Detecting Traffic Snooping in Tor Using Decoys


Presenter: 張逸文

DETECTING TRAFFIC SNOOPING IN TOR USING DECOYS

RAID 2011

Sambuddho Chakravarty, Georgios Portokalidis, Michalis Polychronakis, Angelos D. Keromytis

Columbia University, NY, USA

2 OUTLINE

1. Introduction

2. Background

3. System Architecture

4. Deployment Results

5. Discussion and Future work

6. Related work

7. Conclusion

3 INTRODUCTION (1/2)

Anonymity and privacy-preserving systems

Tor [15], , Anonymizer

They operate by routing user traffic through one or more proxies, often using layered encryption schemes

Absence of end-to-end encryption

Man-in-the-middle attacks

HTTPS being switched to plain HTTP

4 INTRODUCTION (2/2)

Using decoy traffic to detect eavesdropping in proxying architectures, and in particular in anonymous communication systems

Other uses of decoy traffic: unprotected wireless networks [9], warning of insider threats [8]

Multiple “bait” credentials for IMAP and SMTP servers

5 BACKGROUND

Tor Anonymity Network

The most widely used low-latency anonymity network

Users can hide their IP => Hidden services

How does it work?

Threat Model

Malicious exit nodes

Extracting credentials, eavesdropping private information

Intercept the traffic of SSL connections

6 SYSTEM ARCHITECTURE (1/6)

Approach

Network eavesdropping is a passive operation without observable effects

Credentials without application-layer encryption can be used by the eavesdropper => observable

We entice a prospective snooper to use the intercepted decoy credentials to access a service under our control

7 SYSTEM ARCHITECTURE (2/6)

8 SYSTEM ARCHITECTURE (3/6)

Implementation

Choosing a set of services that

① are supported by a large number of Tor exit nodes

② support unencrypted authentication by a clear-text protocol

The number of Tor exit nodes that allowed the relaying of traffic through various TCP port numbers

IMAP(port 143) and SMTP (port 587) protocols

9 SYSTEM ARCHITECTURE (4/6)

10 SYSTEM ARCHITECTURE (5/6)

Decoy Traffic Transmission and Eavesdropping Detection

Client: implemented in Perl; service protocol emulation is provided by the Net::IMAPClient and Net::SMTP modules

Client is hosted on Ubuntu Server Linux v8.04

The client creates one connection to each decoy server every day through each Tor exit node that supports the service

Each exit node is tied to its own set of credentials for each decoy service

11 SYSTEM ARCHITECTURE (6/6)

Decoy services: Courier IMAP v4.6.0 & Postfix v2.7.0

Illegitimate connections are identified by comparing the logs recorded at the client and at the server

Important implementation considerations

Time synchronization => Network Time Protocol

Amount and Quality of Decoy Traffic

The believability of the decoy traffic [9]

Eavesdropping Incident Verification
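The log comparison described on slides 10 and 11, as an added example (not the paper's Perl client): the client records every decoy login it sent, the decoy IMAP server records every successful login, and each username is bound to one exit node. A server login that no client login explains is an eavesdropping incident, and the binding names the exit node that relayed the clear-text credential. Fingerprints, IPs, the clock-skew tolerance and the log layout are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: placeholder exit fingerprints and documentation-range IPs.
EXIT_NODES = {  # username -> (exit fingerprint, exit IP the legitimate decoy login should come from)
    "decoy_a": ("EXIT-FP-A", "198.51.100.10"),
    "decoy_b": ("EXIT-FP-B", "203.0.113.25"),
}
CLIENT_LOG = [  # (UTC time, username) for every decoy login the client sent through Tor
    ("2010-09-01 02:00:05", "decoy_a"),
    ("2010-09-01 02:00:40", "decoy_b"),
]
SERVER_LOG = [  # (UTC time, source IP, username) for every successful login at the decoy IMAP server
    ("2010-09-01 02:00:06", "198.51.100.10", "decoy_a"),  # matches the client's login
    ("2010-09-01 02:00:41", "203.0.113.25", "decoy_b"),   # matches the client's login
    ("2010-09-03 14:12:09", "192.0.2.77", "decoy_b"),     # two days later, from an unrelated host
    ("2010-09-03 14:13:30", "203.0.113.25", "decoy_b"),   # from the exit's IP, but the client sent nothing then
]
SKEW = timedelta(seconds=30)  # assumed tolerance; NTP keeps client and server clocks within this


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_incidents(client_log=CLIENT_LOG, server_log=SERVER_LOG, skew=SKEW):
    """Return server logins not explained by a client decoy login.

    A server login is legitimate only if the client logged in with the same
    username within `skew` seconds AND the connection came from the bound
    exit node's IP (assumed policy). Anything else means the credential was
    intercepted; the bound fingerprint is the relay that saw it in clear text.
    """
    incidents = []
    for when, src_ip, user in server_log:
        fingerprint, exit_ip = EXIT_NODES[user]
        explained = any(
            u == user and abs(_ts(when) - _ts(ct)) <= skew and src_ip == exit_ip
            for ct, u in client_log
        )
        if not explained:
            incidents.append({"time": when, "src_ip": src_ip,
                              "user": user, "suspect_exit": fingerprint})
    return incidents


if __name__ == "__main__":
    for inc in find_incidents():
        print(f"{inc['time']} login as {inc['user']} from {inc['src_ip']}: "
              f"credential leaked via exit {inc['suspect_exit']}")
```

Both flagged logins point at the same exit, which is the attribution the paper relies on; a replay from the exit's own IP is still caught because the client sent no decoy login at that time.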

12 DEPLOYMENT RESULTS

August 2010 ~ May 2011

Ten traffic interception incidents, all observed at the decoy IMAP server

Table 1.

Available bandwidth of the malicious exit nodes

Locations of the Tor exit nodes involved in the observed incidents

Geo-IP tool

13 DISCUSSION AND FUTURE WORK (1/4)

Detection confidence

The ease of installing and operating a Tor exit node

The host system may lack software patches or have poor security

Connecting back to the decoy server from the same exit node

Future work: using multiple replicas of the decoy servers scattered across different networks, each associated with a different set of credentials

14 DISCUSSION AND FUTURE WORK (2/4)

Decoy Traffic Credibility

Increasing the number and diversity of the innocuous email messages in SMTP traffic

Containing bait documents that would ping back to our system

Capturing network traces of protocol interactions using various real IMAP clients and servers

15 DISCUSSION AND FUTURE WORK (3/4)

Detection of HTTP Session Hijacking

Some sites switch back to HTTP after the user has logged in

Users are unaware of whether HTTPS is in use

Attackers can steal the session cookie in the HTTP requests of authenticated users

Future work: detecting HTTP session hijacking attacks by the use of decoy accounts

16 DISCUSSION AND FUTURE WORK (4/4)

Traffic Eavesdropping and Anonymity Degradation

Reducing anonymity set

Eavesdropping Detection as a Network Service

Honeynet-based system

Used as an eavesdrop detection system

17 RELATED WORK (1/2)

Clifford Stoll

The Cuckoo’s Egg: trapping an intruder that broke into the systems of the Lawrence Berkeley National Laboratory

Honeypots have been extensively used for modeling, logging and analyzing attacks

Honeytokens

Pieces of information; once an adversary obtains one, any subsequent use of it clearly indicates unauthorized access

18 RELATED WORK (2/2)

Bowen et al.

WiFi traffic as a basis for the generation of decoy traffic with realistic network interactions

McCoy et al.

taking advantage of the IP address resolution functionality of network traffic capturing tools

This functionality may be disabled by the eavesdropper

19 CONCLUSION

Applying decoy user credentials to the detection of traffic interception in anonymity networks

Detected ten cases in which decoy credentials were used by a third party to log in to servers under our control

How the proposed method can be extended for the detection of HTTP session hijacking attacks

20

Thanks & go 金盾 !!
