Upload File

exposing snooping in tor by hsdir relays · 2016-10-12 · 1. generate honions ho i ho j 3. build...

  • Home
  • Documents
  • Exposing Snooping in Tor by HSDir Relays · 2016-10-12 · 1. Generate honions ho i ho j 3. Build bipartite graph 2. Place honions on HSDirs On visit, mark potential HSDirs ho j d
1
Motivation Tor’s security relies on the honest behavior of relays Tor clearly states HSDirs should not snoop on onion services The behavior of HSDirs has not been studied Question: How to detect the snooping HSDirs and estimate a lower bound on them? Amirali Sanatinia , Guevara Noubir Northeastern University References 1) A. Sanatinia, G. Noubir, “Honey Onions: a Framework for Characterizing and Identifying Misbehaving Tor HSDirs”, IEEE Conference on Communications and Network Security (CNS), 2016 2) P. Winter, R. Kower, M. Mulazzani, M. Huber, S. Schrittwieser, S. Lindskog, E. Weippl, “Spoiled Onions: Exposing Malicious Tor Exit Relays”, Privacy Enhancing Technologies Symposium (PETS), 2015 A typical graph representation of the visited honions, and the hosting HSDirs. Tor Provides anonymity and privacy for users Hidden Services protect the anonymity of the servers 1. Generate honions ho i ho j 2. Place honions on HSDirs 3. Build bipartite graph On visit, mark potential HSDirs ho j d i d i+2 d i+1 d i d i+1 d i+2 On visit, add to bipartite graph The global map of detected misbehaving HSDirs and their most likely geographic origin. Exposing Snooping in Tor by HSDir Relays Honey Onions (HOnions) A framework to detect misbehaving Tor HSDir relays Each honion is a server program that logs visits Three schedules; daily, weekly, monthly (1500 per batch) Generate the bipartite graph of HSDirs and visited honions Identify the snooping HSDirs using the set cover problem NP- Complete problem Integer Linear Programming (ILP) Client Hidden Service IP RP HSDir (1) (2) (3) (4) (5) (6) (7) Flow diagram of the honion system. When a visit happens to one of the honions, after identifying the potential suspicious HSDirs, we add them to the bipartite graph. Hidden Services architecture. Results Identified more than 100 snooping HSDirs over the period of 72 days Logged about 40000 visits to the honions Wide range of probing, SQL injection, XSS, user enumeration, etc. More than 70% of the snoopers hosted on cloud, 25% were also exit nodes Top countries: USA, Germany, France, United Kingdom, and Netherlands The snoopers have adapted their techniques and increased their sophistication Conclusion and Future Work Malicious HSDirs have different level of sophistication Some delay visits to avoid detection as a tradeoff More than half of the misbehaving relays are hosted on cloud Some cloud providers accept bitcoins as payment These privacy infrastructures make the tracking more difficult The new trend of visits. The snoopers are delaying their visits to avoid identification.

Upload: others

Post on 23-May-2020

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Exposing Snooping in Tor by HSDir Relays · 2016-10-12 · 1. Generate honions ho i ho j 3. Build bipartite graph 2. Place honions on HSDirs On visit, mark potential HSDirs ho j d

Motivation• Tor’s security relies on the honest behavior of relays• Tor clearly states HSDirs should not snoop on onion services• The behavior of HSDirs has not been studied

Question: How to detect the snooping HSDirs and estimate a lower bound on them?

Amirali Sanatinia, Guevara NoubirNortheastern University

References1) A. Sanatinia, G. Noubir, “Honey Onions: a Framework for Characterizing and Identifying Misbehaving Tor

HSDirs”, IEEE Conference on Communications and Network Security (CNS), 20162) P. Winter, R. Kower, M. Mulazzani, M. Huber, S. Schrittwieser, S. Lindskog, E. Weippl, “Spoiled Onions:

Exposing Malicious Tor Exit Relays”, Privacy Enhancing Technologies Symposium (PETS), 2015

Atypicalgraphrepresentationofthevisitedhonions,andthehostingHSDirs.

Tor• Provides anonymity and privacy for users• Hidden Services protect the anonymity of the servers

1. Generate honions

hoi

hoj

2. Place honions on HSDirs3. Build bipartite graph

On visit, mark potential HSDirs

hoj

di

di+2

di+1

di

di+1

di+2

On visit, add to bipartite graph

TheglobalmapofdetectedmisbehavingHSDirs andtheirmostlikelygeographicorigin.

Exposing Snooping in Tor by HSDir Relays

Honey Onions (HOnions)• A framework to detect misbehaving Tor HSDir relays• Each honion is a server program that logs visits• Three schedules; daily, weekly, monthly (1500 per batch)• Generate the bipartite graph of HSDirs and visited honions• Identify the snooping HSDirs using the set cover problem• NP- Complete problem• Integer Linear Programming (ILP)

Client

Hidden Service

IP

RP

HSDir

(1)

(2)(3)

(4)

(5)

(6)

(7)

Flowdiagramofthehonion system.Whenavisithappenstooneofthehonions,afteridentifyingthepotentialsuspiciousHSDirs,weaddthemtothebipartitegraph.

HiddenServicesarchitecture.

Results• Identified more than 100 snooping HSDirs over the period of 72 days• Logged about 40000 visits to the honions• Wide range of probing, SQL injection, XSS, user enumeration, etc.• More than 70% of the snoopers hosted on cloud, 25% were also exit nodes• Top countries: USA, Germany, France, United Kingdom, and Netherlands• The snoopers have adapted their techniques and increased their sophistication

Conclusion and Future Work•Malicious HSDirs have different level of sophistication• Some delay visits to avoid detection as a tradeoff•More than half of the misbehaving relays are hosted on cloud• Some cloud providers accept bitcoins as payment• These privacy infrastructures make the tracking more difficult

Thenewtrendofvisits.Thesnoopersaredelayingtheirvisitstoavoididentification.

A Ho-Ho-HolyNight

Santa Ho Ho

Ho Ho Ho Happy Holidays! - Workspace - Imperial College London

HOnions: Exposing Snooping Tor HSDirs - RSA Conference · HOnions: Exposing Snooping Tor HSDirs Amirali Sanatinia, Northeastern University In the last decade, Tor proved to be a very

Holy, Holy, Holy John B. Dykes - Amazing Factsmanna.amazingfacts.org/.../Holy-Holy-Holy.pdf · Holy, Holy, Holy-ly,-ly,-ly,-ly, Bm ho ho ho ho-ly,-ly,-ly,-ly, A ho ho ho ho D - ly!

LPP Happy Day Everyday lyrics - Yancy€¦ · So clap your hands And wave your arms Play the drums Then rock the guitar Hosanna Ho, ho hosanna Hosanna Ho, ho hosanna Hosanna Ho, ho

Kal ho na ho screen grabs

HOPPING AROUND FROM PLACE TO PLACEfolkways-media.si.edu/liner_notes/smithsonian_folkways_special/SFS... · yo ho ho tra la la la yo ho ho tra la la la yo ho tra la la la yo ho ho

Ho Ho Ho Merry Christmas€¦ · Ho Ho Ho Merry Christmas Reindeer Lane • The North Pole r r r r. Title: Free-Santa-Letter-©LivingLocurto Author: Amy Locurto Subject: Free Printable

BOROUGH OF HO-HO-KUS3CE9DD32-C41A-4F77-920B... · Borough of Ho-Ho-Kus Master Plan Update 2013 Prepared by the Ho-Ho-Kus Planning Board and Burgis Associates, Inc. 3 COMMUNITY PLANNING

Ho Ho Ho} :D Magazine 2nd : August 2010

"Ho-Ho-Ho, Help Me, Its the Holidays! Dealing with the Stress!"

Ho, ho, Watanay Ho, ho, Watanay Ho, ho, Watanay Ki-yo-ki-na Ki-yo-ki-na Let us begin with a song…

Ho Ho Parade Route

Experience the frenzy of the holidays with the HO! HO! HO

Kerala Post | Home · 2017. 1. 15. · APM, Kannur HO APM, Koliam HO APMSB), Olavakkot HO SPM, Panoor APM, Calicut HO APM, Calicut HO DPM(SB), Tiruvalla HO APM, Poojapura HO ... RTA

HOBART 600 OVER 1200 $ 4830.00 HO - 1 599 Merged with HO ... · HO - 21 485 NO ACTION - BOUNDARIES/SIZE L HO - 22 592 Merged with HO- 17= 1142 Voters HO -23 531 Merged with HO - 12

4-HO-MiPT, Buy 4-HO-MiPT, 4-HO-MiPT supplier

Understanding Tor Usage with Privacy-Preserving …...or “HSDirs”). The DHT is indexed by the descriptor ID, which is derived from the public key. The address of the service is

BOROUGH OF HO-HO-KUSho-ho-kusboro.com/vertical/sites/{3CE9DD32-C41A-4F77-920B...Borough of Ho-Ho-Kus Master Plan Update 2013 Prepared by the Ho-Ho-Kus Planning Board and Burgis Associates,

12 Favorite Christmas Songs · 2020. 11. 11. · Christmas joys Ho Ho Ho Who wouldn’t go Ho Ho Ho Who wouldn’t go Up on the housetop Click Click Click Down thru the chimney With

Cellulose Based Hydrogels and Absorbentsbiorefinery.utk.edu/.../Siam_Paper_Tying_Cellulose_Whiskers_Lee.pdf · HO OH OH OH OH O HO O HOO O HO O HO O O O O O O O O O HO HO HO O O OH

Ho Ho Ho Heroes Bash Ue

Ho-Ho-Ho! - Faithfully Gluten Free€¦ · Page 1 of 85 All Recipes Courtesy Jeanine Friesen ©2013 - TheBakingBeauties.com Recipes are to be used for personal use only. Ho-Ho-Ho!

Phytochemical Composition and Chronic Hypoglycemic …Evidence-BasedComplementaryandAlternativeMedicine HO OH O O OH R O O HO OH OH HO O OH O O OH OH O O O O OH HO OH OH HO HO HO O

Jiun Ho , , , Jiun Ho Jiun rJiun Ho , Jiun , Jiun , (Began ...jiunho.com/uploads/cms/posts/documents/2d32cc7... · Jiun Ho , , , Jiun Ho Jiun rJiun Ho , Jiun , Jiun , (Began) (415)

Ho, ho, Watanay Ho, ho, Watanay Ho, ho, Watanay Ki-yo-ki-na Ki-yo-ki-na

wvguitarclub.weebly.com · KUNG Bm7 hoo. Bm7 FIGHTING Oh Oh Words and Music by CARL DOUGLAS Em7 hoo. Em7 hoo. Those cats were ho ho ho ho ho Oh ho ho ho hoo. Modera tely Ev-'ry-bod-y

How To Incorporate Bilingual Mass · ria. est. est. Ho Ho - Ho--œ. œj œjœ œj san san san na, na, na, ho ho ho san san san j œ œ.

Merry ChristMas! · Merry Christmas to all… HO HO HO… STMAS

Me N HO HO OH - Europa

Mise en page 1 - biolovision.netfiles.biolovision.net/ · S M/HO M/HO MR M/HO SR MO MO HO SR M/HO MR/HO M/HO M/HO M/HR M/HPC MC/HPC M/HO STC M/HO MR/HO Statut migr./hiv. 2000-2014

From the Gavel, 2012 “HO HO HO” - VE3MIS · 2012-12-12 · VE3MIS/VE3RCX Volume 15.12 - Page 1 of 8 December, 2012 27 Years, in the making From the Gavel, 2012 “HO HO HO”

Ho! Ho! Ho! There’s a on Our Roof Eating Christmas …...Ho! Ho! Ho! There’s a Hippopotamus on Our Roof Eating Christmas Cake Edwards • Niland Share all the joy and fun of preparing

P ersonality Development Seminar ha Ha ha ho Ha ho ha ho