In this section, we will look at the Low-Cost Attack [8] on Tor, described in (Murdoch & Danezis 2005). The term low-cost attack means that for an attacker to succeed, it is enough to be able to observe only part of the network, for example, to be one of the Tor nodes. Murdoch and Danezis showed that Tor is vulnerable to a variant of timing attack that does not go beyond its threat model. They refuted the claim that anonymity in Tor could not be violated without the help of a global passive observer.
The main idea is to exploit a seemingly unavoidable constraint of all low-latency anonymizing systems: time. The purpose of the attack is to determine which nodes are currently being used to build Tor chains. If successful, the attack seriously damages Tor's anonymizing properties. The authors confirm their theoretical calculations with the results of real experiments. In the end, they conclude that all low-latency anonymizing networks are subject to the attack, including Tarzan and MorphMix.
Idea of the attack
The attack is based on the fact that low-latency systems cannot afford to introduce any delays into the stream. Thus, the timing pattern of the packets is preserved along the entire chain. The attack was made possible by the fact that the Tor developers considered the appearance of a global passive observer on the network implausible. This situation was not considered and was not part of the threat model. However, the low-cost attack exposed the flaw in the developers' reasoning and showed that Tor is still vulnerable to some variants of timing attacks.
Indeed, the attacker does not see all the connections in the network. But nothing prevents him from acting as one of the Tor nodes and measuring the delays between himself and all the other nodes. Knowing these delays, he can indirectly estimate the amount of traffic that each node carries at each point in time. Then, knowing how traffic is distributed over time for all the nodes of the network, he can use the technique from (Danezis 2004) to make fairly good guesses about which nodes carry traffic with the same characteristics. In other words, he can identify anonymizing chains.
The Tor architecture facilitates the attack. A Tor node allocates a separate buffer for each connection, and the buffers are processed in round-robin fashion*. If a buffer contains no stream, it is skipped and processing moves on to the next buffer. Note that mixing has been removed for performance reasons. As a result,
- when a new connection is established,
- or an existing connection is removed,
- or the traffic in a current connection changes,
the load (the volume of transmitted traffic) on the Tor node changes. This is reflected in the speed of its responses to other nodes that already have, or want to establish, a connection with it. For the same reasons, the load changes on other Tor nodes. It turns out that a change in the traffic load on one Tor node is reflected in the load of the nodes connected to it. Consequently, nodes in the same chain will have similar patterns of load distribution over time. Note that a change in traffic load may be caused not only by the events described above, but also by factors internal to the Tor node, such as CPU load; such delays are not taken into account and may reduce the effectiveness of the attack.
Attack participants
For a successful attack, an attacker just needs to be one of the clients of the Tor network. Such a node is called a malicious node or a probe (node).
Attack model
The main stages of the attack:
- The malicious Tor node establishes connections with other Tor nodes to measure delays in these connections.
- A malicious Tor node monitors delays in all these connections for some time.
- Measurements of delays are used to estimate the volume of traffic transmitted by each Tor node (traffic loads on Tor nodes) with which the malicious node has a connection.
- Based on the traffic volumes, traffic patterns are derived.
- Once the attacker knows the traffic patterns of all the nodes, he can carry out the attack (Danezis 2004, Levine et al. 2004).
The attack is even more effective if the attacker controls the server to which the Tor user connects. In this case there is no need to identify the traffic pattern, because the attacker can modify the traffic himself so that it is easy to detect. The purpose of the attack is to discover the path between the victim's client node and the captured server. This reduces the anonymizing ability of the system to that of an ordinary proxy. As a result, the authors conclude that the attack will be effective against all low-latency anonymizing systems, including Tarzan and MorphMix.
In the next section, we check this statement and show that it is true only if certain conditions are met. Figure 5 shows the attack model, and Table 6 shows its algorithm.

Figure 4. Model of low-cost timing-attack on Tor.

Figure 5. Algorithm of low-cost attack.
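
The coupling between a node's load and a probe's latency described in this section, as a toy simulation added here (it is not code from the paper or from Tor): each relay makes one round-robin pass over its buffers per tick, the probe's cell is served last, and the probe's latency series is correlated with a known on/off traffic pattern. The relay names, arrival rates and the `skip_empty=False` contrast are constructed assumptions for illustration.

```python
import random

def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant (no signal)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / (sxx * syy) ** 0.5

def probe_latencies(pattern, carries_stream, rng, skip_empty=True, background=3):
    """One relay: probe latency per tick, in cell slots of one round-robin pass."""
    pending = [0] * (background + 1)   # [0] = observed stream, rest = unrelated connections
    latencies = []
    for on in pattern:
        if on and carries_stream:
            pending[0] += 1
        for i in range(1, len(pending)):
            if rng.random() < 0.2:     # unrelated traffic arrives in 2-cell bursts
                pending[i] += 2
        slots = 1                      # the probe's own cell, served last in the pass
        for i, cells in enumerate(pending):
            if cells:
                pending[i] -= 1        # one cell per non-empty buffer per pass
                slots += 1
            elif not skip_empty:
                slots += 1             # constructed contrast: empty buffer still costs a slot
        latencies.append(slots)
    return latencies

def rank_relays(relays, circuit, ticks=2000, skip_empty=True):
    """Correlate a known on/off pattern with each relay's probe latency series."""
    prng = random.Random(2005)
    pattern = [int(prng.random() < 0.5) for _ in range(ticks)]
    scores = {}
    for idx, name in enumerate(relays):
        rng = random.Random(100 + idx)  # independent background load per relay
        lat = probe_latencies(pattern, name in circuit, rng, skip_empty)
        scores[name] = pearson(pattern, lat)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

RELAYS = ["R0", "R1", "R2", "R3", "R4", "R5"]  # constructed relay names
CIRCUIT = {"R1", "R3", "R4"}                    # constructed: relays carrying the stream

if __name__ == "__main__":
    for name, r in rank_relays(RELAYS, CIRCUIT):
        print(f"{name}: r={r:+.2f}")
```

With `skip_empty=False` every pass takes the same number of slots, so the correlation is 0 for every relay: in this model the signal exists only because empty buffers are skipped.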
Translator's note [8]: "Low-cost attack" in this context is a proper name.
* For an explanation of round-robin fashion, see the introduction.