Abstract
Low-latency anonymity systems such as Tor, AN.ON, Crowds, and Anonymizer.com aim to provide anonymous connections that are both untraceable by “local” adversaries who control only a few machines and have low enough delay to support anonymous use of network services like Web browsing and remote login. One consequence of these goals is that these services leak some information about the network latency between the sender and one or more nodes in the system. We present two attacks on low-latency anonymity schemes using this information. The first attack allows a pair of colluding Web sites to predict with high confidence, based on local timing information and with no additional resources, whether two connections from the same Tor exit node are using the same circuit. The second attack requires more resources but allows a malicious Web site to gain several bits of information about a client each time he visits the site. We evaluate both attacks against two low-latency anonymity protocols—the Tor network and the MultiProxy proxy aggregator service—and conclude that both are highly vulnerable to these attacks.