FACULTY OF SCIENCE, TECHNOLOGY AND COMMUNICATION

Hidden Service Tracking Detection and Bandwidth Cheating in Tor Anonymity Network

Thesis Submitted in Partial Fulfillment of the Requirements for the Degree of Master in Information and Computer Sciences

Author: Fabrice THILL
Supervisor: Prof. Alex BIRYUKOV
Reviewer: Prof. Volker MÜLLER
Advisor: Ivan PUSTOGAROV

August 2014

Acknowledgements

I would like to thank: Prof. Biryukov for giving me the opportunity to work on this topic; Ivan Pustogarov for his help and guidance; the University of Luxembourg for providing servers used in the experiments.

Abstract

Instantaneous online communications through the Internet have become an integral part of our world, both for business as well as for individuals. However, some entities restrict access to parts of the Internet, in an effort to establish censorship, while others monitor online communications. To circumvent censorship, restore privacy and anonymity, some tools such as Tor, a low latency anonymity network, have been created.

This work focuses on Tor and has two contributions:

1. A method of detecting tracking attacks on hidden services as well as an implementation. By analyzing 39841 hidden service addresses for the year 2013 we found that at least 50 Tor relays were conducting tracking attacks on a total of 45 hidden services.
2. An attack on the Tor bandwidth measurements protocol in order to obtain higher chances of being chosen for a client path, the implementation reaching a 1% probability to be chosen as an Exit node on the Tor network and the 21st highest relay, in terms of bandwidth weight, out of 5.834 active relays, while using a bandwidth of only 50 KB/s.

Contents

1 Introduction and Background
  1.1 Foreword
  1.2 Tor: Generation 2 Onion Routing
  1.3 Network Consensus Documents
  1.4 Hidden Services
    1.4.1 Rendezvous protocol
    1.4.2 Hidden Service Usage Tracking and Censoring
  1.5 Consensus Bandwidth Weight
    1.5.1 Bandwidth Scanners
    1.5.2 Result Aggregation
  1.6 Path Selection Algorithm
2 Tracking Detection on Tor Hidden Services
  2.1 Automated Detection
    2.1.1 Method Overview
    2.1.2 Implementation Details
    2.1.3 Experimental Results
  2.2 Visualization of HSDir Anomalies
3 Bandwidth Cheating
  3.1 Method overview
  3.2 Implementation Details
  3.3 Experimental Results
4 Concluding remarks
  4.1 Discussion on Tracking of Hidden Services
  4.2 Discussion and Countermeasures on Bandwidth Cheating
Bibliography
A Additional Resources
B Results Format
C Modified Descriptor for Trokel
D Bandwidth Tables Format
E List of used Hidden Service Addresses

Chapter 1
Introduction and Background

1.1 Foreword

Tor is a low latency anonymity system originally developed by the U.S. Naval Research Laboratory [14], now an open source project developed by "The Tor Project", a non-profit organization [13]. It is nowadays the most popular anonymity and censorship circumvention tool as well as the most researched onion routing scheme. Originally the Tor network was comprised of about 40 nodes with a bandwidth usage of about half a gigabyte a week. At the time of this writing the Tor network is comprised of more than 5000 nodes with the top nodes relaying multiple terabytes daily. Some of the success of Tor can be attributed to the goals defined in the original design paper [8]. These goals were: deployability, usability, flexibility and a simple design. The Tor browser bundle, a version of the Firefox web browser modified to provide better security and automatically route traffic through the Tor network client, is a manifestation of these goals. The Tor threat model does not include a global adversary, i.e. an adversary which can listen, block or modify all messages between routers. Instead Tor is built to defend against an attacker which can only listen to part of the traffic and can possibly corrupt or control some Tor nodes.

The next chapter will first give a broad explanation of Tor, then focus on the Hidden Services, a functionality which provides responder anonymity, and finally explain the consensus bandwidth weights, motivations, how the weight is obtained and how it affects path creation in Tor.

The second chapter will provide methods and an implementation to detect tracking attacks of hidden services, along with the experimental results of our study. Tracking service activity and usage as well as censoring is achieved by gaining control over responsible directory nodes. The possibility of such attacks was predicted in [9]. The actual attacks were demonstrated in "Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization" [7].

The third chapter will focus on how the Tor bandwidth measurement protocol can be abused in order to obtain a higher chance to be chosen by a client, thus facilitating other attacks such as traffic confirmation [22] and website fingerprinting [23].

Finally, the last chapter will discuss some of the obtained results and propose countermeasures.

1.2 Tor: Generation 2 Onion Routing

Tor is an onion routing system; this means that instead of directly connecting to a website or service, the client sends his traffic through multiple servers in order to conceal his IP address. Originally Tor was an acronym for The Onion Router; the term onion routing comes from the layers of encryption around the connection.

Assume Alice wants to send a message to a website using the Tor network. Alice uses a Tor client or Onion Proxy (OP) which will relay the message through the Tor network. When the OP is first connected to the network, it downloads directory information from the directory authorities. The authorities are a small set of trusted nodes (currently 9) in the network which gather information on each relay in the network.

Once the OP has learned enough information about relays, it can start building a circuit, i.e. a path through the Tor network. All traffic in Tor is exchanged using cells of fixed 512 bytes size. Each cell contains a circuit-id, a command and a payload. The circuit-id is a randomly chosen number which links together two connections on a relay. Commands can be classified into two categories, control and relay commands. Control commands are meant to be interpreted by the relay that receives them; relay commands instruct a relay to forward a cell to the next node in the circuit. In order to create a circuit, the OP first establishes a TLS connection with the first node (also known as Entry node or Guard node). It then sends a CREATE cell to the Guard node over TLS. The cell is additionally encrypted using the public key of the first node and contains the first part of the Diffie-Hellman key exchange handshake. The Guard node responds with the second half of the Diffie-Hellman handshake.

Now that a symmetric key has been created between the two parties, the OP sends an EXTEND cell to the Guard node, again containing the first half of the Diffie-Hellman handshake encrypted with the public key of the second node (also known as Middle node). The Guard node extracts the payload, puts it into a CREATE cell and sends the cell to the Middle node. The Middle node responds with the second half of the Diffie-Hellman handshake, which is relayed to the OP by the first node.

This step is repeated a third time for the Exit node, the last node in the 3 hop circuit Tor uses by default for clients. Alice's OP now shares a symmetric key with each of the relays and can now use the circuit to send and receive information.

In order to send a message to a website for instance, the OP creates an encrypted message with the structure: $C_1, \{\{\{m\}_{k_3}\}_{k_2}\}_{k_1}$, where $\{X\}_{k_i}$ denotes AES encryption with key $k_i$, and $C_1$ denotes circuit ID. It then sends the encrypted message to the first relay, with which it shares the symmetric key $k_1$. The first relay removes a layer of encryption and obtains the circuit ID $C_1$ and the encrypted message $\{\{m\}_{k_3}\}_{k_2}$ which it cannot decrypt. With $C_1$ the relay knows that it should send the message to the second relay and does so, while providing $C_2$ for the next relay. This step is repeated, each time removing a layer of encryption, until the message reaches the Exit node, which can remove the final layer of encryption, learn the final destination and send the message to the website.

Figure 1.1 was taken as is from [8] and shows one such circuit creation as well as the subsequent data transfer between the client and the website.

Figure 1.1: A two-hop circuit creation with data exchange

If there is a response from the website, the functioning is the same, but instead of decrypting, each relay adds a layer of encryption. When this encrypted message arrives at the sender, it can decrypt all 3 layers and read the response. In essence, this system provides a method of breaking the link between the message and the sender. The Guard node has sender's IP address but no information on the message or its destination, while the Exit node has both message and the destination, but does not learn any information about the sender.
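
The layering described above, in both directions, as an added example that is not code from the thesis. It assumes a 509-byte payload per 512-byte cell and uses a SHA-256 counter keystream as a stand-in for AES; the keys, circuit IDs and all function and class names are constructed for illustration.

```python
import hashlib

PAYLOAD_LEN = 509  # assumed split of the 512-byte cell: 2-byte circuit ID + 1-byte command

def xor_layer(key: bytes, direction: bytes, data: bytes) -> bytes:
    """One layer {X}_k. A SHA-256 counter keystream stands in for AES here;
    with a stream cipher, adding and removing a layer are the same XOR."""
    stream = b"".join(hashlib.sha256(key + direction + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Relay:
    def __init__(self, key: bytes, circ_in: int, circ_out):
        self.key = key
        self.route = {circ_in: circ_out}  # circuit ID links the two connections
        self.seen = []                    # payloads this relay held after its own layer

    def forward(self, circ_id: int, payload: bytes):
        payload = xor_layer(self.key, b"fwd", payload)  # strip exactly one layer
        self.seen.append(payload)
        return self.route[circ_id], payload

def pad(message: bytes) -> bytes:
    return message.ljust(PAYLOAD_LEN, b"\0")  # every cell has the same size

def send(relays, keys, first_circ_id: int, message: bytes) -> bytes:
    """Client builds {{{m}_k3}_k2}_k1, then each hop peels its layer."""
    cell = pad(message)
    for key in reversed(keys):            # innermost layer belongs to the Exit (k3)
        cell = xor_layer(key, b"fwd", cell)
    circ_id = first_circ_id
    for relay in relays:
        circ_id, cell = relay.forward(circ_id, cell)
    return cell.rstrip(b"\0")             # what the Exit sends to the website

def reply(relays, keys, response: bytes):
    """Return path: each relay adds a layer, the client removes all three."""
    cell = pad(response)
    for relay in reversed(relays):        # Exit first, Guard last
        cell = xor_layer(relay.key, b"bwd", cell)
    on_wire = cell                        # what travels from the Guard to the client
    for key in keys:
        cell = xor_layer(key, b"bwd", cell)
    return on_wire, cell.rstrip(b"\0")

# Constructed keys and circuit IDs for a Guard -> Middle -> Exit circuit.
KEYS = [bytes([n]) * 16 for n in (1, 2, 3)]
CIRCUIT = [Relay(KEYS[0], 11, 22), Relay(KEYS[1], 22, 33), Relay(KEYS[2], 33, None)]
```

After a call to `send`, each relay's `seen` list shows that only the Exit ever holds the plaintext, while the Guard and Middle hold payloads still wrapped under the keys of the later hops.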

It can also be noted that should an attacker be able to read both the data entering the Guard node and the data exiting the Exit node, or possibly control both nodes, it is possible to do traffic correlation attacks which deanonymise the user¹.

Tor in its current implementation by default uses 3 hop circuits, meaning a relay can be either a Guard node, Middle node or Exit node. Each type of node has different requirements:

Guard nodes. Guard nodes are arguably the nodes in which the most trust is placed since they protect user's anonymity. Possible attacks against the Tor network include correlation attacks (in which the attacker compares traffic coming to the Tor network with traffic leaving the network) and website fingerprinting attacks (where the traffic of users is compared to pre-built patterns).

If an attacker controls A out of N nodes in the network², the probability of the attacker controlling both the entry node and the Exit node of a random circuit in the network is $\left(\frac{A}{N}\right)^2$, but if the client over time builds a lot of different circuits, the probability of the attacker controlling one pair of entry router and exit router over the possible pairs converges rapidly to 1.

To prevent this from happening each client chooses Entry nodes from a set of three Guard nodes. A Guard node remains in the set for a random duration between 30 and 60 days³. The fact that a Guard node is chosen at the beginning of the rotation period only (and not for each circuit) and remains the same during the whole period dramatically reduces the convergence rate. The probability of choosing an attacker node at the beginning of a rotation period is $\frac{A}{N}$. This results in that the attacker controls either 1/3 of the user's circuits for the duration of the period or none of them.

A node is only used by clients as a Guard node if it has a Guard, Valid and Running flag. An explanation on all the flags can be found in section 1.3.

¹ By deanonymisation we mean revealing the user's public IP address. In case of a user behind NAT (the most common case), this is an IP address of the user's ISP.
² The probability for a relay to be chosen by a client is proportional to its bandwidth, however for the sake of simplicity of the example we assume that the relay's bandwidth is not taken into account.
³ However at the time of writing Tor developers are considering switching to only one Guard node with a rotation period of several months.
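
The convergence argument for Guard nodes can be made explicit. This is an added worked step, not part of the thesis; it keeps the text's simplifying assumption that relays are picked uniformly and additionally assumes that picks are independent. Write $p = \frac{A}{N}$. A client that picks a fresh entry and exit node for each of $k$ circuits has at least one circuit with both ends attacker-controlled with probability

$$P_{\text{no guards}}(k) = 1 - \left(1 - p^2\right)^k \longrightarrow 1 \quad (k \to \infty).$$

With a set of three Guard nodes that stays fixed for a whole rotation period, building more circuits inside a period gives the attacker no new chance at the entry position. The probability that at least one Guard of the client is attacker-controlled after $r$ rotation periods is

$$P_{\text{guard}}(r) = 1 - (1 - p)^{3r},$$

and only in that event can any circuit be observed at both ends. For $p = 0.01$, ten thousand independently built circuits give $P_{\text{no guards}} \approx 0.63$, whereas within one rotation period $P_{\text{guard}}(1) = 1 - 0.99^3 \approx 0.03$ no matter how many circuits are built.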

Middle nodes. There are no requirements for being a Middle node except of course having the Valid and Running flag. Middle nodes are the nodes in the network which learn the least amount of information about clients since they only relay encrypted information from one relay to the next.

Exit nodes. Exit nodes are relays which allow connections outside the Tor network on behalf of a client. A Tor Exit node operator can restrict the addresses and ports to which it allows outgoing connections in the relay's Exit policy. Exit nodes require an Exit, Valid and Running flag (see section 1.3). Controlling both Guard and Exit nodes is crucial for a traffic confirmation attack.

1.3 Network Consensus Documents

The Network Consensus Documents (hereafter simply called consensus document or consensus) are files containing the results of all votes by the directory authorities on the status of all active relays in the network. A consensus is produced every hour and is valid for a period of 3 hours.

We now give an overview of the consensus information necessary for this work; additional information can be found in the Tor specification document [20]. The latest consensus as well as the archives for all public data on Tor can be downloaded from [17].

A consensus begins with general information such as version, validity time, known flags as well as parameters for votes and information on each directory authority.

For each relay in the consensus we have multiple lines each starting with a letter:
• r: General information
  – The name, which serves as an identity readable by humans; it does not however have to be unique
  – The fingerprint or identity, a base-64 encoded hash of the public key
  – The digest, a base-64 encoded hash of the most recent descriptor
  – The publication time of the most recent descriptor
  – The IP address (IPv4)
  – The OR port, the port the onion router uses for its communications
  – The directory port, the port used to transmit directory information; the directory port is optional and is 0 if not present
• s: Flags, if present then:
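
A parser for the `r` and `s` lines described in this list, as an added example that is not code from the thesis. The field order follows the list above, the 20-byte hash length is an assumption, the role check uses the Guard and Exit flag requirements from section 1.2, and the function names and sample relays are constructed for illustration.

```python
import base64
import ipaddress
from datetime import datetime

def hash_hex(field: str) -> str:  # unpadded base-64 hash field -> upper-case hex
    raw = base64.b64decode(field + "=" * (-len(field) % 4), validate=True)
    if len(raw) != 20:  # assumption: 20-byte SHA-1 values
        raise ValueError("unexpected hash length: %d" % len(raw))
    return raw.hex().upper()

def parse_relays(consensus: str) -> list:
    """One dict per 'r' line, with the flags of the following 's' line attached."""
    relays = []
    for line in consensus.splitlines():
        parts = line.split()
        if parts[:1] == ["r"]:
            if len(parts) != 9:
                raise ValueError("malformed r line: %r" % line)
            name, ident, digest, day, clock, ip, or_port, dir_port = parts[1:]
            ports = (int(or_port), int(dir_port))
            if not all(0 <= p <= 65535 for p in ports):
                raise ValueError("port out of range: %r" % line)
            relays.append({
                "name": name,                       # human readable, not unique
                "fingerprint": hash_hex(ident),     # hash of the public key
                "digest": hash_hex(digest),         # hash of the latest descriptor
                "published": datetime.strptime(day + " " + clock, "%Y-%m-%d %H:%M:%S"),
                "ip": ipaddress.IPv4Address(ip),
                "or_port": ports[0],
                "dir_port": ports[1] or None,       # 0 means no directory port
                "flags": set(),
            })
        elif parts[:1] == ["s"] and relays:
            relays[-1]["flags"] = set(parts[1:])
    return relays

def usable_as(relay: dict, role: str) -> bool:
    """Guard and Exit use need that flag plus Valid and Running (section 1.2)."""
    return {role, "Valid", "Running"} <= relay["flags"]

def _enc(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=")
# Constructed sample, not taken from a real consensus.
SAMPLE = """\
r ExampleGuard {0} {1} 2013-06-01 12:00:00 192.0.2.10 9001 9030
s Fast Guard Running Stable Valid
r ExampleExit {2} {3} 2013-06-01 11:30:00 198.51.100.7 443 0
s Exit Running Valid
""".format(*(_enc(bytes([n]) * 20) for n in (0x01, 0x11, 0xAA, 0x22)))
```

Any malformed field (wrong field count, bad base-64, invalid address, port or timestamp) raises `ValueError`, so a corrupted archive entry is rejected instead of silently producing a wrong fingerprint.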