

Internet exchanges are strategically powerful locations for traffic analysis

AS name              Paths    %
Level 3              1 961    22%
NTL                  1 445    16%
Zen                  1 258    14%
JANET                1 224    14%
...

Internet exchange    Paths    %
LINX                 2 392    27%
DE-CIX                 231     3%
AMS-IX                 202     2%

For Tor nodes in the UK, the LINX (London Internet Exchange) is on more paths than any other ISP

LINX records and stores (partial) data from some of their core switches, and it is planned to be used for detecting spammers

AMS-IX records data too, but only used for generating statistics

Traffic data can be used to link flows, but only sampled data may be available

Attacker's goal is to establish probability that each output flow corresponds to the input flow of interest

For fast links only sampled data is available (1 in 2 048 for LINX)

Bayesian analysis shows only flow rates and overlap are significant

[Figures: match probability against input packets seen; match probability against first packet seen and last packet seen; input and output flows over time]

Match probability high when
• input and output rates similar
• amount of overlap high

Results of analysis show high accuracy and resistance to moderate delay

[Figure: success rate against packets seen, by attack method (full attack, durations, rate & overlap, rate only)]
[Figure: success rate against packets seen, by variable delay (no delay, 30 s, 1 min, 2 min, 5 min)]

Using both rate and amount of overlap significantly improves the accuracy of results; (50% success rate after ≈10 MB of traffic)

Introducing up to 30 seconds of latency to flows has no significant effect on the matching algorithm

In summary, Internet exchanges are ideal locations for traffic analysis

• Internet exchanges are present on a high proportion of Internet connections and may have the capability for collecting traffic data
• Sampled data, possible to collect with existing network equipment, is very effective in de-anonymising flows

Future work

• Develop improved defences
  • Because the timing of individual packets is not a relevant factor, introducing moderate latency does not mitigate the attack
  • Dummy traffic is more promising, but comes with a high cost
  • Paths could be selected to maintain Internet exchange diversity
• Refine limits of the attack's effectiveness
  • Simulate with more realistic (non-Poisson) traffic
  • Analyze traffic within the anonymity network
  • Consider more information (e.g. sequence numbers in
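
The defence listed under future work, selecting paths to maintain Internet exchange diversity, can be sketched as a filter over candidate circuits. This is an added example, not code from the talk or from Tor: the relay names and the per-path AS/IX sets are constructed, and working out which exchanges a path crosses is assumed to be done elsewhere.

```python
"""IX-diversity filter for circuit selection (illustrative sketch).

Under the IX model, one exchange can link a flow if it lies on both the
client->entry path and the exit->server path. All topology data below is
constructed for the example; only the AS and IX names come from the slides.
"""
from itertools import product

# Constructed: observation points (ASes, IXes) crossed by each path segment.
CLIENT_TO_ENTRY = {
    "entryA": {"AS:Zen", "IX:LINX"},
    "entryB": {"AS:NTL"},
    "entryC": {"AS:JANET", "IX:AMS-IX"},
}
EXIT_TO_SERVER = {
    "exitX": {"AS:Level3", "IX:LINX"},
    "exitY": {"AS:Level3", "IX:DE-CIX"},
    "exitZ": {"AS:NTL", "IX:AMS-IX"},
}


def shared_observers(entry, exit_):
    """Observation points present on both ends of the circuit."""
    return CLIENT_TO_ENTRY[entry] & EXIT_TO_SERVER[exit_]


def diverse_circuits():
    """(entry, exit) pairs with no AS or IX common to both ends."""
    pairs = product(CLIENT_TO_ENTRY, EXIT_TO_SERVER)
    return sorted((e, x) for e, x in pairs if not shared_observers(e, x))


def missed_by_as_only():
    """Circuits an AS-only diversity check accepts but an IX sits on both ends."""
    missed = []
    for e, x in product(CLIENT_TO_ENTRY, EXIT_TO_SERVER):
        shared = shared_observers(e, x)
        if shared and all(obs.startswith("IX:") for obs in shared):
            missed.append((e, x, sorted(shared)))
    return sorted(missed)


if __name__ == "__main__":
    for circuit in diverse_circuits():
        print("diverse:", circuit)
    for e, x, ixes in missed_by_as_only():
        print("AS-diverse but IX-exposed:", e, x, ixes)
```
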

