MTU CS 6461 - Sampled Traffic Analysis by Internet-Exchange Level Adversaries

This preview shows page 1-2-3-4-5-6 out of 17 pages.



Sampled Traffic Analysis by Internet-Exchange-Level Adversaries

Steven J. Murdoch and Piotr Zieliński
University of Cambridge, Computer Laboratory
http://www.cl.cam.ac.uk/users/{sjm217, pz215}

Abstract. Existing low-latency anonymity networks are vulnerable to traffic analysis, so location diversity of nodes is essential to defend against attacks. Previous work has shown that simply ensuring geographical diversity of nodes does not resist, and in some cases exacerbates, the risk of traffic analysis by ISPs. Ensuring high autonomous-system (AS) diversity can resist this weakness. However, ISPs commonly connect to many other ISPs in a single location, known as an Internet eXchange (IX). This paper shows that IXes are a single point where traffic analysis can be performed. We examine to what extent this is true, through a case study of Tor nodes in the UK. Also, some IXes sample packets flowing through them for performance analysis reasons, and this data could be exploited to de-anonymize traffic. We then develop and evaluate Bayesian traffic analysis techniques capable of processing this sampled data.

1 Introduction

Anonymity networks may be split into two categories: high latency (e.g. Mixminion [1] and Mixmaster [2]) and low latency (e.g. Tor [3], JAP [4] and Freedom [5]). High latency networks may delay messages for several days [6] but are designed to resist very powerful attackers which are assumed to be capable of monitoring all communication links, so called global passive adversaries. However, the long potential delay makes these systems inappropriate for popular activities such as web-browsing, where low-latency is required. Although, in low-latency anonymity networks, communications are encrypted to maintain bitwise-unlinkability, timing patterns are hardly distorted, allowing an attacker to deploy traffic analysis to de-anonymize users [7,8,9]. While techniques to resist traffic analysis have been proposed, such as link padding [10], their cost is high and they have not been incorporated into deployed networks.

Instead, these systems have relied on the assumption that the global passive adversary is unrealistic, or at least those who are the target of such adversaries have larger problems than anonymous Internet access. But even excluding the global passive adversary, the possibility of partial adversaries remains reasonable. These attackers have the ability to monitor a portion of Internet traffic but not the entirety. Distributed low-latency anonymity systems, such as Tor, aim to resist this type of adversary by distributing nodes, in the hope that connections through the network will pass through enough administrative domains to prevent a single entity from tracking users.

This raises the question of how to select paths through the anonymity network to maximize traffic analysis resistance. Section 2 discusses different topology models of the Internet and their impact on path selection. We suggest that existing models, based on Autonomous System (AS) diversity, do not properly take account of the fact that while, at the AS level abstraction, a path may have good administrative domain diversity, physically it could repeatedly pass through the same Internet eXchange (IX). Section 3 establishes, based on Internet topology measurements, to what extent the Tor anonymity network is vulnerable to traffic analysis at IXes.

Section 4 describes how IXes are particularly relevant since, to assist load management, they record traffic data from the packets being sent through them. As aggregate statistics are required and the cost of recording full traffic would be prohibitive, only sampled data is stored. Hence, the quality of data is substantially poorer than was envisaged during the design and evaluation of previous traffic analysis techniques. Section 5 shows that, despite low sampling rates, this data is adequate for de-anonymizing users of low-latency anonymity networks. Finally, Section 6 discusses further avenues of research under investigation.

2 Location Diversity in Anonymity Networks

Tor has been long suspected, and later confirmed [11,12], to be vulnerable to an attacker who could observe both the entry and exit point of a connection through an anonymity network. As no intentional latency is introduced, timing patterns propagate through the network and may be used to correlate input and output traffic, allowing an attacker to track connection endpoints.

Delaying messages, as done with email anonymity systems, would improve resistance to these attacks, at least for a small number of messages. However, the additional latency here (hours to days) would, if applied to web browsing, deter most users and so decrease anonymity for the remainder [13]. In addition to the scarce bandwidth in a volunteer network, full link-padding would also introduce catastrophic denial of service vulnerabilities, because all parties would need to stop communicating and re-negotiate flow levels when one party left. Hence, the only remaining defense against traffic analysis is to ensure that the adversary considered in the system threat model is not capable of simultaneously monitoring enough points in the network to break users’ anonymity.

While this approach would be of no help against a global passive adversary, more realistic attackers’ traffic monitoring capabilities are likely to be limited to particular jurisdiction(s), whether they derive from legal or extra-legal powers. This intuitively leads to the idea that paths through anonymity networks should be selected to go through as many different countries as possible. The hope here is that an attacker attempting to track connections might have the ability to monitor traffic in some countries, but not all those on the path.

Unfortunately, Feamster and Dingledine [14] showed this approach could actually hurt anonymity because international connections were likely to go through one of a very small number of tier-1 Internet Service Providers (ISP) –

[Figure 1 labels: .se, .cn, .au, .us, .br, AS1, AS2, IX]

Fig. 1. Multiple-country path through a hypothetical anonymity network at geographical and AS level abstractions. Here, despite the path traveling through 3 countries between Brazil (.br) and the US (.us), there are two tier-1 ISPs which see all links. For example, the hop through China (.cn) is vulnerable since the incoming and outgoing links are observed by AS2. At first glance, the Swedish (.se) hop seems secure, as the incoming link is seen by AS2 and the outgoing by AS1. However, the Swedish ISP connects to AS1 and
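The AS-level versus IX-level comparison argued in Section 2 can be expressed as a path-selection check. The following is an added example, not code from the paper: the relay names, the placement of AS1 and AS2, and the exchange IX-A are constructed, and the assumption that both links of the Swedish hop cross IX-A is made here for illustration only.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    ases: frozenset                # ASes that carry this link
    ixes: frozenset = frozenset()  # IXes the link physically crosses

# Constructed path (illustrative names; IX-A placement is an assumption).
PATH = [
    Link("br-client", "cn-relay", frozenset({"AS2"})),
    Link("cn-relay", "se-relay", frozenset({"AS2"}), frozenset({"IX-A"})),
    Link("se-relay", "us-server", frozenset({"AS1"}), frozenset({"IX-A"})),
]

def observers(link, include_ix):
    """Entities able to see traffic on one link at the chosen abstraction."""
    return set(link.ases) | (set(link.ixes) if include_ix else set())

def common_observers(path, include_ix):
    """For each intermediate hop, the observers that see both its
    incoming and outgoing link (a single point for timing correlation)."""
    result = {}
    for incoming, outgoing in zip(path, path[1:]):
        if incoming.dst != outgoing.src:
            raise ValueError(f"links do not join at {incoming.dst!r}")
        result[incoming.dst] = (observers(incoming, include_ix)
                                & observers(outgoing, include_ix))
    return result

def exposed_hops(path, include_ix):
    """Hops a path selector should reject at the chosen abstraction."""
    shared = common_observers(path, include_ix)
    return sorted(hop for hop, obs in shared.items() if obs)

if __name__ == "__main__":
    print("AS level only:", exposed_hops(PATH, include_ix=False))
    print("AS + IX level:", exposed_hops(PATH, include_ix=True))
```

A selector that models only ASes accepts the Swedish hop, while the same check with IX membership included rejects it.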

