February 2007
Since the appearance of our paper, Low-Resource Routing Attacks Against Anonymous Systems, on Slashdot,
we have received several questions from concerned Tor users regarding our
findings. In this work, our primary goal is not to "break" any aspect of Tor,
but rather to explore solutions to the well-known problem of making routing
decisions based upon unverified and potentially false information. Our hope is
that Tor can be improved through this work. In this FAQ, we hope to provide
clarification regarding the implications of our research to the Tor community.
Frequently Asked Questions (FAQs)
- Q0. Most importantly, does this attack mean that we should stop using Tor?
- A0.
ABSOLUTELY NOT! Despite our findings, Tor is the most secure and usable privacy
enhancing system available. We believe that the system is safe for end-users;
however, the system is experimental and the developers make no guarantees about
the degree of privacy that it can provide. Let us reiterate: concerned users should NOT stop using Tor.
For the short-term, the maintainers of the Tor directory servers can monitor
the router list to ensure that there are no anomalous advertisements, and
blacklist any suspicious routers. In our paper, we point out several
counter-measures that significantly reduce the attack's effectiveness by
increasing the resources required by an attacker to mount the attack.
- Q1. What is Tor?
- A1.
Tor is the second-generation design of the onion routing research project originally funded by the Office of Naval
Research (ONR). The Tor project's main goal is to develop a network that
protects the privacy of TCP connections. In addition, Tor aims to provide
end-user anonymity with constraints such as low latency, deployability,
usability, flexibility, and simple design.
- Q2. How does Tor work?
- A2.
Tor works by tunneling end-user traffic through a series of intermediate
servers, called "Tor routers." To a passive adversary, it is very difficult to
determine from where the traffic exiting the network originated. The designers
of Tor provide a good overview.
- Q3. How does this attack work?
- A3.
The basic premise behind our attack is the following: When Tor clients choose
their path (called a "circuit") through the network, the system attempts to
provide high performance by preferentially choosing Tor routers that advertise
high bandwidth and a long time in the network. To compound things, the protocol
does not verify any claim made by the onion routers. Our attack works by sending false resource
advertisements into the network. This causes our "malicious" servers to be
chosen to be part of a large number of paths through Tor. Furthermore, when two
of our servers exist at the beginning and end of the path through the network,
our attack performs "end-to-end traffic analysis" based upon correlating the
timing of the messages at each endpoint. Using this technique, it is possible
to determine the sender and receiver of a message that uses such a path.
The key contribution of this work is the following: While the Tor developers
realized that analytical models often fail to reflect the full complexities of
a real deployment, we are the first to experimentally analyze and push the
limits of the practical implications of Tor's heterogeneous architecture on
its anonymity.
To evaluate this attack, we deployed an isolated Tor network on the
PlanetLab testbed. We introduced
low-resource malicious servers that falsely gave the illusion of
high-performance servers, which allowed them to be included on a
disproportionately high number of paths. To sample our results, in a PlanetLab
experiment with 60 honest nodes and 6 malicious servers falsely claiming to
have high bandwidths and uptimes, the technique could compromise over 46% of the
paths through the network. This is in stark contrast to the 0.70% of paths
predicted by an analytical model.
Since our primary purpose in this paper is NOT to demonstrate how to compromise
the anonymity of Tor, we instead focus on designing solutions that can help
the system prevent this type of attack. We propose a distributed reputation
system to mitigate the ability of malicious servers to influence the routing
mechanism.
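To make the mechanism concrete, here is a small simulation added as an example (it is not code from the paper or from Tor): honest routers advertise plausible bandwidths, a few malicious routers advertise an inflated figure, and circuits are built by a bandwidth-weighted draw that takes advertisements at face value, which is a simplification of Tor's selection rule. It also includes the kind of median-based anomaly check that Q0 says directory maintainers can run over the router list; the router counts match the PlanetLab experiment, but every bandwidth value is constructed.

```python
import random
from fractions import Fraction
from statistics import median

def make_routers(n_honest=60, n_malicious=6, inflated_bw=10_000, seed=1):
    """Constructed router list of (name, advertised bandwidth, is_malicious).
    Honest routers advertise plausible values; malicious ones inflate theirs."""
    rng = random.Random(seed)
    routers = [("honest-%d" % i, rng.randint(20, 500), False) for i in range(n_honest)]
    routers += [("malicious-%d" % i, inflated_bw, True) for i in range(n_malicious)]
    return routers

def analytic_compromise_rate(n_honest, n_malicious):
    """Fraction of circuits with a malicious entry AND exit if routers were drawn
    uniformly without replacement, i.e. a model that ignores advertisements."""
    n = n_honest + n_malicious
    return Fraction(n_malicious, n) * Fraction(n_malicious - 1, n - 1)

def choose_circuit(routers, rng, path_len=3):
    """Draw path_len distinct routers, each draw weighted by ADVERTISED bandwidth."""
    pool = list(routers)
    path = []
    for _ in range(path_len):
        pick = rng.choices(pool, weights=[bw for _, bw, _ in pool], k=1)[0]
        path.append(pick)
        pool.remove(pick)
    return path

def simulate_compromise_rate(routers, trials=20_000, seed=7):
    """Share of simulated circuits whose entry and exit are both malicious."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        path = choose_circuit(routers, rng)
        if path[0][2] and path[-1][2]:
            hits += 1
    return hits / trials

def flag_anomalous_advertisements(routers, factor=10):
    """Directory-side check: names of routers advertising more than factor times
    the median bandwidth of the list (a first cut at 'anomalous advertisements')."""
    threshold = factor * median(bw for _, bw, _ in routers)
    return [name for name, bw, _ in routers if bw > threshold]

if __name__ == "__main__":
    routers = make_routers()
    print("uniform model: %.2f%%" % (100 * float(analytic_compromise_rate(60, 6))))
    print("bandwidth-weighted: %.1f%%" % (100 * simulate_compromise_rate(routers)))
    print("flagged:", flag_anomalous_advertisements(routers))
```

With the inflated advertisements the weighted draw puts a malicious router at both ends of well over half the simulated circuits, versus the 0.70% the uniform model predicts; with honest-looking advertisements the two agree.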
- Q4. How does this work fit with previous research?
- A4.
This attack is not, in fact, the first attack against Tor. In 2005,
Murdoch and Danezis presented a low-cost traffic analysis technique that allowed an outside
observer to infer which Tor routers are being used to relay a path's traffic
based upon introducing latency into servers on the path.
Øverlier and Syverson developed an attack in which an adversary could locate hidden services within
the Tor network. Murdoch demonstrated an alternate technique for locating hidden services.
It is important to note that, since Tor uses a centralized routing mechanism to
maintain and distribute routing information, it is not vulnerable to many of
the routing attacks that are possible in decentralized overlay systems. These
include, for example, the Eclipse attack, attacks on distributed hash tables (DHTs),
insider attacks in application-layer multicast protocols, and passive node profiling attacks.
While centralized routing tends to have scalability limitations, Tor's
directory servers do, in fact, protect it from a variety of well-known attacks.