Detecting Traffic Snooping in Tor Using Decoys

  • Sambuddho Chakravarty
  • Georgios Portokalidis
  • Michalis Polychronakis
  • Angelos D. Keromytis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6961)


Anonymous communication networks like Tor partially protect the confidentiality of their users’ traffic by encrypting all intra-overlay communication. However, when the relayed traffic reaches the boundaries of the overlay network towards its actual destination, the original user traffic is inevitably exposed. At this point, unless end-to-end encryption is used, sensitive user data can be snooped by a malicious or compromised exit node, or by any other rogue network entity on the path towards the actual destination.

We explore the use of decoy traffic for the detection of traffic interception on anonymous proxying systems. Our approach is based on the injection of traffic that exposes bait credentials for decoy services that require user authentication. Our aim is to entice prospective eavesdroppers to access decoy accounts on servers under our control using the intercepted credentials. We have deployed our prototype implementation in the Tor network using decoy IMAP and SMTP servers. During the course of ten months, our system detected ten cases of traffic interception that involved ten different Tor exit nodes. We provide a detailed analysis of the detected incidents, discuss potential improvements to our system, and outline how our approach can be extended for the detection of HTTP session hijacking attacks.


Overlay Network Exit Node Overlay Node Exit Router Anonymous Communication 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anonymizer, Inc.,
  2. 2.
  3. 3.
    Inside Net Neutrality: Is your ISP filtering content?,
  4. 4.
    Rogue Nodes Turn Tor Anonymizer Into Eavesdropper’s Paradise,
  5. 5.
    Tor Metrics Portal,
  6. 6.
  7. 7.
    Bennett, K., Grothoff, C.: GAP - practical anonymous networking. In: Dingledine, R. (ed.) PET 2003. LNCS, vol. 2760, pp. 141–160. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Bowen, B.M., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Baiting Inside Attackers Using Decoy Documents. In: Proceedings of the 5th International ICST Conference on Security and Privacy in Communication Networks (SecureComm), pp. 51–70 (September 2009)Google Scholar
  9. 9.
    Bowen, B.M., Kemerlis, V.P., Prabhu, P., Keromytis, A.D., Stolfo, S.J.: Automating the injection of believable decoys to detect snooping. In: Proceedings of the Third ACM Conference on Wireless Network Security (WiSec), pp. 81–86 (2010)Google Scholar
  10. 10.
    Bowen, B.M., Salem, M.B., Hershkop, S., Keromytis, A.D., Stolfo, S.J.: Designing host and network sensors to mitigate the insider threat. IEEE Security and Privacy 7, 22–29 (2009)CrossRefGoogle Scholar
  11. 11.
    Chaum, D.L.: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), 84–90 (1981)CrossRefGoogle Scholar
  12. 12.
    Danezis, G., Dingledine, R., Mathewson, N.: Mixminion: A Type III Anonymous Remailer,
  13. 13.
    Díaz, C., Seys, S., Claessens, J., Preneel, B.: Towards measuring anonymity. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 54–68. Springer, Heidelberg (2003), CrossRefGoogle Scholar
  14. 14.
    Dingledine, R., Mathewson, N., Syverson, P.: Onion Routing,
  15. 15.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. In: Proceedings of the 13th USENIX Security Symposium), pp. 303–319 (August 2004)Google Scholar
  16. 16.
  17. 17.
    The Honeynet Project,
  18. 18.
    Isdal, T., Piatek, M., Krishnamurthy, A., Anderson, T.: Privacy-preserving P2P data sharing with oneswarm. In: Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM), pp. 111–122 (2010)Google Scholar
  19. 19.
  20. 20.
    McCanne, S., Leres, C., Jacobson, V.: Tcpdump and Libpcap,
  21. 21.
    Mccoy, D., Bauer, K., Grunwald, D., Kohno, T., Sicker, D.: Shining light in dark places: Understanding the tor network. In: Borisov, N., Goldberg, I. (eds.) PETS 2008. LNCS, vol. 5134, pp. 63–76. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  22. 22.
    Mulazzani, M., Huber, M., Weippl, E.R.: Tor HTTP usage and information leakage. In: De Decker, B., Schaumüller-Bichl, I. (eds.) CMS 2010. LNCS, vol. 6109, pp. 245–255. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  23. 23.
    Nikiforakis, N., Younan, Y., Joosen, W.: Hproxy: client-side detection of ssl stripping attacks. In: Kreibich, C., Jahnke, M. (eds.) DIMVA 2010. LNCS, vol. 6201, pp. 200–218. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  24. 24.
    Øverlier, L., Syverson, P.: Locating hidden servers. In: Proceedings of the IEEE Symposium on Security and Privacy (2006)Google Scholar
  25. 25.
    Provos, N.: A virtual honeypot framework. In: Proceedings of the 13th USENIX Security Symposium, pp. 1–14 (August 2004)Google Scholar
  26. 26.
    Reiter, M.K., Rubin, A.D.: Crowds: anonymity for web transactions. ACM Trans. Inf. Syst. Secur. 1, 66–92 (1998)CrossRefGoogle Scholar
  27. 27.
    Sidiroglou, S., Stavrou, A., Keromytis, A.: Mediated overlay services (MOSES): Network security as a composable service. In: 2007 IEEE, Sarnoff Symposium, (April 30 - May 2) pp. 1–7 (2007)Google Scholar
  28. 28.
  29. 29.
    Spitzner, L.: Honeytokens: The Other Honeypot,
  30. 30.
    Spitzner, L.: Honeypots: Catching the insider threat. In: Proceedings of the 19th Annual Computer Security Applications Conference, ACSAC (2003)Google Scholar
  31. 31.
    Stoll, C.: Stalking the wily hacker. Communications of the ACM 31(5), 484–497 (1988)CrossRefGoogle Scholar
  32. 32.
    Stoll, C.: The cuckoo’s egg: tracking a spy through the maze of computer espionage. Doubleday, New York, NY, USA (1989)Google Scholar
  33. 33.
  34. 34.
    Weaver, N., Sommer, R., Paxson, V.: Detecting forged tcp reset packets. In: Proceedings of the 16th Network and Distributed System Security Symposium, NDSS (2009)Google Scholar
  35. 35.
    Wright, M.K., Adler, M., Levine, B.N., Shields, C.: An analysis of the degradation of anonymous protocols. In: Proceedings of the Network and Distributed Security Symposium, NDSS (2002)Google Scholar
  36. 36.
    Yuill, J., Zappe, M., Denning, D., Feer, F.: Honeyfiles: Deceptive Files for Intrusion Detection. In: Proceedings of the 2nd IEEE Workshop on Information Assurance (WIA), pp. 116–122 (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Sambuddho Chakravarty
    • 1
  • Georgios Portokalidis
    • 1
  • Michalis Polychronakis
    • 1
  • Angelos D. Keromytis
    • 1
  1. 1.Columbia UniversityNYUSA

Personalised recommendations