
Detecting Traffic Snooping in Tor Using Decoys

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6961)

Abstract

Anonymous communication networks like Tor partially protect the confidentiality of their users’ traffic by encrypting all intra-overlay communication. However, when the relayed traffic reaches the boundaries of the overlay network towards its actual destination, the original user traffic is inevitably exposed. At this point, unless end-to-end encryption is used, sensitive user data can be snooped by a malicious or compromised exit node, or by any other rogue network entity on the path towards the actual destination.

We explore the use of decoy traffic for the detection of traffic interception on anonymous proxying systems. Our approach is based on the injection of traffic that exposes bait credentials for decoy services that require user authentication. Our aim is to entice prospective eavesdroppers to access decoy accounts on servers under our control using the intercepted credentials. We have deployed our prototype implementation in the Tor network using decoy IMAP and SMTP servers. During the course of ten months, our system detected ten cases of traffic interception that involved ten different Tor exit nodes. We provide a detailed analysis of the detected incidents, discuss potential improvements to our system, and outline how our approach can be extended for the detection of HTTP session hijacking attacks.
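The detection step the abstract describes is a correlation problem: every bait credential is unique and leaves the Tor overlay in cleartext through exactly one exit relay, so any later authentication with it at the decoy server, other than the injector's own session, is evidence that the traffic was read on the path. The script below is an added illustration of that logic and is not the paper's code. It assumes a ledger that records which exit relay each bait credential was exposed through, a decoy-server authentication log in a constructed format, and an assumed two-minute window in which the injector's own login arrives from the exit relay; the relay fingerprints, addresses and log lines are constructed sample data.

```python
# Correlating bait-credential logins at a decoy mail server with Tor exit relays.
# Added example, not the paper's code. Assumed model: each bait credential is unique
# and was sent in cleartext through exactly one exit relay, so any login with it,
# other than our own injection session, shows the traffic was snooped.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class BaitCredential:
    username: str
    password: str
    exit_fingerprint: str  # relay the bait session was routed through
    exit_ip: str           # address our own decoy session arrived from
    exposed_at: datetime   # when the cleartext login left the relay

@dataclass(frozen=True)
class LoginEvent:
    timestamp: datetime
    service: str
    username: str
    password: str
    source_ip: str

@dataclass(frozen=True)
class Incident:
    exit_fingerprint: str
    service: str
    source_ip: str
    delay: timedelta        # time between exposure and misuse
    password_matched: bool  # False: only the username was reused

class BaitLedger:
    """Maps each unique bait username to the exit relay it was exposed through."""
    def __init__(self):
        self._creds = {}

    def register(self, cred):
        # Uniqueness (e.g. random usernames per injection) is what allows attribution.
        if cred.username in self._creds:
            raise ValueError("bait usernames must be unique")
        self._creds[cred.username] = cred

    def get(self, username):
        return self._creds.get(username)

def parse_login_line(line):
    """Parse the constructed log format '<ISO time> <service> user=.. pass=.. src=..'."""
    ts, service, rest = line.split(" ", 2)
    kv = dict(field.split("=", 1) for field in rest.split())
    return LoginEvent(datetime.fromisoformat(ts), service, kv["user"], kv["pass"], kv["src"])

OWN_SESSION_WINDOW = timedelta(minutes=2)  # assumed slack for our own decoy login

def is_own_session(cred, ev):
    """Our injection client logs in once, right after exposure, from the exit relay."""
    age = ev.timestamp - cred.exposed_at
    return ev.source_ip == cred.exit_ip and timedelta(0) <= age <= OWN_SESSION_WINDOW

def detect_interceptions(ledger, log_lines):
    incidents = []
    for line in log_lines:
        ev = parse_login_line(line)
        cred = ledger.get(ev.username)
        if cred is None or is_own_session(cred, ev):
            continue  # scanner noise on a non-bait account, or our own session
        incidents.append(Incident(cred.exit_fingerprint, ev.service, ev.source_ip,
                                  ev.timestamp - cred.exposed_at,
                                  ev.password == cred.password))
    return incidents

def incidents_by_exit(incidents):
    counts = {}
    for inc in incidents:
        counts[inc.exit_fingerprint] = counts.get(inc.exit_fingerprint, 0) + 1
    return counts

# Constructed sample data: placeholder fingerprints and documentation-range IPs.
EXIT_A, EXIT_B = "A" * 40, "B" * 40
SAMPLE_LOG = [
    "2011-03-14T10:20:05 imap user=bait-a7f3 pass=Qm3xT9vLwK2p src=198.51.100.4",  # own session
    "2011-03-14T11:00:03 smtp user=bait-c21e pass=Zr8nH4sYbE6d src=198.51.100.9",  # own session
    "2011-03-15T08:00:00 imap user=alice pass=hunter2 src=192.0.2.1",              # not a bait account
    "2011-03-19T10:20:00 imap user=bait-a7f3 pass=Qm3xT9vLwK2p src=198.51.100.4",  # same relay, days later
    "2011-03-20T02:41:17 imap user=bait-a7f3 pass=Qm3xT9vLwK2p src=203.0.113.77",  # reuse from elsewhere
    "2011-03-21T09:12:00 imap user=bait-a7f3 pass=guess123 src=203.0.113.77",      # username only
]

def demo():
    ledger = BaitLedger()
    ledger.register(BaitCredential("bait-a7f3", "Qm3xT9vLwK2p", EXIT_A,
                                   "198.51.100.4", datetime(2011, 3, 14, 10, 20)))
    ledger.register(BaitCredential("bait-c21e", "Zr8nH4sYbE6d", EXIT_B,
                                   "198.51.100.9", datetime(2011, 3, 14, 11, 0)))
    return detect_interceptions(ledger, SAMPLE_LOG)

if __name__ == "__main__":
    for inc in demo():
        print(inc)
    print(incidents_by_exit(demo()))
```

Two design points matter in practice. A login with a bait username but the wrong password is still reported, since the username itself was only ever visible in the intercepted session; and a login from the exit relay's own address is only treated as the injector's session when it arrives inside the assumed window, so credential reuse through the same relay days later is flagged rather than silently ignored.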



Editor information

Robin Sommer Davide Balzarotti Gregor Maier

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Chakravarty, S., Portokalidis, G., Polychronakis, M., Keromytis, A.D. (2011). Detecting Traffic Snooping in Tor Using Decoys. In: Sommer, R., Balzarotti, D., Maier, G. (eds) Recent Advances in Intrusion Detection. RAID 2011. Lecture Notes in Computer Science, vol 6961. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23644-0_12

  • DOI: https://doi.org/10.1007/978-3-642-23644-0_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-23643-3

  • Online ISBN: 978-3-642-23644-0

  • eBook Packages: Computer Science (R0)
