Abstract
Low-latency anonymity systems such as Tor, AN.ON, Crowds, and Anonymizer.com aim to provide anonymous connections that are both untraceable by “local” adversaries who control only a few machines and have low enough delay to support anonymous use of network services like Web browsing and remote login. One consequence of these goals is that these services leak some information about the network latency between the sender and one or more nodes in the system. We present two attacks on low-latency anonymity schemes using this information. The first attack allows a pair of colluding Web sites to predict with high confidence, based on local timing information and with no additional resources, whether two connections from the same Tor exit node are using the same circuit. The second attack requires more resources but allows a malicious Web site to gain several bits of information about a client each time he visits the site. We evaluate both attacks against two low-latency anonymity protocols—the Tor network and the MultiProxy proxy aggregator service—and conclude that both are highly vulnerable to these attacks.