HOnions: Exposing Snooping Tor HSDirs - RSA Conference · HOnions: Exposing Snooping Tor HSDirs...
2
HOnions: Exposing Snooping Tor HSDirs Amirali Sanatinia, Northeastern University In the last decade, Tor proved to be a very successful and widely popular system to protect users’ anonymity. However, Tor remains a practical system with a variety of limitations, some of which were indeed exploited in the recent past. Tor’s security relies on the fact that a substantial number of its nodes do not misbehave. In this work, we introduce, the concept of honey onions, a framework to detect misbehaving Tor relays with HSDir capability. This allows to obtain lower bounds on misbehavior among relays. We propose algorithms to both estimate the number of snooping HSDirs and identify the most likely snoopers. Our experimental results indicate that during the period of the study (72 days) at least 110 such nodes were snooping information about hidden services they host. We reveal that more than half of them were hosted on cloud infrastructure and delayed the use of the learned information to prevent easy traceback. We introduce the concept of honey onions (honions) [1], to expose when a Tor relay with HSDir capability has been modified to snoop into the hidden services that it currently hosts. To automate the process of generating and deploying honions in a way that they cover a significant fraction of HSDirs, we developed several tools. A key constraint in this process was to minimize the number of deployed honions. This derives primarily from our desire to not impact the Tor statistics about hidden services (particularly given the recent surge anomaly). By considering the number of HSDirs (approximately 3000), we could infer that we need to generate around 1500 honions to cover all HSDirs with 0.95 probability. We used 1500 honions per batch (daily, weekly, or monthly) and could verify that 95% of the HSDirs were systematically covered. Figure 1, depicts the architecture of our system. Figure 1 Figure 2 In total, we detected at least 110 malicious HSDirs, and about 40000 visits. More than 70% of these HSDirs are hosted on Cloud infrastructure. Around 25% are exit nodes as compared to the average, 15% of all relays in 2016, that have both the HSDir and the Exit flags. This can be interesting for further investigation, since it is known that some Exit nodes are malicious and actively interfere with users’ traffic and perform active MITM attacks. Furthermore, 20% of the misbehaving HSDirs are, both exit nodes and are hosted on Cloud systems, hosted in Europe and Northern America. The top 5 countries are, USA, Germany, France, UK, and Netherlands. Figure 2, depicts the geolocation map of identified malicious HSDirs. Most of the visits were just querying the root path of the server and were automated. However, we identified less than 20 possible manual probing. Additionally, we detected other attack vectors, such as SQL injection, username enumeration, cross site scripting (XSS), and path traversal. References [1] A. Sanatinia and G. Noubir, "Honey Onions: a Framework for Characterizing and Identifying Misbehaving Tor HSDirs," in IEEE Conference on Communications and Network Security (CNS), 2016 1. Generate honions ho i ho j 2. Place honions on HSDirs 3. Build bipartite graph On visit, mark potential HSDirs ho j d i d i+2 d i+1 d i d i+1 d i+2 On visit, add to bipartite graph
Transcript of HOnions: Exposing Snooping Tor HSDirs - RSA Conference · HOnions: Exposing Snooping Tor HSDirs...
HOnions:ExposingSnoopingTorHSDirsAmiraliSanatinia,NortheasternUniversityIn the last decade, Tor proved to be a very successful and widely popular system to protect users’anonymity.However,Torremainsapracticalsystemwithavarietyof limitations,someofwhichwereindeedexploitedintherecentpast.Tor’ssecurityreliesonthefactthatasubstantialnumberofitsnodesdo notmisbehave. In this work, we introduce, the concept of honey onions, a framework to detectmisbehavingTorrelayswithHSDircapability.Thisallowstoobtainlowerboundsonmisbehavioramongrelays.WeproposealgorithmstobothestimatethenumberofsnoopingHSDirsand identifythemostlikelysnoopers.Ourexperimentalresultsindicatethatduringtheperiodofthestudy(72days)atleast110suchnodesweresnoopinginformationabouthiddenservicestheyhost.Werevealthatmorethanhalf of themwere hosted on cloud infrastructure and delayed the use of the learned information topreventeasytraceback.Weintroducetheconceptofhoneyonions(honions)[1],toexposewhenaTorrelaywithHSDircapabilityhasbeenmodifiedtosnoopintothehiddenservicesthatitcurrentlyhosts.ToautomatetheprocessofgeneratinganddeployinghonionsinawaythattheycoverasignificantfractionofHSDirs,wedevelopedseveral tools.A key constraint in thisprocesswas tominimize thenumberofdeployedhonions. ThisderivesprimarilyfromourdesiretonotimpacttheTorstatisticsabouthiddenservices(particularlygiventherecentsurgeanomaly).ByconsideringthenumberofHSDirs(approximately3000),wecouldinferthatweneedtogeneratearound1500honionstocoverallHSDirswith0.95probability.Weused1500honionsperbatch(daily,weekly,ormonthly)andcouldverifythat95%oftheHSDirsweresystematicallycovered.Figure1,depictsthearchitectureofoursystem.
Figure1 Figure2
Intotal,wedetectedatleast110maliciousHSDirs,andabout40000visits.Morethan70%oftheseHSDirsarehostedonCloudinfrastructure.Around25%areexitnodesascomparedtotheaverage,15%ofallrelaysin2016,thathaveboththeHSDirandtheExitflags.Thiscanbeinterestingforfurtherinvestigation,sinceitisknownthatsomeExitnodesaremaliciousandactivelyinterferewithusers’trafficandperformactiveMITMattacks.Furthermore,20%ofthemisbehavingHSDirsare,bothexitnodesandarehostedonCloudsystems,hostedinEuropeandNorthernAmerica.Thetop5countriesare,USA,Germany,France,UK,andNetherlands.Figure2,depictsthegeolocationmapofidentifiedmaliciousHSDirs.Mostofthevisitswerejustqueryingtherootpathoftheserverandwereautomated.However,weidentifiedlessthan20possiblemanualprobing.Additionally,wedetectedotherattackvectors,suchasSQLinjection,usernameenumeration,crosssitescripting(XSS),andpathtraversal.
References[1]A.SanatiniaandG.Noubir, "HoneyOnions:aFramework forCharacterizingand IdentifyingMisbehavingTorHSDirs,"inIEEEConferenceonCommunicationsandNetworkSecurity(CNS),2016
1. Generate honions
hoi
hoj
2. Place honions on HSDirs3. Build bipartite graph
On visit, mark potential HSDirs
hoj
di
di+2
di+1
di
di+1
di+2
On visit, add to bipartite graph
• Tor is a practical privacy infrastructure
• Tor’s security relies on the honest behavior of relays
• Tor clearly states HSDirs should not snoop on onion services
• The behavior of HSDirs has not been studied
• Question: How to detect the snooping HSDirs and estimate a lower bound on them?
• Malicious HSDirs have different level of sophistication• More than 100 snooping HSDirs over the period of 72 days• Logged about 40000 visits to the honions• Wide range of probing, SQL injection, XSS, user enumeration• Some delay visits to avoid detection as a tradeoff• More than half of the malicious relays are hosted on cloud• Some cloud providers accept bitcoins as payment• These privacy infrastructures make the tracking
more difficult
A Sanatinia, G Noubir, "Honey Onions: a Framework for Characterizing and
Identifying Misbehaving Tor HSDirs”
IEEE Conference on Communications and Network Security (CNS), 2016
Problem Statement and Goals
Approach
Results
HOnions: Exposing Snooping Tor HSDirsAmirali Sanatinia
Northeastern University
1. Generate honions
hoi
hoj
2. Place honions on HSDirs3. Build bipartite graph
On visit, mark potential HSDirs
hoj
di
di+2
di+1
di
di+1
di+2
On visit, add to bipartite graph
Client
Hidden Service
IP
RP
HSDir
(1)
(2)(3)
(4)
(5)
(6)
(7)
• A framework to detect misbehaving Tor HSDir relays
• Each honion is a server program that logs visits
• Three schedules; daily, weekly, monthly (1500 per batch)
• Generate the bipartite graph of HSDirsand visited honions
• Identify the snooping HSDirs using the set cover problem
• NP-‐ Complete problem, Integer Linear Programming (ILP)
