Detection and analysis of eavesdropping in anonymous communication networks


Anonymous communication networks, like Tor, partially protect the confidentiality of user traffic by encrypting all communications within the overlay network. However, when the relayed traffic reaches the boundaries of the network, toward its destination, the original user traffic is inevitably exposed to the final node on the path. As a result, users transmitting sensitive data, like authentication credentials, over such networks, risk having their data intercepted and exposed, unless end-to-end encryption is used. Eavesdropping can be performed by malicious or compromised relay nodes, as well as any rogue network entity on the path toward the actual destination. Furthermore, end-to-end encryption does not assure defense against man-in-the-middle attacks. In this work, we explore the use of decoys at multiple levels for the detection of traffic interception by malicious nodes of proxy-based anonymous communication systems. Our approach relies on the injection of traffic that exposes bait credentials for decoy services requiring user authentication, and URLs to seemingly sensitive decoy documents which, when opened, invoke scripts alerting about being accessed. Our aim was to entice prospective eavesdroppers to access our decoy servers and decoy documents, using the snooped credentials and URLs. We have deployed our prototype implementation in the Tor network using decoy IMAP, SMTP, and HTTP servers. During the course of over 30 months, our system has detected 18 cases of traffic eavesdropping that involved 14 different Tor exit nodes.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5


  1. 1.

    A TCP-based service can keep its IP address hidden (and thus its identity) by replacing the IP address with a hidden service URL. These URLs end in a virtual top-level domain called “.onion” and are resolved by a Tor clients while initiating connection to the hidden service.

  2. 2.

    In contrast to SMTP relay (port 25), SMTP through port 587 is dedicated to message submission for delivery only for users that have registered accounts on the server.

  3. 3.

    In other words, for each exit node that allows access to IMAP, we created a unique username and password. This unique association of the exit node and the exposed user credential helps identify the eavesdropping exit nodes that snoop on these exposed credentials and connect back to our decoy server.

  4. 4.

    Mail clients generally execute a set of commands on the server to fetch the various user directories associated with an account. The absence of such commands and zero payload length could be a strong indication that the adversary does not use any known mail client. We have studied the various protocol messages exchanged by various popular mail client programs.

  5. 5.

    This difference is primarily due to the different lengths of IMAP and SMTP messages. The overhead due to Tor protocol messages, involving circuit setup, key exchanges, accounting, and circuit termination, does not vary significantly between IMAP and SMTP.

  6. 6.

    By default, a fixed set of entry nodes used by Tor clients to defend against traffic analysis attacks that can be launched by malicious entry and exit nodes.


  1. 1.

    Anonymizer, Inc.

  2. 2.


  3. 3.

    Back, A., Möller, U., Stiglic, A.: Traffic analysis attacks and trade-offs in anonymity providing systems. In: Proceedings of the 4th International Workshop on Information Hiding(IHW), pp. 245–257. Springer, London (2001)

  4. 4.

    Known bad relays.

  5. 5.

    Balsa—An e-mail client for GNOME.

  6. 6.

    Bauer, K., McCoy, D., Grunwald, D., Kohno, T., Sicker, D.: Low-resource routing attacks against tor. In: Proceedings of the 2007 ACM Workshop on Privacy in Electronic Society (WPES), pp. 11–20 (2007)

  7. 7.

    Bauer, K., McCoy, D., Grunwald, D., Sicker, D.: Bitblender: light-weight anonymity for bittorrent. In: Proceedings of the workshop on Applications of private and anonymous communications, AIPACa ’08, pp. 1:1–1:8. ACM, New York, NY, USA (2008) doi:10.1145/1461464.1461465

  8. 8.

    Bennett, K., Grothoff, C.: Gnunet: gnu’s decentralized anonymous and censorship-resistant P2P framework.

  9. 9.

    Bennett, K., Grothoff, C.: GAP—practical anonymous networking. In: Proceedings of the Privacy Enhancing Technologies Workshop (PET), pp. 141–160 (2003)

  10. 10.

    Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: D-cubed.

  11. 11.

    Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Baiting inside attackers using decoy documents. In: Proceedings of the 5th International ICST Conference on Security and Privacy in Communication Networks (SecureComm), pp. 51–70 (2009)

  12. 12.

    Bowen, B.M., Kemerlis, V.P., Prabhu, P., Keromytis, A.D., Stolfo, S.J.: Automating the injection of believable decoys to detect snooping. In: Proceedings of the Third ACM Conference on Wireless Network Security (WiSec), pp. 81–86 (2010)

  13. 13.

    Bowen, B.M., Salem, M.B., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Designing host and network sensors to mitigate the insider threat. IEEE Secur. Priv. 7, 22–29 (2009). doi:10.1109/MSP.2009.109

    Article  Google Scholar 

  14. 14.

    Chakravarty, S., Polychronakis, M., Portokalidis, G., Keromytis, A.D.: Details of various eavesdropping incidents. http://dph72nibstejmee4.onion/decoys_via_tor/map.html

  15. 15.

    Charavarty, S., Portokalidis, G., Polychronakis, M., Keromytis, A.D.: Detecting traffic snooping in tor using decoys. In: Proceedings of the 14th International Symposium on Recent Advances in Intrusion Detection, pp. 222–241 (2011)

  16. 16.

    Chaum, D.L.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–90 (1981)

    Article  Google Scholar 

  17. 17.

    Claws mail.

  18. 18.

    Desaster: kippo ssh honeypot.

  19. 19.

    Díaz, C., Seys, S., Claessens, J., Preneel, B.: Towards measuring anonymity. In: Proceedings of the 2nd International Conference on Privacy Enhancing Technologies. PET’02, pp. 54–68. Springer, Berlin (2003)

  20. 20.

    Dingledine, R., Mathewson, N.: Tor path specification.;hb=HEAD;f=path-spec.txt

  21. 21.

    Dingledine, R., Mathewson, N., Syverson, P.: Onion Routing.

  22. 22.

    Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. In: Proceedings of the 13th USENIX Security Symposium, pp. 303–319 (2004)

  23. 23.

    Douceur, J.R.: The sybil attack. In: Proceedings of International Workshop on Peer-to-Peer Systems (2001)

  24. 24.

    Stenberg, D.: kippo curl.

  25. 25.


  26. 26.


  27. 27.

    The Honeynet Project.

  28. 28.

    I2P Anonymous Network.

  29. 29.

    iOpus\(^{\rm TM}\): iMacros\(\copyright \).

  30. 30.

    Isdal, T., Piatek, M., Krishnamurthy, A., Anderson, T.: Privacy-preserving P2P data sharing with oneswarm. In: Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM), pp. 111–122 (2010)

  31. 31.


  32. 32.

    Kmail—mail client.

  33. 33.

    McCanne, S., Leres, C., Jacobson, V.: Tcpdump and libpcap.

  34. 34.

    Mccoy, D., Bauer, K., Grunwald, D., Kohno, T., Sicker, D.: Shining light in dark places: understanding the tor network. In: Proceedings of the 8th International Symposium on Privacy Enhancing Technologies (PETS), pp. 63–76 (2008)

  35. 35.

    Meyers, J.: IMAP4 ACL extension.

  36. 36.

    Mulazzani, M., Huber, M., Weippl, E.R.: Tor HTTP usage and information leakage. In: Proceedings of the IFIP Conference on Communications and Multimedia Security (CMS), pp. 245–255 (2010)

  37. 37.

    Palfrader, P.: Tor SSL MITM check.

  38. 38.

    Pound, C.: Chris Pound’s language machines.

  39. 39.

    Pound, C.: Language confluxer.

  40. 40.

    Pound, C.: Prop.

  41. 41.

    Provos, N.: A virtual honeypot framework. In: Proceedings of the 13th USENIX Security Symposium, pp. 1–14 (2004)

  42. 42.

    Raymond, J.F.: Traffic analysis: protocols, attacks, design issues, and open problems. In: Proceedings of Designing Privacy Enhancing Technologies: Workshop on Design Issues in Anonymity and Unobservability, pp. 10–29. Springer, LNCS 2009 (2000)

  43. 43.

    Reed, M.G., Syverson, P.F., Goldschlag, D.M.: Anonymous connections and onion routing. IEEE J. Sel. Areas Commun. 16, 482–494 (1998)

    Article  Google Scholar 

  44. 44.

    Reiter, M.K., Rubin, A.D.: Crowds: anonymity for web transactions. ACM Trans. Inf. Syst. Secur. 1, 66–92 (1998)

    Article  Google Scholar 

  45. 45.

    Services, O.U.C.: The university of oxford text archive.

  46. 46.

    Spitzner, L.: Honeytokens: the other honeypot.

  47. 47.

    Spitzner, L.: Honeypots: catching the insider threat. In: Proceedings of the 19th Annual Computer Security Applications Conference (ACSAC) (2003)

  48. 48.

    Stoll, C.: Stalking the wily hacker. Commun. ACM 31(5), 484–497 (1988)

    Article  MathSciNet  Google Scholar 

  49. 49.

    Stoll, C.: The cuckoo’s egg: tracking a spy through the maze of computer espionage. Doubleday, New York (1989)

    Google Scholar 

  50. 50.

    Sylpheed-lightweight and user-friendly e-mail client.

  51. 51.

    Furry, T.: TOR exit-node doing MITM attacks.

  52. 52.

    Tor metrics portal.

  53. 53.

    Tor metrics portal: number of users.

  54. 54.

    Ts’o, T.: Password generator.

  55. 55.

    Winter, P., Lindskog, S.: Spoiled onions: exposing malicious tor exit relays. Technical Report, Karlstad University (2014). URL

  56. 56.

    Yuill, J., Zappe, M., Denning, D., Feer, F.: Honeyfiles: deceptive files for intrusion detection. In: Proceedings of the 2nd IEEE Workshop on Information Assurance (WIA), pp. 116–122 (2004)

Download references


This work was supported by DARPA and ONR through Contracts DARPA-W011NF-11-1-0140 and ONR-MURI-N00014-07-1-090, respectively. Any opinions, findings, conclusions, or recommendations expressed herein are those of the authors and do not necessarily reflect those of the US Government, DARPA, or ONR.

Author information



Corresponding author

Correspondence to Sambuddho Chakravarty.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Chakravarty, S., Portokalidis, G., Polychronakis, M. et al. Detection and analysis of eavesdropping in anonymous communication networks. Int. J. Inf. Secur. 14, 205–220 (2015).

Download citation


  • Tor
  • Anonymity networks
  • Proxies
  • Eavesdropping
  • Decoys