Honey Onions: Exposing Snooping Tor HSDir Relays
Guevara Noubir & Amirali Sanatinia {noubir,amirali}@ccs.neu.edu
Northeastern University
Motivations
• Previous research studied the maliciousness of the relays
  • Known bad Exit nodes
• Other work looked at the nature of hidden services content
• No prior work on the Hidden Service Directories (HSDirs)
• Indexing hidden services requires modification to Tor, which can be an indicator of some effort and potentially more malicious activities
Tor & Hidden Services
• A widely used practical anonymity infrastructure
• Provides anonymity for both the clients and the server through hidden services
• Depends on the honest behavior of the volunteering relays
• It is known that some relays are misbehaving (BadExit nodes)
• Some Exit nodes actively try to perform Man in the Middle Attacks (MITM)
• Not much is known about the HSDirs or Hidden Services in general
Hidden Service Directories (HSDir)
[Figure: the hidden service protocol between the Client, the Hidden Service, the Introduction Point (IP), the Rendezvous Point (RP) and the HSDir, with the message flow numbered (1) to (7)]
Ring of Responsible HSDirs
Honey Onions (HOnions)
• Each HOnion corresponds to a server/process
• Run on local IP address (Hidden Service)
• Accessible only through Tor and not shared anywhere
• Three schedules
  • Daily
  • Weekly
  • Monthly
• Log the requests for further investigation
HOnions Architecture
1. Generate honions
2. Place honions on HSDirs
3. Build bipartite graph
[Figure: HOnions ho_i and ho_j are placed on the responsible HSDirs d_i, d_{i+1}, d_{i+2}; on a visit, the potential HSDirs are marked and the corresponding edges are added to the bipartite graph]
Set Cover Problem
• $HSD = \{ d_i : \text{Tor relays with the HSDir flag} \}$
• $HO = \{ ho_j : \text{HOnions that were visited} \}$
• $V = HSD \cup HO$
• $E = \{ (ho_j, d_i) \in HO \times HSD : ho_j \text{ was placed on } d_i \text{ and was visited} \}$
• Find $S \subseteq HSD$ minimizing $|S|$ such that $\forall (ho_j, d_i) \in E,\ \exists\, d'_i \in S \wedge (ho_j, d'_i) \in E$
• The set cover is an NP-complete problem
• Can be calculated using approximation algorithms
• Set cover gives the lower bound on the number of snooping HSDirs
Heuristic Approach
• Input: $G(V, E)$: bipartite graph of HOnions to HSDirs
• Output: $S$: set explaining the visits
• $S \leftarrow \emptyset$
• while $V \cap HO \neq \emptyset$ do
  • Pick $d \in V \cap HSD$ with the highest degree
  • $S \leftarrow S \cup \{d\}$
  • $V \leftarrow V \setminus \{ d \text{ and its HOnion neighbors} \}$
• end
Integer Linear Programming (ILP)
• $\min_{(x_1, \dots, x_{|HSD|})} \sum_{i=1}^{|HSD|} x_i$
• subject to $\forall ho_j \in HO: \sum_{i : (ho_j, d_i) \in E} x_i \geq 1$
• Provides a lower bound on the number of snooping HSDirs to explain the visits
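As an added example (not the authors' code), the greedy heuristic and the exact lower bound run side by side over a constructed set of visit records; the names `VISITS`, `d1`..`d3` and `ho1`..`ho6` are constructed, and an exhaustive search stands in for the ILP solver so that it runs offline. The instance is chosen so that the heuristic over-counts, which is exactly why the exact lower bound matters.

```python
from itertools import combinations

# Constructed sample: one (honion, hsdir) pair per HSDir an HOnion was placed
# on. Every HOnion listed here was later visited, so each pair is an edge of E
# (assumption: only visited HOnions are recorded, as on the slides).
VISITS = [
    ("ho1", "d1"), ("ho1", "d3"),
    ("ho2", "d1"), ("ho2", "d3"),
    ("ho3", "d1"),
    ("ho4", "d2"), ("ho4", "d3"),
    ("ho5", "d2"), ("ho5", "d3"),
    ("ho6", "d2"),
]


def build_bipartite(visits):
    """Adjacency of the bipartite graph: honion -> set of HSDirs it sat on."""
    graph = {}
    for ho, d in visits:
        graph.setdefault(ho, set()).add(d)
    return graph


def greedy_set_cover(graph):
    """Heuristic from the slides: while unexplained HOnions remain, take the
    HSDir of highest degree among them and drop it with its HOnion neighbours."""
    unexplained = set(graph)   # V ∩ HO
    cover = []                 # S
    while unexplained:
        degree = {}
        for ho in unexplained:
            for d in graph[ho]:
                degree[d] = degree.get(d, 0) + 1
        best = max(sorted(degree), key=degree.get)  # sorted() fixes tie-breaks
        cover.append(best)
        unexplained = {ho for ho in unexplained if best not in graph[ho]}
    return cover


def min_set_cover(graph):
    """Exact minimum cover (the value the ILP yields), by exhaustive search.
    Viable only for small instances; a real run would hand this to an ILP solver."""
    hsdirs = sorted({d for ds in graph.values() for d in ds})
    for k in range(1, len(hsdirs) + 1):
        for cand in combinations(hsdirs, k):
            if all(graph[ho] & set(cand) for ho in graph):
                return list(cand)
    return []
```

On this instance the heuristic explains the visits with three HSDirs (d3, then d1 and d2), while two (d1 and d2) suffice, so reported counts should always be checked against the exact bound.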
Connectivity Graph
Snooping Behavior
• Wide variety of behavior
• Automated vs manual probing
• Aggressive, periodic probing
• Attempts to find vulnerabilities
  • SQL Injection
  • XSS
  • Path traversal
  • PHP Easter Eggs
  • Targeting Drupal and Ruby on Rails
Snoopers’ Most Likely Geolocation
Snoopers’ Identity
• Hard to identify the real entity behind the relays
• More than half of the HSDirs are hosted on cloud platforms
• The geolocations correspond to the location of the hosting platform and not necessarily the entity running them
• A number of cloud platforms are located in countries with stronger privacy protection for customers
• Some cloud platforms accept payments over Bitcoin, making it even harder to identify the real actors
Conclusion
• Honey Onions (HOnions) is a framework to detect snooping HSDirs
• Provides a lower bound on such relays
• Tor relies on the honest behavior of the volunteering relays
• The detection, identification and mitigation of misbehaving relays helps to improve the privacy and security of Tor
• This work is an addition to the previous body of work focusing on detection of misbehaving Tor relays