HOnions: Exposing Snooping Tor HSDirs - RSA Conference · HOnions: Exposing Snooping Tor HSDirs...
Transcript of HOnions: Exposing Snooping Tor HSDirs - RSA Conference · HOnions: Exposing Snooping Tor HSDirs...
HOnions:ExposingSnoopingTorHSDirsAmiraliSanatinia,NortheasternUniversityIn the last decade, Tor proved to be a very successful and widely popular system to protect users’anonymity.However,Torremainsapracticalsystemwithavarietyof limitations,someofwhichwereindeedexploitedintherecentpast.Tor’ssecurityreliesonthefactthatasubstantialnumberofitsnodesdo notmisbehave. In this work, we introduce, the concept of honey onions, a framework to detectmisbehavingTorrelayswithHSDircapability.Thisallowstoobtainlowerboundsonmisbehavioramongrelays.WeproposealgorithmstobothestimatethenumberofsnoopingHSDirsand identifythemostlikelysnoopers.Ourexperimentalresultsindicatethatduringtheperiodofthestudy(72days)atleast110suchnodesweresnoopinginformationabouthiddenservicestheyhost.Werevealthatmorethanhalf of themwere hosted on cloud infrastructure and delayed the use of the learned information topreventeasytraceback.Weintroducetheconceptofhoneyonions(honions)[1],toexposewhenaTorrelaywithHSDircapabilityhasbeenmodifiedtosnoopintothehiddenservicesthatitcurrentlyhosts.ToautomatetheprocessofgeneratinganddeployinghonionsinawaythattheycoverasignificantfractionofHSDirs,wedevelopedseveral tools.A key constraint in thisprocesswas tominimize thenumberofdeployedhonions. ThisderivesprimarilyfromourdesiretonotimpacttheTorstatisticsabouthiddenservices(particularlygiventherecentsurgeanomaly).ByconsideringthenumberofHSDirs(approximately3000),wecouldinferthatweneedtogeneratearound1500honionstocoverallHSDirswith0.95probability.Weused1500honionsperbatch(daily,weekly,ormonthly)andcouldverifythat95%oftheHSDirsweresystematicallycovered.Figure1,depictsthearchitectureofoursystem.
Figure1 Figure2
Intotal,wedetectedatleast110maliciousHSDirs,andabout40000visits.Morethan70%oftheseHSDirsarehostedonCloudinfrastructure.Around25%areexitnodesascomparedtotheaverage,15%ofallrelaysin2016,thathaveboththeHSDirandtheExitflags.Thiscanbeinterestingforfurtherinvestigation,sinceitisknownthatsomeExitnodesaremaliciousandactivelyinterferewithusers’trafficandperformactiveMITMattacks.Furthermore,20%ofthemisbehavingHSDirsare,bothexitnodesandarehostedonCloudsystems,hostedinEuropeandNorthernAmerica.Thetop5countriesare,USA,Germany,France,UK,andNetherlands.Figure2,depictsthegeolocationmapofidentifiedmaliciousHSDirs.Mostofthevisitswerejustqueryingtherootpathoftheserverandwereautomated.However,weidentifiedlessthan20possiblemanualprobing.Additionally,wedetectedotherattackvectors,suchasSQLinjection,usernameenumeration,crosssitescripting(XSS),andpathtraversal.
References[1]A.SanatiniaandG.Noubir, "HoneyOnions:aFramework forCharacterizingand IdentifyingMisbehavingTorHSDirs,"inIEEEConferenceonCommunicationsandNetworkSecurity(CNS),2016
1. Generate honions
hoi
hoj
2. Place honions on HSDirs3. Build bipartite graph
On visit, mark potential HSDirs
hoj
di
di+2
di+1
di
di+1
di+2
On visit, add to bipartite graph
• Tor is a practical privacy infrastructure
• Tor’s security relies on the honest behavior of relays
• Tor clearly states HSDirs should not snoop on onion services
• The behavior of HSDirs has not been studied
• Question: How to detect the snooping HSDirs and estimate a lower bound on them?
• Malicious HSDirs have different level of sophistication• More than 100 snooping HSDirs over the period of 72 days• Logged about 40000 visits to the honions• Wide range of probing, SQL injection, XSS, user enumeration• Some delay visits to avoid detection as a tradeoff• More than half of the malicious relays are hosted on cloud• Some cloud providers accept bitcoins as payment• These privacy infrastructures make the tracking
more difficult
A Sanatinia, G Noubir, "Honey Onions: a Framework for Characterizing and
Identifying Misbehaving Tor HSDirs”
IEEE Conference on Communications and Network Security (CNS), 2016
Problem Statement and Goals
Approach
Results
HOnions: Exposing Snooping Tor HSDirsAmirali Sanatinia
Northeastern University
1. Generate honions
hoi
hoj
2. Place honions on HSDirs3. Build bipartite graph
On visit, mark potential HSDirs
hoj
di
di+2
di+1
di
di+1
di+2
On visit, add to bipartite graph
Client
Hidden Service
IP
RP
HSDir
(1)
(2)(3)
(4)
(5)
(6)
(7)
• A framework to detect misbehaving Tor HSDir relays
• Each honion is a server program that logs visits
• Three schedules; daily, weekly, monthly (1500 per batch)
• Generate the bipartite graph of HSDirsand visited honions
• Identify the snooping HSDirs using the set cover problem
• NP-‐ Complete problem, Integer Linear Programming (ILP)