
Spying in the Dark: TCP and Tor Traffic Analysis

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 7384)

Abstract

We show how to exploit side-channels to identify clients without eavesdropping on the communication to the server, and without relying on known, distinguishable traffic patterns. We present different attacks, utilizing different side-channels, for two scenarios: a fully off-path attack detecting TCP connections, and an attack detecting Tor connections by eavesdropping only on the clients.

Our attacks exploit three types of side channels: globally-incrementing IP identifiers, used by some operating systems, e.g., Windows; packet processing delays, which depend on TCP state; and bogus-congestion events, which reduce TCP's throughput via its congestion control mechanism. Our attacks can (optionally) also benefit from sequential port allocation, as deployed, e.g., in Windows and Linux. The attacks are practical: we present results of experiments for all attacks in different network environments and scenarios. We also present countermeasures for these attacks.
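To make the first side channel concrete, the following added example (not code from the paper) classifies a host's IP Identification counter from a capture of its own outgoing packets, so a defender can tell whether the host shares one counter across all destinations; the captures and addresses below are constructed.

```python
"""Classify how a host generates the 16-bit IP Identification field.

A single counter shared by all destinations ('global') means the step between
two IDs seen by one observer reveals how many packets the host sent to anyone
in between; per-destination or random IDs do not leak this. Samples are
constructed, not captured.
"""
from collections import defaultdict
from typing import List, Tuple

IPID_MODULUS = 1 << 16  # the Identification field is 16 bits, so counters wrap


def ipid_deltas(ids: List[int]) -> List[int]:
    """Step between consecutive IDs, modulo 2^16, so a wrap such as
    65535 -> 2 is the small step 3 rather than a large negative number."""
    return [(b - a) % IPID_MODULUS for a, b in zip(ids, ids[1:])]


def is_sequential(ids: List[int], max_step: int = 64) -> bool:
    """True when every step is a small positive increment (1..max_step);
    max_step leaves room for packets the capture did not see."""
    return len(ids) > 1 and all(1 <= d <= max_step for d in ipid_deltas(ids))


def classify_ipid(packets: List[Tuple[str, int]]) -> str:
    """packets: (destination, IP ID) pairs in the order the host sent them.
    Returns 'global', 'per-destination', 'constant' or 'random'."""
    ids = [ipid for _, ipid in packets]
    if len(set(ids)) == 1:
        return "constant"          # e.g. ID fixed at 0 on DF-set packets
    if is_sequential(ids):
        return "global"            # one counter shared by all destinations
    by_dst = defaultdict(list)
    for dst, ipid in packets:
        by_dst[dst].append(ipid)
    if all(len(g) < 2 or is_sequential(g) for g in by_dst.values()):
        return "per-destination"   # each peer sees its own counter
    return "random"


def packets_leaked_between(first: int, second: int) -> int:
    """For a 'global' host: packets sent to anyone between two IDs that one
    party observed. This count is what the side channel exposes."""
    return (second - first) % IPID_MODULUS - 1


# Constructed captures: (destination, IP ID) in send order.
GLOBAL_HOST = [("10.0.0.5", 65534), ("10.0.0.9", 65535), ("10.0.0.5", 0),
               ("10.0.0.7", 1), ("10.0.0.5", 2)]
PER_DST_HOST = [("10.0.0.5", 100), ("10.0.0.9", 7000), ("10.0.0.5", 101),
                ("10.0.0.7", 300), ("10.0.0.5", 102), ("10.0.0.9", 7001)]
RANDOM_HOST = [("10.0.0.5", 41233), ("10.0.0.9", 9), ("10.0.0.5", 60001),
               ("10.0.0.7", 1289), ("10.0.0.5", 30777)]
```

A host classified as `global` is the one the randomization countermeasure targets; running `classify_ipid` over a real capture (destination and ID fields of outgoing packets) gives the same verdict.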




Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gilad, Y., Herzberg, A. (2012). Spying in the Dark: TCP and Tor Traffic Analysis. In: Fischer-Hübner, S., Wright, M. (eds) Privacy Enhancing Technologies. PETS 2012. Lecture Notes in Computer Science, vol 7384. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31680-7_6


  • DOI: https://doi.org/10.1007/978-3-642-31680-7_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-31679-1

  • Online ISBN: 978-3-642-31680-7

  • eBook Packages: Computer Science (R0)
