
Breaking Anonymity

Seminar Guide: Prof. Mrs. M. M. Chaple

Seminar by: Amit Watve, T.E. Computer II, Roll No. 43088
What is Tor?

Tor is free software for enabling online anonymity and censorship resistance.

Tor directs Internet traffic through a free, worldwide, volunteer network of
more than five thousand relays to conceal a user's location and usage from
anyone conducting network surveillance or traffic analysis.

Tor's hidden services let users publish web sites and other services without
revealing the location of the site.

Outline
What is Tor?
How does Tor work?
Exploitation of Tor
Tor is also used for illicit and, in many cases, illegal activities, such as:

Gaining access to censored information
Unauthorized leaks of sensitive information
Copyright infringement
Distribution of illegal sexual content
Selling of controlled substances
Money laundering

The key is to target those who would misuse the technology, not the technology
itself.
Terminology

Alice (the client): runs local software called the onion proxy (OP), which
anonymizes the client's data before it enters Tor.
Bob (the server): runs TCP applications such as a web service.
Onion routers (ORs): special proxies that relay the application data between
Alice and Bob. In Tor, Transport Layer Security (TLS) connections provide the
link encryption on the overlay between two onion routers.
The Cell-Counting Attack
(Overview)
To confirm that a client (Alice) is communicating with a suspect server (Bob),
this attack exploits the fact that Tor's fixed-size cells are flushed to the
network in batches of varying size, so the IP packets carrying them vary in size.

By controlling how many cells are flushed together, a malicious onion router at
the server end (the OR connected to Bob) embeds a secret signal in the stream.

An accomplice onion router at the client end (the OR connected to Alice) detects
and recovers the embedded signal, confirming that the traffic came from the
suspect server.

[Figures: packet size vs. time; number of packets vs. packet size]

Tor packs application data into equal-sized cells of 512 bytes.

The IP packets that carry those cells between onion routers, however, vary in
size, because several cells can be written to a TCP connection at once.
The Cell-Counting Attack
(Steps)
Step 1: Selecting the Target:
The OR connected to Bob logs Bob's information: IP address, port, circuit ID, etc.

The attacker skips the first two cells sent from server to client (these cells
carry connection-establishment information, not application data).

All following cells are CELL_RELAY_DATA cells, which carry actual data end to
end.

The attacker embeds the signal in these data cells as described in the next step.
Step 2: Encoding the Signal:
CELL_RELAY_DATA cells are flushed from the OR's circuit queue to its output
buffer when the circuit's write event fires.

The secret signal is embedded in the traffic by manipulating the number of cells
flushed to the output buffer per write event:

To encode bit 1, the attacker flushes three cells from the circuit queue.
To encode bit 0, the attacker flushes only one cell from the circuit queue.

Once enough cells are waiting in the circuit queue, the attacker triggers the
circuit write event immediately, so that all of them are flushed to the output
buffer at once.
[Figure: processing of cells at the onion router, from circuit queue to output buffer]
Step 3: Recording Packets:
An accomplice of the attacker at the OR connected to Alice records the incoming
cells in order to discover the embedded signal.

Here, too, the connection-establishment cells are skipped, and the cells arriving
thereafter at the circuit queue are recorded.

The signal embedded in the recorded cells is then decoded, as shown in the next
step.

Step 4: Decoding Signals at Entry Onion Routers
(Distortion of the Signal)
Let $C = \{C_0, C_1, \dots, C_i, \dots, C_{m-1}\}$ be the cell counts recorded in
the circuit queue at the entry onion router, and let the original signal be
$S = \{S_0, S_1, \dots, S_j, \dots, S_{n-1}\}$.

Type-I distortion: the original signal $S_j$ is divided into $k+1$ separate cells.
Type-II distortion: the last part of $S_j$ is merged with $S_x$.
Type-III distortion: several original signals are merged into a single packet.
Type-IV distortion: a part of $S_{j+k}$ is merged into the following cells.
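Steps 1 to 4 above form one procedure. The Python program below is an added simulation of it, written for this page; it is not code from Ling et al. or from Tor. It encodes a secret bit string as one- or three-cell flushes at the server-side OR, applies a Type-I split in transit, regroups the recorded segments at the client-side OR, and confirms the Alice-Bob relationship when the recovered bits match the signal. The symbol gap, the grouping threshold and the split model are assumptions; the real attack's distortion-recovery algorithm is more elaborate than the timing-based grouping used here, and merges across symbols (Type III) are not simulated.

```python
# Added simulation of the cell-counting covert signal (after Ling et al. 2012).
# Example code for this page, not the paper's or Tor's code. Timing constants
# and the split model are assumptions.
import random
from typing import List, Optional, Tuple

CELL_SIZE = 512        # every Tor cell is 512 bytes
CELLS_FOR_ONE = 3      # server-side OR flushes three cells to encode bit 1
CELLS_FOR_ZERO = 1     # and one cell to encode bit 0
SYMBOL_GAP = 0.050     # assumed: seconds the encoder waits between symbols
GROUP_GAP = 0.020      # assumed: decoder treats arrivals closer than this as one symbol

Segment = Tuple[float, int]   # (arrival time in seconds, TCP payload bytes)


def encode(signal: List[int], start: float = 0.0) -> List[Segment]:
    """Server-side OR (connected to Bob): one write event per bit, flushing one
    or three cells from the circuit queue, so each segment is 512 or 1536 bytes."""
    segments, t = [], start
    for bit in signal:
        cells = CELLS_FOR_ONE if bit else CELLS_FOR_ZERO
        segments.append((t, cells * CELL_SIZE))
        t += SYMBOL_GAP
    return segments


def distort(segments: List[Segment], rng: random.Random,
            split_prob: float = 0.4, jitter: float = 0.002) -> List[Segment]:
    """Type-I distortion: a multi-cell segment is split by the network into two
    IP packets that arrive a few milliseconds apart."""
    out = []
    for t, length in segments:
        cells = length // CELL_SIZE
        if cells > 1 and rng.random() < split_prob:
            k = rng.randint(1, cells - 1)
            out.append((t, k * CELL_SIZE))
            out.append((t + jitter, (cells - k) * CELL_SIZE))
        else:
            out.append((t, length))
    return out


def decode(recorded: List[Segment]) -> List[Optional[int]]:
    """Client-side OR (connected to Alice): group recorded arrivals by time, sum
    the cells in each group and map 1 cell -> bit 0, 3 cells -> bit 1. Any other
    cell count is an unresolved distortion and is reported as None."""
    groups: List[list] = []   # each entry is [first_arrival_time, cell_count]
    for t, length in sorted(recorded):
        cells = length // CELL_SIZE
        if groups and t - groups[-1][0] < GROUP_GAP:
            groups[-1][1] += cells      # fragment of the same flush (Type I)
        else:
            groups.append([t, cells])   # a new symbol
    bits: List[Optional[int]] = []
    for _, cells in groups:
        if cells == CELLS_FOR_ZERO:
            bits.append(0)
        elif cells == CELLS_FOR_ONE:
            bits.append(1)
        else:
            bits.append(None)
    return bits


def confirmed(recovered: List[Optional[int]], signal: List[int],
              max_errors: int = 0) -> bool:
    """Confirm the Alice-Bob relationship when the recovered bits agree with the
    secret signal up to max_errors positions (unresolved symbols count as errors)."""
    if len(recovered) != len(signal):
        return False
    return sum(r != s for r, s in zip(recovered, signal)) <= max_errors


def run_simulation(signal: List[int], seed: int = 7) -> Tuple[List[Optional[int]], bool]:
    """End to end: encode at the server-side OR, distort in transit, decode at
    the client-side OR, then compare against the known secret signal."""
    recorded = distort(encode(signal), random.Random(seed))
    recovered = decode(recorded)
    return recovered, confirmed(recovered, signal)


if __name__ == "__main__":
    secret = [1, 0, 1, 1, 0, 0, 1, 0]
    bits, ok = run_simulation(secret)
    print("recovered:", bits, "confirmed:", ok)
```

Because every split fragment arrives within GROUP_GAP of the first fragment, the decoder regroups a 1+2 or 2+1 split back into a three-cell symbol; a lone two-cell group, which in the real attack could be either a Type-I fragment or two merged one-cell symbols, is left unresolved rather than guessed.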
NSA vs. Tor
The National Security Agency and Tor
The National Security Agency (NSA) is a U.S. intelligence agency responsible for
the production and management of signals intelligence (SIGINT) and information
assurance for the United States government.

It is led by the Director of the National Security Agency, General Keith B.
Alexander, who also serves as Chief of the Central Security Service.

In 2013, the extent of the NSA's secret surveillance programs was revealed to the
public by Edward Snowden.

The leaked documents describe an NSA exploit, codenamed EgotisticalGiraffe, aimed
at the browser shipped in the Tor Browser Bundle. The 2013 takedown of Freedom
Hosting's Tor hidden services also relied on a browser exploit against Tor
Browser users; that operation was publicly attributed to the FBI, and the leaked
documents do not show the NSA breaking Tor itself.
Exploiting the Tor Browser Bundle
The NSA attacks described in the leaked documents target Tor users individually
by exploiting vulnerabilities in their Firefox browsers, not the Tor application
itself.

In 2013 the Firefox builds in many older versions of the Tor Browser Bundle were
found to be vulnerable to a JavaScript attack, which was being exploited to send
users' IP addresses and Windows computer names to the attackers.

EgotisticalGiraffe exploits a type confusion vulnerability in E4X, an XML
extension for JavaScript. The vulnerability exists in Firefox 11.0 to 16.0.2, as
well as Firefox 10.0 ESR, the Firefox version used until recently in the Tor
Browser Bundle.


The QUANTUM System
To trick targets into visiting a FoxAcid server, the NSA relies on its secret
partnerships with US telecoms companies: it places secret servers, codenamed
Quantum, at key places on the Internet backbone.

This placement ensures that they can react faster than the websites a target
visits. By exploiting that speed difference, a Quantum server can answer a
request in the name of the visited website before the legitimate site can
respond, which tricks the target's browser into visiting a FoxAcid server.

In other words, the Quantum servers carry out a packet-injection attack that
surreptitiously redirects the target to the FoxAcid server.

The FOXACID System

FoxAcid is the Internet-facing NSA system capable of attacking target computers
in a variety of ways.
Each FoxAcid server is a Windows 2003 machine configured with custom software and
a series of Perl scripts. These servers are run by the NSA's Tailored Access
Operations (TAO) group.
FoxAcid servers have normal-looking domain names and can be visited by any
browser from anywhere; ownership of those domains cannot be traced back to the
NSA.
However, if a browser visits a FoxAcid server with a special URL, called a
FoxAcid tag, the server attempts to infect that browser and take control of it.
FoxAcid tags are designed to look innocuous, so that anyone who sees them would
not be suspicious. An example of such a tag:

http://baseball2.2ndhalfplays.com/nested/attribs/bins/1/define/forms9952_z1zzz.html
Conclusion

In this seminar, we have looked at Tor, its advantages and disadvantages, and
how it is used for unethical and sometimes illegal purposes.

The cell-counting attack is notable because it is difficult to detect and can
quickly and accurately confirm an anonymous communication relationship between
users on Tor.

We also saw how browser exploits against the Tor Browser Bundle, such as the
NSA's EgotisticalGiraffe and the exploit used in the 2013 takedown of Freedom
Hosting's hidden services, deanonymize Tor users without breaking Tor itself.

The leaked NSA documents also concede that the agency is not able to deanonymize
the entire Tor network all the time: at most it can deanonymize all users for a
moment, or one user all the time.
References

Z. Ling, J. Luo, W. Yu, X. Fu, D. Xuan and W. Jia, "A New Cell-Counting-Based
Attack Against Tor," IEEE/ACM Transactions on Networking, vol. 20, no. 4,
pp. 1245-1261, Aug. 2012.

L. Zhang et al., "Application-level attack against Tor's hidden service," in
Proc. 6th International Conference on Pervasive Computing and Applications
(ICPCA), IEEE, 2011.

The Tor Project, www.torproject.org

Documents leaked by Edward Snowden (2013)
Thank You!
