-
MeasuringandMitigatingAS-levelAdversariesAgainstTor
RishabNithyanand
OleksiiStarov
PhillipaGill
MichaelSchapira
AdvaZair
-
Network-levelTrafficCorrelationAttacks
Source
Entry Exit
ASRouter
Des0na0on
Internetrou,ngisasymmetric.Source->Entry!=Entry->Source
RAPTOR(USENIXSecurity2015):AnyASon(SourceàEntryOREntryàSource)AND(ExitàDestORDestàExit)
isinaposi,ontolaunchatrafficcorrela,onaMack
-
MeasuringNetwork-levelAdversaries
Goal:Quan,fythethreatfromnetwork-leveladversaries
Approach:Iden,fyASesonA,B,C,andD• ADV={(𝐴 ∪𝐵) ∩(𝐶 ∪𝐷)}
Challenge:TraceroutesonlyletusobtainA
Source Des0na0onEntry Exit
A C
B D
-
MeasuringNetwork-levelAdversariesOurApproach:Sphericalcows!•
Makeassump,onsaboutInternetrou,ng.•
ObtainapproximateAS-levelpaths.
Approxima0ngASesonapath(offline):•
ASTopology:36KASes+126Krela,onships•
Useinter-ASrela,onships(customer,peer,provider)todecidewhetheranASwillrouteviaanother•
Rou,ngthroughcustomers>peers>providers,thenprefershortestpaths
• Iftherearemul,pleop,ons,weconsiderallofthem•
(seepaperforvalida,on)
-
MeasuringNetwork-levelAdversaries
10Countries:BR,CN,DE,ES,FR,GB,IR,IT,RU,US200websites/country:LocalAlexaT-100+100Ci,zenLabsensi,vepagesAdversaries:Network-level,colludingnetwork-level(seepaper),andstate-level
-
MeasuringNetwork-levelAdversaries
0
20
40
60
80
100
BR CN DE ES FR GB IR IT RU US All
Web
site
s At
tack
ed (%
)
Country
Main circuit Any circuit
Frac0o
nofweb
sitesw
ith
vulnerab
lecirc
uits
HowvulnerableisvanillaTor?MainCircuit:Circuitcarryingfirst“GET”requestisvulnerableAnyCircuit:Circuitcarryinganyrequestisvulnerable
Network-levelAdversary
Frac0o
nofweb
sitesw
ith
vulnerab
lecirc
uits
State-levelAdversary
0 20 40 60 80
100
BR CN DE ES FR GB IR IT RU US AllWeb
site
s A
ttac
ked
(%)
Country
Main circuit Any circuit
-
MeasuringNetwork-levelAdversaries
CanAS-awarerelayselec0onhelp?•
>20000(source,des,na,on)ASpairsineachcountry•
Consider1000*1000available(entry,exit)pairs•
Whatfrac0onofthe20000(source,des0na0on)pairshaveat
mostx%oftheir1million(entry,exit)pairssafefromnetwork-levelthreats?
BAD
GOOD
YES!
-
Astoria:ThisAS-awareTorclientisalright
1.Convert(source,des,na,on)IPstoASNs
2.Compute“safe-op,ons”fromall|entry-guard|*|legal-exits|op,ons
3.Selectoneofthe“safe-op,ons”4.Constructandusecircuit
MeasurementToolkit
IP-ASNDatabase
OFFLINE
Whatiftherearenosafeop0ons?AstoriausesanLPtominimizenumberofcircuitsthatarevulnerabletoanysingleadversary.(seepaper)
-
Astoria:SecurityEvaluation
Network-levelAdversary
any:53%->8%main:37%->3%
State-levelAdversary
any:88%->34%main:82%->27%
-
Astoria:PerformanceEvaluation
Page-load0mesTor:5.9sec
Astoria:8.3secUniform:15.6sec
LoadbalancingSimilartoTor*
0
0.2
0.4
0.6
0.8
1
0 5 10 15 20 25 30
Cum
ulat
ive
Prob
abili
ty
Page Load Time (sec)
AstoriaVanilla Tor
Uniform Tor
0
0.2
0.4
0.6
0.8
1
0 2 4 6 8 10 12 14
Cum
ulat
ive
Prob
abili
ty
Relay Bandwidth (MB/s)
Available relaysPerfect load balancing client
AstoriaVanilla Tor
Uniform Tor
-
Conclusions•
Offlinepath-predic,ontoolkittomeasureTorvulnerability•
SignificantlybeMersecurityagainstnetwork-leveladversaries•
Cutsnumberofvulnerablewebsitestolessthan1/4th•
Effec,velydealswithworst-casesitua,ons
• Loadbalancing:SimilartoTor•
Page-load,mes:BeMerthanuniform,worsethanTor•
Mainproblem:Cannotpre-buildcircuitslikeTor
• Arguablyweakeragainstrelay-leveladversaries(seepaper)
