Advertisement

Spoiled Onions: Exposing Malicious Tor Exit Relays

  • Philipp Winter
  • Richard Köwer
  • Martin Mulazzani
  • Markus Huber
  • Sebastian Schrittwieser
  • Stefan Lindskog
  • Edgar Weippl
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8555)

Abstract

Tor exit relays are operated by volunteers and together push more than 1 GiB/s of network traffic. By design, these volunteers are able to inspect and modify the anonymized network traffic. In this paper, we seek to expose such malicious exit relays and document their actions. First, we monitored the Tor network after developing two fast and modular exit relay scanners—one for credential sniffing and one for active MitM attacks. We implemented several scanning modules for detecting common attacks and used them to probe all exit relays over a period of several months. We discovered numerous malicious exit relays engaging in a multitude of different attacks. To reduce the attack surface users are exposed to, we patched Torbutton, an existing browser extension and part of the Tor Browser Bundle, to fetch and compare suspicious X.509 certificates over independent Tor circuits. Our work makes it possible to continuously and systematically monitor Tor exit relays. We are able to detect and thwart many man-in-the-middle attacks, thereby making the network safer for its users. All our source code is available under a free license.

Keywords

Exit Node Network Consensus MitM Attack Indian Node Relay Operator 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Alexa: The top 500 sites on the web (2013), http://www.alexa.com/topsites
  2. 2.
    Bernstein, D.J.: Curve25519: New Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006), http://cr.yp.to/ecdh/curve25519-20060209.pdf CrossRefGoogle Scholar
  3. 3.
    Le Blond, S., et al.: One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users. In: LEET. USENIX (2011), https://www.usenix.org/legacy/events/leet11/tech/full_papers/LeBlond.pdf
  4. 4.
    Le Blond, S., et al.: Spying the World from Your Laptop: Identifying and Profiling Content Providers and Big Downloaders in BitTorrent. In: LEET. USENIX (2010), https://www.usenix.org/legacy/event/leet10/tech/full_papers/LeBlond.pdf
  5. 5.
    Chakravarty, S., Portokalidis, G., Polychronakis, M., Keromytis, A.D.: Detecting Traffic Snooping in Tor Using Decoys. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 222–241. Springer, Heidelberg (2011), http://www.cs.columbia.edu/~mikepo/papers/tordecoys.raid11.pdf CrossRefGoogle Scholar
  6. 6.
  7. 7.
    Dingledine, R.: Re: Holy shit I caught 1 (2006), http://archives.seul.org/or/talk/Aug-2006/msg00262.html
  8. 8.
    Dingledine, R., Mathewson, N.: Anonymity Loves Company: Usability and the Network Effect. In: WEIS (2006), http://freehaven.net/doc/wupss04/usability.pdf
  9. 9.
    Dingledine, R., Mathewson, N.: Tor Protocol Specification, https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=torspec.txt
  10. 10.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. In: USENIX Security. USENIX (2004), http://static.usenix.org/event/sec04/tech/full_papers/dingledine/dingledine.pdf
  11. 11.
    Electronic Frontier Foundation. HTTPS Everywhere (2013), https://www.eff.org/https-everywhere
  12. 12.
    Goldberg, I.: On the Security of the Tor Authentication Protocol. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 316–331. Springer, Heidelberg (2006), http://freehaven.net/anonbib/cache/tap:pet2006.pdf CrossRefGoogle Scholar
  13. 13.
    Haim, D.: SocksiPy - A Python SOCKS client module (2006), http://socksipy.sourceforge.net
  14. 14.
    Hodges, J., Jackson, C., Barth, A.: HTTP Strict Transport Security, HSTS (2012), https://tools.ietf.org/html/rfc6797
  15. 15.
    Hodges, J., Jackson, C., Barth, A.: RFC 6797: HTTP Strict Transport Security, HSTS (2012), https://tools.ietf.org/html/rfc6797
  16. 16.
    Huber, M., Mulazzani, M., Weippl, E.: Tor HTTP Usage and Information Leakage. In: De Decker, B., Schaumüller-Bichl, I. (eds.) CMS 2010. LNCS, vol. 6109, pp. 245–255. Springer, Heidelberg (2010), http://freehaven.net/anonbib/cache/huber2010tor.pdf CrossRefGoogle Scholar
  17. 17.
    InformAction. NoScript (2013), http://noscript.net
  18. 18.
  19. 19.
    Thoughtcrime Labs. Convergence (2011), http://convergence.io
  20. 20.
    Langley, A.: Public key pinning (2011), https://www.imperialviolet.org/2011/05/04/pinning.html
  21. 21.
    Lowe, G., Winters, P., Marcus, M.L.: The Great DNS Wall of China. Tech. rep. New York University (2007), http://cs.nyu.edu/~pcw216/work/nds/final.pdf
  22. 22.
  23. 23.
  24. 24.
    McCoy, D., Bauer, K., Grunwald, D., Kohno, T., Sicker, D.C.: Shining Light in Dark Places: Understanding the Tor Network. In: Borisov, N., Goldberg, I. (eds.) PETS 2008. LNCS, vol. 5134, pp. 63–76. Springer, Heidelberg (2008), http://homes.cs.washington.edu/~yoshi/papers/Tor/PETS2008_37.pdf CrossRefGoogle Scholar
  25. 25.
    Paul, R.: Security expert used Tor to collect government e-mail passwords (2007), http://arstechnica.com/security/2007/09/security-expert-used-tor-to-collect-government-e-mail-passwords/
  26. 26.
    Perry, M., Clark, E., Murdoch, S.: The Design and Implementation of the Tor Browser [DRAFT] (2013), https://www.torproject.org/projects/torbrowser/design/
  27. 27.
    SkullSecurity. Passwords (2011), https://wiki.skullsecurity.org/Passwords
  28. 28.
    SoftCom, Inc. Email Hosting Services, http://mail2web.com
  29. 29.
    The Tor Project. ExoneraTor, https://exonerator.torproject.org
  30. 30.
    The Tor Project. Relays with Exit, Fast, Guard, Stable, and HSDir flags, https://metrics.torproject.org/network.html#relayflags
  31. 31.
  32. 32.
    The Tor Project. Stem Docs, https://stem.torproject.org
  33. 33.
    The Tor Project. TC: A Tor control protocol (Version 1), https://gitweb.torproject.org/torspec.git/blob/HEAD:/control-spec.txt
  34. 34.
  35. 35.
  36. 36.
    Torsocks: use socks-friendly applications with Tor, https://code.google.com/p/torsocks/
  37. 37.
    Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing. In: ATC. USENIX (2008), http://perspectivessecurity.files.wordpress.com/2011/07/perspectives_usenix08.pdf

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Philipp Winter
    • 1
  • Richard Köwer
    • 3
  • Martin Mulazzani
    • 2
  • Markus Huber
    • 2
  • Sebastian Schrittwieser
    • 2
  • Stefan Lindskog
    • 1
  • Edgar Weippl
    • 2
  1. 1.Karlstad UniversitySweden
  2. 2.SBA ResearchAustria
  3. 3.FH Campus WienAustria

Personalised recommendations