Abstract
We show how to exploit side channels to identify clients without eavesdropping on the communication to the server, and without relying on known, distinguishable traffic patterns. We present different attacks, utilizing different side channels, for two scenarios: a fully off-path attack detecting TCP connections, and an attack detecting Tor connections by eavesdropping only on the clients.
Our attacks exploit three types of side channels: globally incrementing IP identifiers, used by some operating systems, e.g., Windows; packet processing delays, which depend on TCP state; and bogus congestion events, which affect TCP's throughput via TCP's congestion control mechanism. Our attacks can optionally also benefit from sequential port allocation, e.g., as deployed in Windows and Linux. The attacks are practical: we present results of experiments for all attacks in different network environments and scenarios. We also present countermeasures for these attacks.
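To illustrate the first side channel named above, here is an added simulation (not code from the paper) of how a host's choice of IP identification scheme determines what an off-path observer can learn: a single globally incrementing counter reveals how many datagrams the host sent to other peers between two probes, while per-destination counters or unpredictable IDs (the countermeasures) do not. The host model, the "observer"/"peer" names and the trial counts are constructed for this example.

```python
import random

class IpIdHost:
    """Constructed model of how a host allocates the IPv4 identification field.

    "global": one counter shared by all destinations (the behaviour the
    abstract attributes to some operating systems, e.g. Windows);
    "per_dst": one counter per destination; "random": unpredictable per
    datagram. The last two are the countermeasures this model compares."""

    def __init__(self, mode, seed=1):
        self.mode = mode
        self.global_counter = 0
        self.dst_counters = {}
        self.rng = random.Random(seed)

    def send(self, dst):
        """Return the IP ID stamped on a datagram sent to dst."""
        if self.mode == "global":
            self.global_counter = (self.global_counter + 1) & 0xFFFF
            return self.global_counter
        if self.mode == "per_dst":
            self.dst_counters[dst] = (self.dst_counters.get(dst, 0) + 1) & 0xFFFF
            return self.dst_counters[dst]
        return self.rng.randrange(0x10000)

def estimate_hidden_traffic(host, hidden_packets, observer="observer"):
    """Off-path observer: probe the host, wait while it sends hidden_packets
    datagrams to other peers, probe again, and estimate that count from the
    gap between the two IP IDs it received (minus its own second reply)."""
    first = host.send(observer)
    for i in range(hidden_packets):
        host.send("peer-%d" % (i % 3))
    second = host.send(observer)
    return (second - first - 1) & 0xFFFF

def leak_fraction(mode, trials=20):
    """Fraction of trials in which the observer's estimate equals the true
    number of datagrams the host sent elsewhere; 1.0 means the IP ID field
    fully reveals the host's other activity to an off-path observer."""
    hits = 0
    for hidden in range(1, trials + 1):
        host = IpIdHost(mode, seed=hidden)
        hits += estimate_hidden_traffic(host, hidden) == hidden
    return hits / trials

if __name__ == "__main__":
    for mode in ("global", "per_dst", "random"):
        print(mode, leak_fraction(mode))
```

A real host also sends its own background traffic, so a practical observer must repeat probes and filter noise; the simulation isolates only the counter behaviour that makes the channel exist.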
© 2012 Springer-Verlag Berlin Heidelberg
Gilad, Y., Herzberg, A. (2012). Spying in the Dark: TCP and Tor Traffic Analysis. In: Fischer-Hübner, S., Wright, M. (eds) Privacy Enhancing Technologies. PETS 2012. Lecture Notes in Computer Science, vol 7384. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31680-7_6
DOI: https://doi.org/10.1007/978-3-642-31680-7_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31679-1
Online ISBN: 978-3-642-31680-7