Shining Light in Dark Places: Understanding the Tor Network

Damon McCoy¹, Kevin Bauer¹, Dirk Grunwald¹, Tadayoshi Kohno², and Douglas Sicker¹

¹ Department of Computer Science, University of Colorado, Boulder, CO 80309-0430, USA
{mccoyd,bauerk,grunwald,sicker}@colorado.edu
² Department of Computer Science and Engineering, University of Washington, Seattle, WA 98195-2969, USA
yoshi@cs.washington.edu

N. Borisov and I. Goldberg (Eds.): PETS 2008, LNCS 5134, pp. 63–76, 2008.

Abstract. To date, there has yet to be a study that characterizes the usage of a real deployed anonymity service. We present observations and analysis obtained by participating in the Tor network. Our primary goals are to better understand Tor as it is deployed and, through this understanding, propose improvements. In particular, we are interested in answering the following questions: (1) How is Tor being used? (2) How is Tor being mis-used? (3) Who is using Tor? To sample the results, we show that web traffic makes up the majority of the connections and bandwidth, but non-interactive protocols consume a disproportionately large amount of bandwidth when compared to interactive protocols. We provide a survey of how Tor is being mis-used, both by clients and by Tor router operators. In particular, we develop a method for detecting exit router logging (in certain cases). Finally, we present evidence that Tor is used throughout the world, but router participation is limited to only a few countries.

1 Introduction

Tor is a popular privacy enhancing system that is designed to protect the privacy of Internet users from traffic analysis attacks launched by a non-global adversary [1]. Because Tor provides an anonymity service on top of TCP while maintaining relatively low latency and high throughput, it is ideal for interactive applications such as web browsing, file sharing, and instant messaging. Since its initial development, researchers have analyzed the system's performance [2] and security properties [3,4,5,6,7]. However, there has yet to be a study aimed at understanding how a popular deployed privacy enhancing system is used in practice. In this work, we utilize observations made by running a Tor router to answer the following questions:

How is Tor being used? We analyze application layer header data relayed through our router to determine the protocol distribution in the anonymous network. Our results show the types of applications currently used over Tor, a substantial amount of which is non-interactive traffic. We discover that web traffic makes up the vast majority of the connections through Tor, but BitTorrent traffic consumes a disproportionately large amount of the network's bandwidth. Perhaps surprisingly, protocols that transmit passwords in plain-text are fairly common, and we propose simple techniques that attempt to protect users from unknowingly disclosing such sensitive information over Tor.

How is Tor being mis-used? To explore how Tor is currently being misused, we examine both malicious router and client behaviors. Since insecure protocols are common in Tor, there is a potential for a malicious router to gather passwords by logging exit traffic. To understand this threat, we develop a method to detect when exit routers are logging traffic, under certain conditions. Using this method, we did, in fact, catch an exit router capturing POP3 traffic (a popular plain-text e-mail protocol) for the purpose of compromising accounts. Running a router with the default exit policy provides insight into the variety of malicious activities that are tunneled through Tor. For instance, hacking attempts, allegations of copyright infringement, and bot network control channels are fairly common forms of malicious traffic that can be observed through Tor.

Who is using Tor? In order to understand who uses Tor, we present the geopolitical distribution of the clients that were observed. Germany, China, and the United States appear to use Tor the most, but clients from 126 different countries were observed, which demonstrates Tor's global appeal. In addition, we provide a geopolitical breakdown of who participates in Tor as a router. Most Tor routers are from Germany and the United States, but Germany alone contributes nearly half of the network's total bandwidth. This indicates that implementing location diversity in Tor's routing mechanism is not possible with the current distribution of router resources.

Outline. The remainder of this paper is organized as follows: In Section 2, we provide a brief overview of Tor, and Section 3 describes our data collection methodology. In Section 4, we explore how Tor is used, and present the observed exit traffic protocol distribution. In Section 5, we discuss how Tor is commonly abused by routers, and describe a new technique for detecting routers that maliciously log exit traffic. Section 6 describes our first-hand experiences with misbehaving clients. Section 7 gives the geopolitical distributions of clients and routers. Finally, concluding remarks are given in Section 8.
2 Tor Network

Tor's system architecture attempts to provide a high degree of anonymity and strict performance standards simultaneously [1]. At present, Tor provides an anonymity layer for TCP by carefully constructing a three-hop path (by default), or circuit, through the network of Tor routers using a layered encryption strategy similar to onion routing [8]. Routing information is distributed by a set of authoritative directory servers. In general, all of a particular client's TCP connections are tunneled through a single circuit, which rotates over time. There are typically three hops in a circuit; the first node in the circuit is known as the entrance Tor router, the middle node is called the middle Tor router, and the final hop in the circuit is referred to as the exit Tor router. It is important to note that only the entrance router can directly observe the originator of a particular request through the Tor network. Also, only the exit node can directly examine the decrypted payload and learn the final destination server. It is infeasible for a single Tor router to infer the identities of both the initiating client and the destination server. To achieve its low-latency objective, Tor does not explicitly re-order or delay packets within the network.
3 Data Collection Methodology

To better understand real world Tor usage, we set up a Tor router on a 1 Gb/s network link.¹ This router joined the currently deployed network during December 2007 and January 2008. This configuration allowed us to record a large amount of Tor traffic in short periods of time. While running, our node was consistently among the top 5% of routers in terms of bandwidth of the roughly 1,500 routers flagged as Running by the directory servers at any single point in time.

We understand that there are serious privacy concerns that must be addressed when collecting statistics from an anonymous network [9]. Tor is designed to resist traffic analysis from any single Tor router [1]; thus, the information we log—which includes at most 20 bytes of application-level data—cannot be used to link a sender with a receiver, in most cases. We considered the privacy implications carefully when choosing what information to log and what was too sensitive to store. In the end, we chose to log information from two sources: First, we altered the Tor router to log information about circuits that were established through our node and cells routed through our node. Second, we logged only enough data to capture up to the application-level protocol headers from the exit traffic that was relayed through our node.

In order to maximize the number of entry and exit connections that our router observed, it was necessary to run the router twice, with two distinct exit policies:² (1) Running with an open exit policy (the default exit policy³) enabled our router to observe numerous exit connections, and (2) Prohibiting all exit traffic allowed the router to observe a large number of clients.

Entrance/Middle Traffic Logging. To collect data regarding Tor clients, we ran our router with a completely restricted exit policy (all exit traffic was blocked). We ran our Tor router in this configuration for 15 days from January 15–30, 2008. The router was compiled with minor modifications to support additional logging. Specifically, for every cell routed through our node, the time that it was received, the previous hop's IP address and TCP port number, the next hop's IP address and TCP port number, and the circuit identifier associated with the cell is logged.

Exit Traffic Logging. To collect data regarding traffic exiting the Tor network, we ran the Tor router for four days from December 15–19, 2007 with the default exit policy. For routers that allow exit traffic, the default policy is the most common. During this time, our router relayed approximately 709 GB of TCP traffic exiting the Tor network. In order to gather statistics about traffic leaving the network, we ran tcpdump on the same physical machine as our Tor router. Tcpdump was configured to capture only the first 150 bytes of a packet using the "snap length" option (-s). This limit was selected so that we could capture up to the application-level headers for protocol identification purposes. At most, we captured 96 bytes of application header data, since an Ethernet frame is 14 bytes long, an IP header is 20 bytes long, and a TCP header with no options is 20 bytes long. We used ethereal [10], another tool for protocol analysis and stateful packet inspection, in order to identify application-layer protocols. As a post-processing step, we filtered out packets with a source or destination IP address of any active router published during our collection period. This left only exit traffic.

¹ Our router used Tor software version 0.1.2.18.
² Due to the relatively limited exit bandwidth that exists within Tor, when we ran the default exit policy, our node was chosen as the exit router most frequently on established circuits. As a result, in order to observe a large number of clients, it became necessary to collect data a second time with a completely restricted exit policy so that we would not be an exit router.
³ The default exit policy blocks ports commonly associated with SMTP, peer-to-peer file sharing protocols, and ports with a high security risk.
4 Protocol Distribution

As part of this study, we observe and analyze the application-level protocols that exit our Tor node. We show in Table 1 that interactive protocols like HTTP make up the majority of the traffic, but non-interactive traffic consumes a disproportionate amount of the network's bandwidth. Finally, the data indicates that insecure protocols, such as those that transmit login credentials in plain-text, are used over Tor.

4.1 Interactive vs. Non-interactive Web Traffic

While HTTP traffic comprises an overwhelming majority of the connections observed, it is unclear whether this traffic is interactive web browsing or non-interactive downloading. In order to determine how much of the web traffic is non-interactive, we counted the number of HTTP connections that transferred over 1 MB of data. Only 3.5% of the connections observed were bulk transfers. The vast majority of web traffic is interactive.
Table 1. Exit traffic protocol distribution by number of TCP connections, size, and number of unique destination hosts

Protocol            Connections            Bytes              Destinations
HTTP                12,160,437 (92.45%)    411 GB (57.97%)    173,701 (46.01%)
SSL                    534,666  (4.06%)     11 GB  (1.55%)      7,247  (1.91%)
BitTorrent             438,395  (3.33%)    285 GB (40.20%)    194,675 (51.58%)
Instant Messaging       10,506  (0.08%)    735 MB  (0.10%)        880  (0.23%)
E-Mail                   7,611  (0.06%)    291 MB  (0.04%)        389  (0.10%)
FTP                      1,338  (0.01%)    792 MB  (0.11%)        395  (0.10%)
Telnet                   1,045  (0.01%)    110 MB  (0.02%)        162  (0.04%)
Total               13,154,115             709 GB             377,449
4.2 Is Non-interactive Traffic Hurting Performance?

The designers of the Tor network have placed a great deal of emphasis on achieving low latency and reasonable throughput in order to allow interactive applications, such as web browsing, to take place within the network [1]. However, the most significant difference between viewing the protocol breakdown measured by the number of bytes in contrast to the number of TCP connections is that while HTTP accounted for an overwhelming majority of TCP connections, the BitTorrent protocol uses a disproportionately high amount of bandwidth.⁴ This is not shocking, since BitTorrent is a peer-to-peer (P2P) protocol used to download large files. Since the number of TCP connections shows that the majority of connections are HTTP requests, one might be led to believe that most clients are using the network as an anonymous HTTP proxy. However, the few clients that do use the network for P2P applications such as BitTorrent consume a significant amount of bandwidth.

The designers of the network consider P2P traffic harmful, not for ethical or legal reasons, but simply because it makes the network less useful to those for whom it was designed. In an attempt to prevent the use of P2P programs within the network, the default exit policy blocks the standard file sharing TCP ports. But clearly, our observations show that port-based blocking strategies are easy to evade, as these protocols can be run on non-standard ports.

4.3 Insecure Protocols

Another surprising observation from the protocol statistics is that insecure protocols, or those that transmit login credentials in plain-text, are fairly common. While comprising a relatively low percentage of the total exit traffic observed, protocols such as POP, IMAP, Telnet, and FTP are particularly dangerous due to the ease at which an eavesdropping exit router can capture identifying information (i.e., usernames and passwords). For example, during our observations, we saw 389 unique e-mail servers, which indicates that there were at least 389 clients using insecure e-mail protocols. In fact, only 7,247 total destination servers providing SSL/TLS were observed.

The ability to observe a significant number of usernames and passwords is potentially devastating, but it gets worse: Tor multiplexes several TCP connections over the same circuit. Having observed identifying information, a malicious exit router can trace all traffic on the same circuit back to the client whose identifying information had been observed on that circuit. For instance, suppose that a client initiates both an SSL connection and an AIM connection at the same time. Since both connections use the same circuit (and consequently exit at the same router), the SSL connection can be easily associated with the client's identity leaked by the AIM protocol. Thus, tunneling insecure protocols over Tor presents a significant risk to the initiating client's anonymity.

To address this threat, a reasonable countermeasure is for Tor to explicitly block protocols such as POP, IMAP, Telnet, and FTP⁵ using a simple port-based blocking strategy at the client's local socks proxy.⁶ In response to these observations, Tor now supports two configuration options to (1) warn the user about the dangers of using Telnet, POP2/3, and IMAP over Tor, and (2) block these insecure protocols using a port-based strategy [11]. However, this same type of information leakage is certainly possible over HTTP, for instance, so additional effort must also be focused on enhancing Tor's HTTP proxy to mitigate the amount of sensitive information that can be exchanged over insecure HTTP. For instance, a rule-based system could be designed to filter common websites with insecure logins.

Finally, protocols that commonly leak identifying information should not be multiplexed over the same circuit with other non-identifying traffic. For example, HTTP and instant messaging protocols should use separate and dedicated circuits so that any identifying information disclosed through these protocols is not linked with other circuits transporting more secure protocols.

⁴ Recall that our router's default exit policy does not favor any particular type of traffic. So the likelihood of observing any particular protocol is proportional to the usage of that protocol within the network and the number of other nodes supporting the default or a similar exit policy.
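As an added illustration (not part of the paper), the two client-side countermeasures proposed above correspond to torrc options found in later Tor releases; the option names are an assumption to be checked against the manual of the Tor version in use, and the port list follows the paper's Telnet/POP2/POP3/IMAP set while leaving FTP alone, as footnote 5 suggests.

```text
## Weak: a bare SOCKS listener. Plain-text login protocols leave the client
## unchallenged, and every application's streams share whichever circuit is
## current, so a credential leaked by one protocol links the rest.
SocksPort 9050

## Hardened: (1) warn about, and reject, connections to the default ports of
## Telnet (23), POP2 (109), POP3 (110) and IMAP (143) at the local SOCKS proxy.
## FTP (21) is deliberately not listed; anonymous FTP reveals nothing about
## the client. (2) Give streams to different destination ports their own
## circuits, so identifying traffic is not multiplexed with other traffic.
WarnPlaintextPorts 23,109,110,143
RejectPlaintextPorts 23,109,110,143
SocksPort 9050 IsolateDestPort
```

Port-based rejection only catches protocols on their default ports, which is the limitation footnote 6 already notes; the isolation flag addresses the circuit-sharing risk independently of port numbers.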
5 Malicious Router Behavior

Given the relatively large amount of insecure traffic that can be observed through Tor, there is great incentive for malicious parties to attempt to log sensitive information as it exits the network. In fact, others have used Tor to collect a large number of usernames and passwords, some of which provided access to the computer systems of embassies and large corporations [12].

In addition to capturing sensitive exit traffic, a Tor router can modify the decrypted contents of a message entering or leaving the network. Indeed, in the past, routers have been caught modifying traffic (i.e., injecting advertisements or performing man-in-the-middle attacks) in transit, and techniques have been developed to detect this behavior [13]. We present a simple method for detecting exit router logging under certain conditions. We suspect—and confirm this suspicion using our logging detection technique—that insecure protocols are targeted for the specific purpose of capturing usernames and passwords.

⁵ Anonymous FTP may account for a significant portion of FTP exit traffic and does not reveal any information about the initiating client. Therefore, blocking FTP may be unnecessary.
⁶ Port-based blocking is easy to evade, but it would protect naive users from mistakenly disclosing their sensitive information.
5.1 Detection Methodology

At a high level, the malicious exit router logging detection technique relies upon the assumption that the exit router is running a packet sniffer on its local network. Since packet sniffers such as tcpdump are often configured to perform reverse DNS queries on the IP addresses that they observe, if one controls the authoritative DNS server for a specific set of IP addresses, it is possible to trace reverse DNS queries back to the exit node that issued the query.

[Fig. 1. Malicious exit router logging detection technique. Diagram labels: Tor Client; Tor Network; Circuit; Malicious Exit Router; SYN 1.1.1.1; Lookup 1.1.1.1; Authoritative DNS Server.]

More specifically, the detection method works as follows:
1. We run an authoritative domain name server (DNS) that maps domain names to a vacant block of IP addresses that we control.
2. Using a Tor client, a circuit is established using each individual exit router.
3. Having established a circuit, a SYN ping is sent to one of the IP addresses for which we provide domain name resolution.

This procedure (shown in Figure 1) is repeated for each exit router. Since the IP address does not actually exist, it is very unlikely that there will be any transient reverse DNS queries. However, if one of the exit routers we used is logging this traffic, they may perform a reverse DNS look-up of the IP address that was contacted. In particular, we made an effort to direct the SYN ping at ports where insecure protocols typically run (ports 21, 23, 110, and 143).
5.2 Results

Using the procedure described above, over the course of only one day, we found one exit router that issued a reverse DNS query immediately after transporting our client's traffic. Upon further inspection, by SYN ping scanning all low ports (1–1024), we found that only port 110 triggered the reverse DNS query. Thus, this router only logged traffic on this port, which is the default port for POP3, a plain-text e-mail protocol. We suspect that this port was targeted for the specific purpose of capturing usernames and passwords.

Further improvements on this logging detection could be made by using a honeypot approach and sending unique username and password pairs through each exit router. The honeypot could detect any login attempts that may occur. This method would find the most malicious variety of exit router logging. In fact, upon detecting the logging exit router (using the method described above), we also used this honeypot technique and observed failed login attempts from the malicious IP address shortly after observing the logging.

These results reinforce the need to mitigate the use of protocols that provide login credentials in plain-text over Tor. Given the ease at which insecure protocols can be captured and the relative ease at which they could be blocked, it is a reasonable solution to block their default ports.
5.3 Discussion

This approach to detecting exit router logging has limitations. First, it can only trace the reverse DNS query back to the exit router's DNS server, not to the router itself. To complicate matters more, there exist free domain name resolution services (such as OpenDNS [14]) that provide somewhat anonymous name resolution for any host on the Internet. If one assumes that the exit router is logging and performing reverse DNS queries in real-time, then it is easy to correlate reverse DNS queries with exit routers using timing information.

If reverse DNS is not performed in real-time, then more sophisticated techniques for finding the malicious exit router are required. For instance, if one controls the domain name resolution for several IP addresses, then it is possible to embed a unique pattern in the order of the SYN pings to different IPs through each exit router. This order will be preserved in the exit router's queries and can be used to determine the exit router that logged the traffic. Here we can leverage many of the same principles as explored in [15,16].

The detection method presented makes the key assumption that the logging process will trigger reverse-DNS queries. However, this is not always the case. For example, exit routers that transport traffic at high bandwidth cannot feasibly perform reverse DNS queries in real-time. Also, this technique can be evaded simply by not performing reverse DNS when logging.
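The correlation step on the authoritative name server's side, for both the real-time timing match of Section 5.1 and the probe-ordering variant of Section 5.3, as an added example that is not the paper's code: the probe block 192.0.2.0/24, the exit names, the query-log line format and the timestamps are all constructed for illustration.

```python
"""Correlate reverse-DNS (PTR) queries seen at an authoritative name server
with SYN pings sent through Tor exit routers: the timing correlation of
Section 5.1 and the probe-ordering extension of Section 5.3.
Added example, not the paper's code. Constructed data: the probe block
192.0.2.0/24 (TEST-NET-1), the exit names and the query-log lines are invented."""
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import permutations
import re

# Vacant addresses for which we answer PTR queries authoritatively. Nothing
# listens there, so a lookup of one of them can only come from someone who
# saw the probe packet (the exit router's sniffer, via its resolver).
PROBE_IPS = ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40")

# Query-log line layout assumed here (BIND-like; constructed, not a capture).
_LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<src>[\d.]+)#\d+: query: (?P<name>\S+) IN PTR$")

def ptr_name_to_ip(name):
    """'40.2.0.192.in-addr.arpa' -> '192.0.2.40'; None for any other name."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name)
    return ".".join(reversed(m.groups())) if m else None

def parse_query_log(lines):
    """Return [(timestamp, resolver_ip, queried_ip)] for PTR queries that hit
    one of our probe addresses; unrelated queries are dropped."""
    out = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue
        ip = ptr_name_to_ip(m.group("name"))
        if ip in PROBE_IPS:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
            out.append((ts, m.group("src"), ip))
    return out

def assign_probe_orders(exit_ids):
    """Give every exit a distinct order in which the probe IPs are SYN-pinged
    through it (Section 5.3). The order survives in the logger's PTR queries
    even if they are issued hours later. Supports up to 4! = 24 exits."""
    perms = permutations(PROBE_IPS)
    return {exit_id: next(perms) for exit_id in sorted(exit_ids)}

def match_by_timing(probe_log, ptr_queries, window=timedelta(seconds=30)):
    """Real-time case (Section 5.1): a PTR query is attributed to every exit
    whose probe of that IP preceded it within `window`; more than one
    candidate means timing alone is ambiguous.
    probe_log: [(timestamp, exit_id, probed_ip)]. Returns {resolver: {exits}}."""
    hits = defaultdict(set)
    for q_ts, resolver, ip in ptr_queries:
        for p_ts, exit_id, probed in probe_log:
            if probed == ip and timedelta(0) <= q_ts - p_ts <= window:
                hits[resolver].add(exit_id)
    return dict(hits)

def match_by_order(ptr_queries, orders):
    """Delayed case (Section 5.3): recover the exit from the order in which a
    resolver first looked up each probe IP. Returns {resolver: exit_id}."""
    seen = defaultdict(list)
    for _, resolver, ip in sorted(ptr_queries):
        if ip not in seen[resolver]:
            seen[resolver].append(ip)
    by_order = {order: exit_id for exit_id, order in orders.items()}
    return {r: by_order[tuple(ips)] for r, ips in seen.items()
            if tuple(ips) in by_order}

def _t(clock):
    return datetime.strptime("15-Dec-2007 " + clock, "%d-%b-%Y %H:%M:%S")

# Constructed sample. Three exits were probed in their assigned orders; the
# resolver 203.0.113.7 (the logging exit's DNS server) then looks up all four
# probe IPs in the order assigned to "exitC". A lookup of an address outside
# the probe block is present to show that it is ignored.
ORDERS = assign_probe_orders(["exitA", "exitB", "exitC"])
PROBE_LOG = [
    (_t("10:01:00"), "exitA", "192.0.2.10"),
    (_t("10:02:00"), "exitB", "192.0.2.10"),
    (_t("10:03:50"), "exitC", "192.0.2.10"),
    (_t("10:03:52"), "exitC", "192.0.2.30"),
    (_t("10:03:54"), "exitC", "192.0.2.20"),
    (_t("10:03:56"), "exitC", "192.0.2.40"),
]
QUERY_LOG = [
    "15-Dec-2007 10:04:02.210 client 203.0.113.7#4931: query: 10.2.0.192.in-addr.arpa IN PTR",
    "15-Dec-2007 10:04:02.530 client 203.0.113.7#4931: query: 30.2.0.192.in-addr.arpa IN PTR",
    "15-Dec-2007 10:04:02.870 client 203.0.113.7#4931: query: 20.2.0.192.in-addr.arpa IN PTR",
    "15-Dec-2007 10:04:03.120 client 203.0.113.7#4931: query: 40.2.0.192.in-addr.arpa IN PTR",
    "15-Dec-2007 10:05:11.004 client 198.51.100.9#5002: query: 1.1.168.192.in-addr.arpa IN PTR",
]

def detect(lines=QUERY_LOG, probe_log=PROBE_LOG, orders=ORDERS):
    """Run both correlations over a query log: (timing hits, order hits)."""
    queries = parse_query_log(lines)
    return match_by_timing(probe_log, queries), match_by_order(queries, orders)
```

Both matches point at the resolver, not the router, which is the limitation the section opens with; the ordering match is what remains usable when the lookups are batched long after the probes.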
6 Misbehaving Clients

While Tor provides an invaluable service to protecting online privacy, over the course of operating a Tor router with the default exit policy, we learned about a wide variety of malicious client behavior. Since we are forwarding traffic on behalf of Tor users, our router's IP address appears to be the source of sometimes malicious traffic. The large amount of exit bandwidth that we provided caused us to receive a large number of complaints ranging from DMCA §512 notices related to allegations of copyright infringement, reported hacking attempts, IRC bot network controls, and web page defacement. However, an enormous amount of malicious client activity was likely unreported.

As a consequence of this malicious client behavior, it becomes more difficult to operate exit routers. For instance, our institution's administration requested that we stop running our node shortly after the data for this paper was collected. Similar accounts of administrative and law enforcement attempts to prevent Tor use are becoming more common as Tor becomes more popular to the masses [17]. The Electronic Frontier Foundation (EFF), a group that works to protect online rights, has provided template letters [18] and offered to provide assistance [19] to Tor router operators that have received DMCA take-down notices.

One solution to our problems could have been to change our router's exit policy to reject all exit traffic, or specific ports (such as port 80) that generate a large portion of the complaints. However, this is not practical, since Tor requires a certain amount of exit bandwidth to function correctly. Another solution is to provide a mechanism for anonymous IP address blocking, such as Nymble [20]. Our first-hand observations with misbehaving clients reinforce the need to further study anonymous IP address blocking mechanisms.
7 Geopolitical Client and Router Distributions

As part of this study, we investigate where Tor clients and routers are located geopolitically. Recall that a client's IP address is visible to a router when that router is used as the entrance node on the client's circuit through the Tor network. In the current Tor implementation, only particular routers, called entry guards, may be used for the first hop of a client's circuit. A router is labeled as an entry guard by the authoritative directory servers. All Tor router IP addresses are maintained by the directory servers, and we keep track of the router IP addresses by simply polling the directory servers periodically. In order to map an IP address to its corresponding country of origin, we query the authoritative bodies responsible for assigning IP blocks to individual countries [21,22,23,24,25]. In order to determine the geopolitical distribution of Tor usage throughout the world, we aggregate IP addresses by country, and present the client and router location distributions observed during the January 2008 data collection period.

7.1 Observations

In this section, we present our observations regarding the client and router location distributions.
Table 2. Geopolitical client distributions, router distributions, and the ratio of Tor users relative to Internet users

Client Distribution           Router Distribution          Relative Tor Usage
Country          Total        Country          Total      Country          Ratio
Germany          2,304        Germany            374      Germany           7.73
China              988        United States      326      Turkey            2.47
United States      864        France              69      Italy             1.37
Italy              254        China               40      Russia            0.89
Turkey             221        Italy               36      China             0.84
United Kingdom     170        Netherlands         35      France            0.77
Japan              155        Sweden              35      United Kingdom    0.75
France             150        Finland             25      United States     0.62
Russia             146        Austria             24      Brazil            0.56
Brazil             134        United Kingdom      24      Japan             0.32
Client Distribution. During a one day period when our Tor router was marked as an entry guard by the authoritative directory servers, it observed 7,571 unique clients.⁷ As depicted in Table 2, the vast majority of clients originated in Germany, with China and the United States providing the next largest number of clients. Perhaps the most interesting observation about the client distribution is that Tor has a global user base. While most of the clients are from three countries, during the course of the entire 15 day observation period, clients were observed from 126 countries around the world, many of which have well-known policies of Internet censorship.

To put these raw geopolitical client distributions into perspective, Table 2 includes a ratio of the percentage of Tor users to the percentage of Internet users by country, using data on the distribution of broadband Internet users by country [26]. These percentages were computed by dividing the total number of Tor clients located in each country by the total number of Tor clients we observed, which provides the percentage of Tor users located in each country. For example, the relative Tor usage for Germany is computed as follows: The percentage of the total Internet users who are from Germany is 3.9% and, according to our client observations, Germany makes up 2,304 of the 7,571 total Tor clients, which is 30.4%. Thus, the ratio of Tor users to Internet users in Germany is 7.73. These ratios show that Tor is disproportionately popular in Germany, Turkey, and Italy with respect to the number of broadband Internet users located in these countries. It is unclear why there is such a large scale adoption of Tor in these specific countries, relative to Tor usage in other countries. An investigation of the possible technological, sociological, and political factors in these countries that are causing this might be an enlightening area of research.

Examining the number of clients that utilized our router as their entry router when it was not marked as an entry guard provides insight into the approximate number of clients that are using a significantly old version of the Tor client software. Specifically, this indicates that these clients are using a version before entry guards were introduced in Tor version 0.1.1.20 (May 2006). Over four days, only 206 clients were observed to be using Tor software that is older than this version.

Incidentally, entry guards were added to prevent routers from profiling clients, and indeed the reliance on entry guards prevented us from profiling a large number of clients beyond what we describe above. Before entry guards were widely adopted, a strong diurnal usage pattern had been observed [27]. Since entry guards are now widely adopted, utilizing multiple entry guard perspectives gives a larger snapshot of the clients' locations and usage patterns. We informally compared our geopolitical client distribution to that which was observed from other high bandwidth entry guard routers. The distribution was consistent across each entry guard. However, we attempted to observe the current client usage patterns, but this required a more global perspective than we were able to obtain.

⁷ We assume that each unique IP address is a unique client. However, dynamic IP addresses or network address translators (NATs) may be used in some places.
Tor Router Distribution. During our data collection, we monitored the authoritative directory servers to determine the total number and geopolitical distribution of Tor routers. Over the course of 7 days, we took hourly snapshots of the authoritative directory servers, noting each router's IP address and bandwidth advertisements. During this time, on average 1,188 Tor routers were observed in each snapshot. As shown in Table 2, Germany and the United States together contribute nearly 59% of the running routers. However, in terms of total bandwidth, as depicted in Figure 2, Germany provides 45% of the bandwidth and the United States only provides 23% of the bandwidth.

[Fig. 2. Distribution of Tor router bandwidth around the world.]

It has been suggested that location diversity is a desirable characteristic of a privacy enhancing system [28]. However, given the current bandwidth distribution, location diversity while maintaining adequate load balancing of traffic is difficult to guarantee. It is currently possible to build circuits with at least one router from Germany and the remaining routers from other countries. However, if a location-aware routing mechanism mandated that a user's traffic should exit in a specific country, such as the Netherlands, then it is necessary to ensure that there is sufficient exit bandwidth in that country. Incentive programs to encourage volunteers to run routers in under-represented countries should be investigated. In addition, mitigating malicious client behavior (as noted in Section 6) can consequently attract more Tor routers.
[Fig. 3. PDFs of Tor's traffic distribution over its routers during a one hour snapshot. (a) PDF of all routers. (b) PDF of the top 100 routers. x-axis: routers ranked by popularity; y-axis: PDF.]
7.2 Modeling Router Utilization

Understanding the distribution with which different routers are utilized on circuits can provide valuable insights regarding the system's vulnerability to traffic analysis. In addition, a probability distribution can be used to build more realistic analytical models and simulations. By counting the number of times that each router appears on a circuit with our router, we provide probability density functions (PDFs) to model the probability of each router forwarding a particular packet (shown in Figure 3).

In a one hour snapshot during the January data collection period, the top 2% of all routers transported about 50% of traffic from the perspective of our router. Within this top 2%, 14 routers are hosted in Germany, 6 are hosted in the United States, 4 are in France, and Switzerland, the Netherlands, and Finland each host a single router. These numbers are consistent with the bandwidth distributions given in Figure 2, and further highlight the difficulty of providing strict location diversity in Tor's routing mechanism. The PDF curve drops sharply; the bottom 75% of the routers together transported about 2% of the total traffic. The most traffic that any single router transported was 4.1% of the total traffic. This indicates that the vast majority of Tor traffic is handled by a very small set of routers. Consequently, if an adversary is able to control a set of the highest performing routers, then its ability to conduct traffic analysis increases dramatically. Finally, the PDFs calculated from our router's observations are very similar to the router distribution based on routers' bandwidth advertisements, as reported by Tor's directory servers.
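The counting behind the PDF, the top-share and bottom-share figures, and the comparison against the advertised-bandwidth distribution, as an added example that is not the paper's code: the circuit records and the advertised bandwidths are constructed, and the only assumption is that each circuit through the observing node is recorded as its (previous hop, next hop) pair.

```python
"""Per-router utilization PDF from circuit observations, as in Section 7.2.
Added example, not the paper's code. The circuit records and the advertised
bandwidths are constructed; the counting follows the paper's method of
tallying how often each router appears on a circuit with the observing node."""
from collections import Counter

# Each record is the (previous hop, next hop) pair of one circuit through our
# router; None stands for the client or the destination, which are not routers.
CIRCUITS = (
    [("r01", "r02")] * 20 + [("r01", None)] * 20 + [(None, "r02")] * 5
    + [("r03", "r04")] * 8 + [("r03", None)] * 2
    + [("r05", "r06")] * 4 + [("r05", None)]
    + [("r07", "r08")] * 2 + [("r07", None)]
    + [("r09", "r10")] + [("r09", None)]
)
# Bandwidth advertisements as published by the directory servers (constructed).
ADVERTISED = {"r01": 3500, "r02": 3000, "r03": 1000, "r04": 800, "r05": 500,
              "r06": 400, "r07": 300, "r08": 200, "r09": 200, "r10": 100}

def router_pdf(circuits):
    """[(router, probability)] ranked by popularity: the fraction of circuit
    hops seen by our node that each router accounted for."""
    counts = Counter(r for pair in circuits for r in pair if r is not None)
    total = sum(counts.values())
    return [(r, c / total) for r, c in counts.most_common()]

def top_share(pdf, fraction):
    """Traffic share carried by the most popular `fraction` of routers."""
    k = max(1, round(len(pdf) * fraction))
    return sum(p for _, p in pdf[:k])

def bottom_share(pdf, fraction):
    """Traffic share carried by the least popular `fraction` of routers."""
    k = round(len(pdf) * fraction)
    return sum(p for _, p in pdf[len(pdf) - k:]) if k else 0.0

def advertised_pdf(bandwidth):
    """PDF implied by bandwidth advertisements (weight proportional to the
    advertised bandwidth), the directory-server view the paper compares to."""
    total = sum(bandwidth.values())
    return sorted(((r, b / total) for r, b in bandwidth.items()),
                  key=lambda rb: rb[1], reverse=True)

def total_variation(pdf_a, pdf_b):
    """Half the L1 distance between two PDFs over the same routers; 0 = identical."""
    a, b = dict(pdf_a), dict(pdf_b)
    return 0.5 * sum(abs(a.get(r, 0.0) - b.get(r, 0.0)) for r in set(a) | set(b))

def summarize(circuits=CIRCUITS, bandwidth=ADVERTISED):
    """Headline figures of the kind reported in Section 7.2."""
    pdf = router_pdf(circuits)
    return {
        "max_single_router": pdf[0][1],
        "top_20pct_share": top_share(pdf, 0.20),
        "bottom_50pct_share": bottom_share(pdf, 0.50),
        "distance_to_advertised": total_variation(pdf, advertised_pdf(bandwidth)),
    }
```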
8 Conclusion

This study is aimed at understanding Tor usage. In particular, we provided observations that help understand how Tor is being used, how Tor is being mis-used, and who participates in the network as clients and routers. Through our observations, we have made several suggestions to improve Tor's current design and implementation. First, in response to the fairly large amount of insecure protocol traffic, we proposed that Tor provide a mechanism to block the ports associated with protocols such as POP3, IMAP, and Telnet. Given the ease at which an eavesdropping exit router can log sensitive user information (such as usernames and passwords), we developed a method for detecting malicious logging exit routers, and provided evidence that there are such routers that specifically log insecure protocol exit traffic. As a final avenue of study, we show the disparity in geopolitical diversity between Tor clients and routers, and argue that location diversity is currently impossible to guarantee unless steps are taken to attract a more diverse set of routers.

Due to its popularity, Tor provides insight into the challenges of deploying a real anonymity service, and our hope is that this work will encourage additional research aimed at (1) providing tools to enforce accountability while preserving strong anonymity properties, (2) protecting users from unknowingly disclosing sensitive/identifying information, and (3) fostering participation from a highly diverse set of routers.

Acknowledgements. We thank Roger Dingledine, Parisa Tabriz, and the anonymous PETS 2008 reviewers whose comments greatly improved the quality of this paper. This research was partially supported by the National Science Foundation under grant ITR-0430593.
References

1. Dingledine, R., Mathewson, N., Syverson, P.: Tor: The second-generation onion router. In: Proceedings of the 13th USENIX Security Symposium (August 2004)
2. Wendolsky, R., Herrmann, D., Federrath, H.: Performance comparison of low-latency anonymisation services from a user perspective. In: Borisov, N., Golle, P. (eds.) PET 2007. Springer, Heidelberg (2007)
3. Goldberg, I.: On the security of the Tor authentication protocol. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258. Springer, Heidelberg (2006)
4. Murdoch, S.J.: Hot or not: Revealing hidden services by their clock skew. In: 13th ACM Conference on Computer and Communications Security (CCS 2006), Alexandria, VA (November 2006)
5. Murdoch, S.J., Danezis, G.: Low-cost traffic analysis of Tor. In: Proceedings of the 2005 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos (2005)
6. Øverlier, L., Syverson, P.: Locating hidden servers. In: Proceedings of the 2006 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos (2006)
7. Bauer, K., McCoy, D., Grunwald, D., Kohno, T., Sicker, D.: Low-resource routing attacks against Tor. In: Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2007), Washington, DC, USA (October 2007)
8. Goldschlag, D.M., Reed, M.G., Syverson, P.F.: Hiding routing information. In: Anderson, R. (ed.) IH 1996. LNCS, vol. 1174. Springer, Heidelberg (1996)
9. Sicker, D.C., Ohm, P., Grunwald, D.: Legal issues surrounding monitoring during network research. In: IMC 2007: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement. ACM Press, New York (2007)
10. Ethereal: A network protocol analyzer, http://www.ethereal.com
11. Bauer, K., McCoy, D.: Block insecure protocols by default (January 2008), https://tor-svn.freehaven.net/svn/tor/trunk/doc/spec/proposals/129-reject-plaintext-ports.txt
12. Zetter, K.: Tor researcher who exposed embassy e-mail passwords gets raided by Swedish FBI and CIA (November 2007), http://blog.wired.com/27bstroke6/2007/11/swedish-researc.html
13. Perry, M.: Torflow, https://www.torproject.org/svn/torflow/README
14. OpenDNS, http://www.opendns.com
15. Bethencourt, J., Franklin, J., Vernon, M.: Mapping Internet sensors with probe response attacks. In: Proceedings of the 14th conference on USENIX Security Symposium, Baltimore, MD. USENIX Association (2005)
16. Shinoda, Y., Ikai, K., Itoh, M.: Vulnerabilities of passive Internet threat monitors. In: Proceedings of the 14th conference on USENIX Security Symposium, Baltimore, MD. USENIX Association (2005)
17. Cesarini, P.: Caught in the Network. In: The Chronicle of Higher Education, Washington, D.C., vol. 53 (February 2007)
18. Tor: Response template for Tor node maintainer to ISP, http://www.torproject.org/eff/tor-dmca-response.html
19. Dingledine, R.: EFF is looking for Tor DMCA test case volunteers, http://archives.seul.org/or/talk/Oct-2005/msg00208.html
20. Johnson, P.C., Kapadia, A., Tsang, P.P., Smith, S.W.: Nymble: Anonymous IP-address blocking. In: Borisov, N., Golle, P. (eds.) PET 2007. Springer, Heidelberg (2007)
21. American Registry for Internet Numbers, http://www.arin.net/index.shtml
22. Asia Pacific Network Information Centre, http://www.apnic.net
23. Latin American & Caribbean Internet Addresses Registry, http://lacnic.net/en
24. RIPE Network Coordination Centre, http://www.ripe.net
25. African Network Information Centre, http://www.afrinic.net
26. Internet World Stats, http://www.internetworldstats.com
27. McCoy, D., Bauer, K., Grunwald, D., Tabriz, P., Sicker, D.: Shining light in dark places: A study of anonymous network usage. University of Colorado Technical Report CU-CS-1032-07 (2007)
28. Feamster, N., Dingledine, R.: Location diversity in anonymity networks. In: Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2004), Washington, DC, USA (October 2004)
