Abstract
We analyze information leaks in the lookup mechanisms of structured peer-to-peer (P2P) anonymous communication systems and how these leaks can be used to compromise anonymity. We show that the techniques used to combat active attacks on the lookup mechanism dramatically increase information leaks and the efficacy of passive attacks, resulting in a tradeoff between robustness to active and passive attacks.
We study this tradeoff in two P2P anonymous systems: Salsa and AP3. In both cases, we find that, by combining both passive and active attacks, anonymity can be compromised much more effectively than previously thought, rendering these systems insecure for most proposed uses. Our results hold even if security parameters are changed or other improvements to the systems are considered. Our study, therefore, shows the importance of considering these attacks in P2P anonymous communication.
- Back, A., Möller, U., and Stiglic, A. 2001. Traffic analysis attacks and trade-offs in anonymity providing systems. In Proceedings of the Information Hiding Workshop. I. S. Moskowitz Ed., Lecture Notes in Computer Science, vol. 2137. Springer, 245--247. Google Scholar
Digital Library
- Bauer, K., McCoy, D., Grunwald, D., Kohno, T., and Sicker, D. 2007. Low-resource routing attacks against Tor. In Proceedings of the ACM Workshop on Privacy in the Electronic Society. T. Yu Ed., ACM, New York, NY, 11--20. Google Scholar
Digital Library
- Bellovin, S. M. and Wagner, D. A., Eds. 2003. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society Press, Los Alamitos, CA.Google Scholar
- Berthold, O., Federrath, H., and Köhntopp, M. 2000. Project “anonymity and unobservability in the Internet”. In Proceedings of the 10th Conference on Computers, Freedom and Privacy. L. Cranor Ed., ACM, New York, NY, 57--65. Google Scholar
Digital Library
- Borisov, N. 2005. Anonymous routing in structured peer-to-peer overlays. Ph.D. thesis, UC Berkeley. Google Scholar
Digital Library
- Borisov, N., Danezis, G., Mittal, P., and Tabriz, P. 2007. Denial of service or denial of security? How attacks on reliability can compromise anonymity. In Proceedings of the 14th ACM Conference on Computer and Communications Security. 92--102. Google Scholar
Digital Library
- Boucher, P., Shostack, A., and Goldberg, I. 2000. Freedom systems 2.0 architecture. White paper, Zero Knowledge Systems, Inc.Google Scholar
- Castro, M., Druschel, P., Ganesh, A., Rowstron, A., and Wallach, D. S. 2002. Secure routing for structured peer-to-peer overlay networks. In Proceedings of the USENIX Symposium on Operating Systems Design and Implementation. D. Culler and P. Druschel Eds., USENIX, Berkeley, CA, 299--314. Google Scholar
Digital Library
- Ciaccio, G. 2006. Improving sender anonymity in a structured overlay with imprecise routing. In Proceedings of the 6th Workshop on Privacy Enhancing Technologies. 190--207. Google Scholar
Digital Library
- Clarke, I., Sandberg, O., Wiley, B., and Hong, T. W. 2001. Freenet: A distributed anonymous information storage and retrieval system. In Proceedings of the International Workshop on Designing Privacy Enhancing Technologies: Design Issues in Anonymity and Unobservability. Springer Verlag, Berlin, 46--66. Google Scholar
Digital Library
- Cooke, E., Jahanian, F., and McPherson, D. 2005. The zombie roundup: Understanding, detecting, and disrupting botnets. In Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop. USENIX Association, Berkeley, CA, 6--6. Google Scholar
Digital Library
- Daly, D., Deavours, D. D., Doyle, J. M., Webster, P. G., and Sanders, W. H. 2000. Möbius: An extensible tool for performance and dependability modeling. In Computer Performance Evaluation. Modelling Techniques and Tools. B. R. Haverkort, H. C. Bohnenkamp, and C. U. Smith Eds., Lecture Notes in Computer Science, vol. 1786. Springer, 332--336. Google Scholar
Digital Library
- Danezis, G. 2003. Statistical disclosure attacks: Traffic confirmation in open environments. In Proceedings of the IFIP TC11 18th International Conference on Information Security (SEC). D. Gritzalis, S. di Vimercati, P. Samarati, and S. Katsikas Eds., 421--426.Google Scholar
- Danezis, G. and Clayton, R. 2006. Route fingerprinting in anonymous communications. In Proceedings of the IEEE Conference on Peer-to-Peer Computing. IEEE Computer Society, Los Alamitos, CA, 69--72. Google Scholar
Digital Library
- Danezis, G. and Golle, P., Eds. 2006. In Proceedings of the Privacy Enhancing Technologies. Lecture Notes in Computer Science, vol. 4258. Springer, Berlin. Google Scholar
Digital Library
- Danezis, G. and Syverson, P. 2007. Bridging and fingerprinting: Epistemic attacks on route selection. In Proceedings of the Privacy Enhancing Technologies Symposium. N. Borisov and I. Goldberg Eds., Lecture Notes in Computer Science, vol. 5134. Springer, Berlin, 151--166. Google Scholar
Digital Library
- Danezis, G., Dingledine, R., and Mathewson, N. 2003. Mixminion: Design of a Type III anonymous remailer protocol. In Proceedings of the IEEE Symposium on Security and Privacy. 2--15. Google Scholar
Digital Library
- Diaz, C., Seys, S., Claessens, J., and Preneel, B. 2002. Towards measuring anonymity. In Proceedings of the Workshop on Privacy Enhancing Technologies. 184--188. Google Scholar
Digital Library
- Dingledine, R. and Syverson, P., Eds. 2002. In Proceedings of the Workshop on Privacy Enhancing Technologies. Lecture Notes in Computer Science, vol. 2482. Springer.Google Scholar
- Dingledine, R., Mathewson, N., and Syverson, P. 2004. Tor: The second-generation onion router. In Proceedings of the USENIX Security Symposium. M. Blaze Ed., USENIX Association, Berkeley, CA, 303--320. Google Scholar
Digital Library
- Douceur, J. 2002. The sybil attack. In Proceedings of the 1st Workshop on Peer-to-Peer Systems. 251--260. Google Scholar
Digital Library
- Druschel, P., Kaashoek, F., and Rowstron, A., Eds. 2002. In Proceedings of the 1st International Workshop on Peer-to-Peer Systems (IPTPS). Lecture Notes in Computer Science, vol. 2429. Springer, Berlin. Google Scholar
Digital Library
- Federrath, H., Ed. 2000. In Proceedings of the International Workshop on Design Issues in Anonymity and Unobservability. Lecture Notes in Computer Science, vol. 2009. Springer, Berlin.Google Scholar
- Freedman, M. J. and Morris, R. 2002. Tarzan: A peer-to-peer anonymizing network layer. In Proceedings of the ACM Conference on Computer and Communications Security. R. Sandhu Ed., ACM, New York, NY, 193--206. Google Scholar
Digital Library
- Goodin, D. 2007. Tor at heart of embassy passwords leak. The Register.Google Scholar
- Holz, T., Steiner, M., Dahl, F., Biersack, E., and Freiling, F. 2008. Measurements and mitigation of peer-to-peer-based botnets: A case study on storm worm. In Proceedings of the 1st USENIX Workshop on Large-scale Exploits and Emergent Threats. F. Monrose Ed., USENIX Association, Berkeley, CA. Google Scholar
Digital Library
- Hopper, N., Vasserman, E. Y., and Chan-Tin, E. 2007. How much anonymity does network latency leak? In Proceedings of the 14th ACM Conference on Computer and Communications Security. 82--91. Google Scholar
Digital Library
- I2P. 2003. I2P anonymous network. http://www.i2p2.de/index.html.Google Scholar
- Kaashoek, M. F. and Karger, D. R. 2003. Koorde: A simple degree-optimal distributed hash table. In Proceedings of the International Workshop on Peer-to-Peer Systems (IPTPS). F. Kaashoek and I. Stoica Eds., Lecture Notes in Computer Science, vol. 2735. Springer, Berlin, 98--107.Google Scholar
- Kapadia, A. and Triandopoulos, N. 2008. Halo: High-assurance locate for distributed hash tables. In Proceedings of the Network and Distributed System Security Symposium. C. Cowan and G. Vigna Eds., Internet Society, Reston, VA, 61--79.Google Scholar
- Kesdogan, D., Agrawal, D., and Penz, S. 2002. Limits of anonymity in open environments. In Proceedings of the Information Hiding Workshop. F. A. Petitcolas Ed., Lecture Notes in Computer Science, vol. 2578. Springer, Berlin, 53--69. Google Scholar
Digital Library
- Mathewson, N. and Dingledine, R. 2004. Practical traffic analysis: Extending and resisting statistical disclosure. In Proceedings of the Workshop on Privacy Enhancing Technologies. D. Martin and A. Serjantov Eds., Lecture Notes in Computer Science, vol. 3424. Springer, Berlin, 17--24. Google Scholar
Digital Library
- McLachlan, J., Tran, A., Hopper, N., and Kim, Y. 2009. Scalable onion routing with torsk. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS’09). ACM, New York, NY, 590--599. Google Scholar
Digital Library
- Mislove, A., Oberoi, G., Post, A., Reis, C., Druschel, P., and Wallach, D. S. 2004. AP3: Cooperative, decentralized anonymous communication. In Proceedings of the ACM SIGOPS European Workshop. M. Castro Ed., ACM, New York, NY, 30. Google Scholar
Digital Library
- Mittal, P. and Borisov, N. 2009. Shadowwalker: Peer-to-peer anonymous communication using redundant structured topologies. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS’09). ACM, New York, NY, 161--172. Google Scholar
Digital Library
- Möller, U., Cottrell, L., Palfrader, P., and Sassaman, L. 2003. Mixmaster Protocol---version 2. IETF Internet Draft.Google Scholar
- Murdoch, S. J. 2006. Hot or not: Revealing hidden services by their clock skew. In Proceedings of the 13th ACM Conference on Computer and Communications Security. 27--36. Google Scholar
Digital Library
- Murdoch, S. J. and Danezis, G. 2005. Low-cost traffic analysis of Tor. In Proceedings of the IEEE Symposium on Security and Privacy. V. Paxson and M. Waidner Eds., IEEE Computer Society Press, Los Alamitos, CA, 183--195. Google Scholar
Digital Library
- Murdoch, S. J. and Zieliński, P. 2007. Sampled traffic analysis by Internet-exchange-level adversaries. In Proceedings of the Privacy Enhancing Technologies Symposium. N. Borisov and P. Golle Eds., Lecture Notes in Computer Science, vol. 4776. Springer, 167--183. Google Scholar
Digital Library
- Nambiar, A. and Wright, M. 2006. Salsa: A structured approach to large-scale anonymity. In Proceedings of the 13th ACM Conference on Computer and Communications Secuity. 17--26. Google Scholar
Digital Library
- Nambiar, A. and Wright, M. 2007. The Salsa simulator. http://ranger.uta.edu/~mwright/code/salsa-sims.zip.Google Scholar
- Panchenko, A., Richter, S., and Rache, A. 2009. Nisan: Network information service for anonymization networks. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS’09). ACM, New York, NY, 141--150. Google Scholar
Digital Library
- Rajab, M., Zarfoss, J., Monrose, F., and Terzis, A. 2006. A multifaceted approach to understanding the botnet phenomenon. In Proceedings of the Internet Measurement Conference. P. Barford Ed., ACM, New York, NY, 41--52. Google Scholar
Digital Library
- Raymond, J.-F. 2000. Traffic analysis: Protocols, attacks, design issues, and open problems. In Proceedings of the International Workshop on Design Issues in Anonymity and Unobservability. 10--29. Google Scholar
Digital Library
- Reiter, M. and Rubin, A. 1998. Crowds: Anonymity for Web transactions. ACM Trans. Inf. Syst. Sec. 1, 1, 66--92. Google Scholar
Digital Library
- Rennhard, M. and Plattner, B. 2002. Introducing MorphMix: Peer-to-peer based anonymous Internet usage with collusion detection. In Proceedings of the Workshop on Privacy in Electronic Society. ACM, New York, NY, 91--102. Google Scholar
Digital Library
- Rowstron, A. and Druschel, P. 2001. Pastry: Scalable, distributed object location and routing for large-scale peer-to-peer systems. In Proceedings of the IFIP/ACM International Conference on Distributed Systems Platforms (Middleware). G. Goos, J. Hartmanis, and J. van Leeuwen Eds., Lecture Notes in Computer Science, vol. 2218. Springer, Berlin, 329--350. Google Scholar
Digital Library
- Serjantov, A. and Danezis, G. 2002. Towards an information theoretic metric for anonymity. In Proceedings of the Workshop on Privacy Enhancing Techonologies. 259--263. Google Scholar
Digital Library
- Sherr, M., Loo, B. T., and Blaze, M. 2007. Towards application-aware anonymous routing. In Proceedings of the 2nd USENIX Workshop on Hot Topics in Security. USENIX Association, Berkeley, CA, 4:1--4:5. Google Scholar
Digital Library
- Sit, E. and Morris, R. 2002. Security considerations for peer-to-peer distributed hash tables. In Proceedings of the 1st International Workshop on Peer-to-Peer System. 261--269. Google Scholar
Digital Library
- Stoica, I., Morris, R., Liben-Nowell, D., Karger, D. R., Kaashoek, M. F., Dabek, F., and Balakrishnan, H. 2003. Chord: A scalable peer-to-peer lookup protocol for Internet applications. IEEE/ACM Trans. Netw. 11, 1, 17--32. Google Scholar
Digital Library
- Syverson, P., Tsudik, G., Reed, M., and Landwehr, C. 2000. Towards an analysis of onion routing security. In Proceedings of the International Workshop on Design Issues in Anonymity and Unobservability. 96--114. Google Scholar
Digital Library
- Tabriz, P. and Borisov, N. 2006. Breaking the collusion detection mechanism of MorphMix. In Proceedings of the 6th Workshop on Privacy Enhancing Techonologies. 368--383. Google Scholar
Digital Library
- The Tor Project. Tor metrics portal, http://metrics.torproject.org/ (last accessed 2/11).Google Scholar
- Wallach, D. 2002. A survey of peer-to-peer security issues. In Proceedings of the International Symposium on Software Security. M. Okada, B. Pierce, A. Scedrov, H. Tokuda, and A. Yonezawa Eds., Lecture Notes in Computer Science, vol. 2609. Springer, Berlin, 253--258. Google Scholar
Digital Library
- Wang, Q., Mittal, P., and Borisov, N. 2010. In search of an anonymous and secure lookup: Attacks on structured peer-to-peer anonymous communication systems. In Proceedings of the ACM Conference on Computer and Communications Security (CCS’10). A. D. Keromytis and V. Shmatikov Eds., ACM. Google Scholar
Digital Library
- Wright, M., Adler, M., Levine, B. N., and Shields, C. 2002. An analysis of the degradation of anonymous protocols. In Proceedings of the Network and Distributed System Security Symposium. P. van Oorschot and V. Gligor Eds., The Internet Society, Reston, VA, 39--50.Google Scholar
- Wright, M., Adler, M., Levine, B. N., and Shields, C. 2003. Defending anonymous communication against passive logging attacks. In Proceedings of the IEEE Symposium on Security and Privacy. 28--41. Google Scholar
Digital Library
- Wright, M., Adler, M., Levine, B. N., and Shields, C. 2004. The predecessor attack: An analysis of a threat to anonymous communications systems. ACM Trans. Inf. Syst. Secur. 4, 7, 489--522. Google Scholar
Digital Library
- Wright, R. and di Vimercati, S. D. C., Eds. 2006. In Proceedings of the The 13th ACM Conference on Computer and Communications Security. ACM, New York, NY.Google Scholar
- Wright, R. and Syverson, P., Eds. 2007. In Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM, New York, NY.Google Scholar
- Zetter, K. 2010. Wikileaks and Tor. http://www.wired.com/threatlevel/2010/06/wikileaks-documents/.Google Scholar
Index Terms
Information Leaks in Structured Peer-to-Peer Anonymous Communication Systems
Recommendations
In search of an anonymous and secure lookup: attacks on structured peer-to-peer anonymous communication systems
CCS '10: Proceedings of the 17th ACM conference on Computer and communications securityThe ability to locate random relays is a key challenge for peer-to-peer (P2P) anonymous communication systems. Earlier attempts like Salsa and AP3 used distributes hash table lookups to locate relays, but the lack of anonymity in their lookup mechanisms ...
Information leaks in structured peer-to-peer anonymous communication systems
CCS '08: Proceedings of the 15th ACM conference on Computer and communications securityWe analyze information leaks in the lookup mechanisms of structured peer-to-peer anonymous communication systems and how these leaks can be used to compromise anonymity. We show that the techniques that are used to combat active attacks on the lookup ...
An anonymity mechanism with reduced server-side cost in peer-to-peer networks
In peer-to-peer (P2P) networks, each peer's trustworthiness is evaluated according to its pseudonym's rating values given by other peers. One of the fundamental challenges in peer-to-peer networks is to protect peers' identity privacy on the communication ...






Comments