identifying and characterizing sybils in the tor network
play

Identifying and characterizing Sybils in the Tor network August 12, - PowerPoint PPT Presentation

Jul 27, 2023 •33 likes •313 views

Identifying and characterizing Sybils in the Tor network August 12, 2016 USENIX Security Symposium Philipp Winter Princeton University and Karlstad University Roya Ensafi Princeton University Karsten Loesing The Tor Project Nick Feamster

  1. Identifying and characterizing Sybils in the Tor network August 12, 2016 USENIX Security Symposium Philipp Winter Princeton University and Karlstad University Roya Ensafi Princeton University Karsten Loesing The Tor Project Nick Feamster Princeton University

  2. 2

  3. The double-edged sword of volunteer-run networks ● The Tor code is developed by The Tor Project ● The Tor network is run by volunteers ● Currently ~7,000 relays Tor relays as of Aug 2016 ● Low barrier of entry 3

  4. The double-edged sword of volunteer-run networks Single attacker ● The Tor code is developed by The Tor Project controls many “Sybil” relays ● The Tor network is run by volunteers ● Currently ~7,000 relays ● Low barrier of entry 4

  5. 5

  6. Existing Sybil defenses don’t help ● Social network-based defenses don’t apply ● Proof-of-work-based defenses inherent to running a relay ● Instead, we leverage two observations to detect Sybils Sybils often controlled similarly ○ ○ Sybils often configured similarly Nickname IP address ORPort DirPort Flags Version OS Bandwidth Unnamed 204.45.15.234 9001 9030 Fast|Guard|HSDir|Stable|Running|Valid|V2Dir 0.2.4.18-rc FreeBSD 26214400 Unnamed 204.45.15.235 9001 9030 Fast|Guard|HSDir|Stable|Running|Valid|V2Dir 0.2.4.18-rc FreeBSD 26214400 Unnamed 204.45.15.236 9001 9030 Fast|Guard|HSDir|Stable|Running|Valid|V2Dir 0.2.4.18-rc FreeBSD 26214400 Unnamed 204.45.15.237 9001 9030 Fast|Guard|HSDir|Stable|Running|Valid|V2Dir 0.2.4.18-rc FreeBSD 26214400 Unnamed 204.45.250.10 9001 9030 Fast|Guard|HSDir|Stable|Running|Valid|V2Dir 0.2.4.18-rc FreeBSD 26214400 Unnamed 204.45.250.11 9001 9030 Fast|Guard|HSDir|Stable|Running|Valid|V2Dir 0.2.4.18-rc FreeBSD 26214400 Unnamed 204.45.250.12 9001 9030 Fast|Guard|HSDir|Stable|Running|Valid|V2Dir 0.2.4.18-rc FreeBSD 26214400 Unnamed 204.45.250.13 9001 9030 Fast|Guard|HSDir|Stable|Running|Valid|V2Dir 0.2.4.18-rc FreeBSD 26214400 Unnamed 204.45.250.14 9001 9030 Fast|Guard|HSDir|Stable|Running|Valid|V2Dir 0.2.4.18-rc FreeBSD 26214400 6

  7. Passive dataset ● The Tor Project archives lots of data ○ Available at collector.torproject.org ● Network consensus hourly published ○ List of currently-running relays ● We use ~100 GiB of archived data Tells us network state on any given date since 2005 ○ 7

  8. Active dataset ● Used exit relay scanner exitmap Runs arbitrary network task over all ~1,000 exit relays ○ ○ Sends decoy traffic over exit relays ● Wrote exitmap modules to detect HTML and HTTP tampering ○ Checks if decoy traffic is modified by exit relay Ran modules for 18 months ○ ● Found 251 malicious relays that serve as ground truth Most of them were Sybils ○ ○ Many attempted to steal Bitcoins Some injected JavaScript ○ 8

  9. Introducing sybilhunter ● New tool we developed and maintain ○ Freely available at nymity.ch/sybilhunting/ ~5,000 lines of code in golang ○ ● Implements four analysis methods ○ Network churn ○ Relay uptime visualisation ○ Nearest-neighbour ranking ○ Fingerprint frequency 9

  10. Visualizing uptimes (method #1) ● Each hour , Tor publishes new consensus ● Allows us to create binary uptime sequences for Tor relays Date State 2016-07-25 10:00 Online 2016-07-25 11:00 2016-07-25 12:00 Offline 2016-07-25 13:00 Online 2016-07-25 14:00 2016-07-25 15:00 10

  11. Visualizing uptimes (method #1) ● Each hour , Tor publishes new consensus ● Allows us to create binary uptime sequences for Tor relays Date R 1 R 2 R 3 R 4 2016-07-25 10:00 2016-07-25 11:00 2016-07-25 12:00 2016-07-25 13:00 2016-07-25 14:00 2016-07-25 15:00 11

  12. Visualizing uptimes (method #1) ● Each hour , Tor publishes new consensus ● Allows us to create binary uptime sequences for Tor relays Date R 1 R 2 R 3 R 4 Critical part is sorting 2016-07-25 10:00 columns. We use single-linkage clustering. 2016-07-25 11:00 2016-07-25 12:00 2016-07-25 13:00 2016-07-25 14:00 2016-07-25 15:00 12

  13. Visualizing uptimes (method #1) ● Each hour , Tor publishes new consensus ● Allows us to create binary uptime sequences for Tor relays Date R 1 R 2 R 3 R 4 Sorted columns make it 2016-07-25 10:00 easier to spot Sybils. 2016-07-25 11:00 2016-07-25 12:00 2016-07-25 13:00 2016-07-25 14:00 2016-07-25 15:00 13

  14. Visualizing uptimes (method #1) ● Each hour , Tor publishes new consensus ● Allows us to create binary uptime sequences for Tor relays Date R 1 R 2 R 3 R 4 2016-07-25 10:00 2016-07-25 11:00 2016-07-25 12:00 Highlight identical uptime 2016-07-25 13:00 sequences to facilitate 2016-07-25 14:00 visual inspection 2016-07-25 15:00 14

  15. 2,034 relays in July 2014 Time Also run by The Tor Project CMU/SEI blocked CMU/SEI’s relays Relay index 15

  16. 1,629 relays in June 2010 ~500 relays on PlanetLab relays “for research” Time Relay index 16

  17. 1,920 relays in July 2012 ~100 relays from Russia and Germany Time Relay index 17

  18. 1,920 relays in July 2015 Probably Sybils, but not recognized as such Time Relay index 18

  19. Network churn (method #2) ● Uptime images provide very fine-grained view ● Churn between two subsequent consensuses ○ Each hour, we calculate new churn values ○ ○ ● Tor network grew more stable ○ Median decreased from 0.04 (2008) to 0.02 (2015) 19

  20. Changing fingerprints (method #3) ● Generally, Tor relays don’t change their fingerprints Fingerprint is 40-digit, relay-specific hash over public key ○ ● Systematic changes can be sign of DHT manipulation ● Excerpt from March 2013: ○ 54.242.125.205 (24 unique fingerprints) 54.242.232.162 (24 unique fingerprints) 54.242.42.137 (24 unique fingerprints) 54.242.79.68 (24 unique fingerprints) 54.242.248.129 (24 unique fingerprints) 54.242.151.229 (24 unique fingerprints) 54.242.198.54 (24 unique fingerprints) See S&P’13 paper “Trawling for Tor Hidden Services” ○ 20

  21. Nearest neighbour ranking (method #4) ● Exitmap occasionally discovered malicious relays Were there more , but we failed to find them? ○ ○ Given relay R 1 , what are its most similar “neighbours”? ● Rank relay’s nearest neighbour by configuration similarity ○ First, turn relay configurations into string ○ Then, calculate Levenshtein distance to “reference” relay ● Example of Levenshtein distance being six ○ Four modifications Two deletions ○ 21

  22. Nearest neighbour search in action ● Tool available at nymity.ch/sybilhunting/ 22

  23. Our results in a nutshell ● Studied twenty Sybil groups → lower bound Purpose # of Sybil groups Description MitM 7 Attempted to steal Bitcoins by manipulating Tor exit traffic Botnet 2 Relays seemed part of botnet DoS 1 Attempted to (unsuccessfully) disable Tor network Research 4 Various live experiments, mostly on hidden services Unknown 6 Purpose unclear, perhaps benign 23

  24. Discussion of “Bitcoin Sybils” ● Attempted to steal Bitcoins from Tor users ○ All Sybils were exit relays Original: 1 4R wtr11Mkc6wix9isJ7SPFZMY4Rq7st7a ○ Transparent rewriting of Bitcoin addresses Resurfaced after The Tor Project blocked relays ● ○ Game of whack-a-mole ○ Went on for many months Fake: 1 4R W9mkoDosyCxzupWTVuLVqs5T4FSeBx7 24

  25. Limitations ● Determining intent is hard ● Our results are a lower bound ● Sybilhunter works best against ignorant attacker ○ Open analysis framework, secret parameters ● Hard to exposure future attacks 25

  26. Discussion ● Our adversaries are often lazy and we can exploit that ● Different types of Sybils call for different methods ● Academic research not harmless by definition ○ research.torproject.org/safetyboard.html ● Methods are general and apply to other networks as well ● Crowdsourcing successful 26

  27. Acknowledgements ● Thanks to ○ Georg Koppen Prateek Mittal ○ ○ Stefan Lindskog Tor developers and community ○ Roya Ensafi Karsten Loesing Nick Feamster ○ Tudor Dumitraş (our shepherd) ● Open code, data, visualisations: nymity.ch/sybilhunting/ ○ ● Contact phw@nymity.ch ○ ○ @__phw 27

  28. Acknowledgements ● Thanks to Roya is looking for a ○ Georg Koppen faculty position! Prateek Mittal ○ ○ Stefan Lindskog Tor developers and community ○ Roya Ensafi Karsten Loesing Nick Feamster ○ Tudor Dumitraş (our shepherd) ● Open code, data, visualisations: nymity.ch/sybilhunting/ ○ ● Contact phw@nymity.ch ○ ○ @__phw 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Identifying and Characterizing Nodes Important to Community Using the Spectrum of the graph

Identifying and Characterizing Nodes Important to Community Using the Spectrum of the graph

Identifying and Characterizing Nodes Important to Community Using the Spectrum of the graph Citation => Published in volume 6 of the journal PLoS ONEs November 2011 edition => Authors: Yang Wang, Zengru Di, Ying Fan all from the

286 views • 25 slides
Proteomics The process of identifying, characterizing, and quantifying all expressed proteins in

Proteomics The process of identifying, characterizing, and quantifying all expressed proteins in

11/29/2012 Proteomics The process of identifying, characterizing, and quantifying all expressed proteins in an organism under one or several conditions. Electrophoresis Sodium dodecyl sulfate polyacrylamide gel electrophoresis (SDS-PAGE)

244 views • 12 slides
CS 525M Mobile and Ubiquitous Computing Seminar Characterizing User Behavior and Network

CS 525M Mobile and Ubiquitous Computing Seminar Characterizing User Behavior and Network

CS 525M Mobile and Ubiquitous Computing Seminar Characterizing User Behavior and Network Performance in a Public Wireless LAN Balachandran, Voelker, Bahl, Rangan Presented by Mike Scaviola ! Lamp Time Expired Outline Introduction

350 views • 19 slides
Characterizing naval team readiness through social network analysis Jan Maarten Schraagen &

Characterizing naval team readiness through social network analysis Jan Maarten Schraagen &

Characterizing naval team readiness through social network analysis Jan Maarten Schraagen & Wilfried Post Overview Team performance measurement Social network analysis Case study in naval teamwork Conclusions, lessons learned and

302 views • 16 slides
Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying

Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying

Identifying Network Traffic Activity Via Flow Sizes Overview Motivation identifying activity via payload Theory behind the idea Measuring NetFlow Measuring DNS traffic captures Implications and future work Motivation

580 views • 17 slides
EWB Network 4 22/01/2020 Identifying need and monitoring impact Welcome and cake Introductions

EWB Network 4 22/01/2020 Identifying need and monitoring impact Welcome and cake Introductions

EWB Network 4 22/01/2020 Identifying need and monitoring impact Welcome and cake Introductions Agenda 1. Feedback regarding action point 3 2. Few updates 3. Re-introduce the 8 Model Whole School Approach 4. Public Health BREAK AND NETWORK

324 views • 17 slides
Characterizing Network Cohesion Gonzalo Mateos Dept. of ECE and Goergen Institute for Data

Characterizing Network Cohesion Gonzalo Mateos Dept. of ECE and Goergen Institute for Data

Characterizing Network Cohesion Gonzalo Mateos Dept. of ECE and Goergen Institute for Data Science University of Rochester gmateosb@ece.rochester.edu http://www.ece.rochester.edu/~gmateosb/ February 25, 2020 Network Science Analytics

438 views • 32 slides
Characterizing spatio-temporal climate variability with complex network methods Reik V. Donner

Characterizing spatio-temporal climate variability with complex network methods Reik V. Donner

Characterizing spatio-temporal climate variability with complex network methods Reik V. Donner with Marc Wiedermann, Jonathan Donges, Alexander Radebach & others CITES 2017, Zvenigorod, 6 September 2017 How to infer information from climate

655 views • 33 slides
On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies

On Inferring and Characterizing On Inferring and Characterizing Internet Routing Policies Internet Routing Policies Feng Wang Lixin Gao Department of Electrical and Computer Engineering University of Massachusetts, Amherst MA 01002, USA 1

450 views • 18 slides
Identifying Impacts of Protocol and Internet Development on the Bitcoin Network Ryunosuke

Identifying Impacts of Protocol and Internet Development on the Bitcoin Network Ryunosuke

Tokyo Institute of Technology Identifying Impacts of Protocol and Internet Development on the Bitcoin Network Ryunosuke Nagayama, Ryohei Banno, Kazuyuki Shudo Tokyo Tech Blockchain A distributed ledger on P2P network A node generates a

439 views • 19 slides
Detecting and Detecting and Characterizing Heterogeneity Characterizing Heterogeneity

Detecting and Detecting and Characterizing Heterogeneity Characterizing Heterogeneity

Detecting and Detecting and Characterizing Heterogeneity Characterizing Heterogeneity (Biochemical or Conformational) (Biochemical or Conformational) by Cryo-EM by Cryo-EM Eva Nogales HHMI / UC Berkeley LBNL Seth Kostek Transcription

492 views • 34 slides
Identifying Suspicious Activities in Grid Network Traffic Fyodor Yarochkin, Vladimir Kropotov

Identifying Suspicious Activities in Grid Network Traffic Fyodor Yarochkin, Vladimir Kropotov

Identifying Suspicious Activities in Grid Network Traffic Fyodor Yarochkin, Vladimir Kropotov TWGRID/EGI What can be wrong in a cloud?! Agenda Methods Case Studies Lessons Learnt The DATA Raw Data (network packet captures)

408 views • 30 slides
Identifying Infections with Spamming Malware in a Network, based on Analysis of DNS MX Requests

Identifying Infections with Spamming Malware in a Network, based on Analysis of DNS MX Requests

Introduction Research Question Background Dataset Approach Results Conclusion Identifying Infections with Spamming Malware in a Network, based on Analysis of DNS MX Requests Bas Vlaszaty Bas.Vlaszaty@os3.nl Universiteit van Amsterdam

899 views • 89 slides
Supply Chain Network Models for Humanitarian Logistics: Identifying Synergies and Vulnerabilities

Supply Chain Network Models for Humanitarian Logistics: Identifying Synergies and Vulnerabilities

Motivation Literature Models Synergy Measure Vulnerability Analysis Numerical Examples Conclusions Supply Chain Network Models for Humanitarian Logistics: Identifying Synergies and Vulnerabilities Anna Nagurney John F. Smith Memorial

704 views • 59 slides
Detecting a Machine Failure in a Network, a.k.a. Vertex Identifying Codes Daniel W. Cranston

Detecting a Machine Failure in a Network, a.k.a. Vertex Identifying Codes Daniel W. Cranston

Detecting a Machine Failure in a Network, a.k.a. Vertex Identifying Codes Daniel W. Cranston Virginia Commonwealth University dcranston@vcu.edu Joint with Gexin Yu Applications of Graph Theory Joint Math Meetings, San Francisco 13 January

1.35k views • 90 slides
GradientGraph Analytics: Identifying Small Yet High Impact Flows Using Zeek to Optimize Network

GradientGraph Analytics: Identifying Small Yet High Impact Flows Using Zeek to Optimize Network

GradientGraph Analytics: Identifying Small Yet High Impact Flows Using Zeek to Optimize Network Performance ZeekWeek 2019 Reservoir Labs Jordi Ros-Giralt, Sruthi Yellamraju, Peter Cullen, Troy Hanson, James Ezick, Alison Ryan, Erik Mogus,

424 views • 29 slides
Distributed Systems Peer-to-Peer Rik Sarkar James

Distributed Systems Peer-to-Peer Rik Sarkar James

Distributed Systems Peer-to-Peer Rik Sarkar James Cheney University of Edinburgh Spring 2014 Recap: p2p We studied properEes of p2p

340 views • 33 slides
NoSQL like There is No Tomorrow Khawaja Head of Engineering, NoSQL Swaminathan Sivasubramanian

NoSQL like There is No Tomorrow Khawaja Head of Engineering, NoSQL Swaminathan Sivasubramanian

NoSQL like There is No Tomorrow Khawaja Head of Engineering, NoSQL Swaminathan Sivasubramanian Swami GM, NoSQL @swami_79 @ksshams how can you build your own DynamoDB Scale service? @swami_79 @ksshams lets start with a story about a

1.27k views • 77 slides
Interpreting MRDS output: making sense of all the numbers ML Burt, CREEM, University of St Andrews

Interpreting MRDS output: making sense of all the numbers ML Burt, CREEM, University of St Andrews

Last updated 02/08/2019 Interpreting MRDS output: making sense of all the numbers ML Burt, CREEM, University of St Andrews (lb9@st-andrews.ac.uk) INTRODUCTION The mrds package (Laake et al . 2019) was written to allow the user to estimate

253 views • 10 slides
Botnets Some slides taken from David Choffnes, Northeastern

Botnets Some slides taken from David Choffnes, Northeastern

Botnets Some slides taken from David Choffnes, Northeastern https://www.justice.gov/usao-cdca/pr/justice-department- announces-court-authorized-efforts-map-and-disrupt-botnet- used-north

707 views • 32 slides
GNU Name System: 2019 Edition Christian Grothoff IETF 104 Developers of new name resolution

GNU Name System: 2019 Edition Christian Grothoff IETF 104 Developers of new name resolution

GNU Name System: 2019 Edition Christian Grothoff IETF 104 Developers of new name resolution systems that must work in existing contexts actually have no choice: they must use a Special-Use Domain Name to segregate a portion of the namespace

757 views • 41 slides
t = X t h t n d { ( ) } ( ) ( ) = = 0 R 2 S

t = X t h t n d { ( ) } ( ) ( ) = = 0 R 2 S

Outline Outline Single Degree of Freedom System Single Degree of Freedom System Nonstationary Nonstationary & Transient Responses & Transient Responses Examples Examples Double Fourier Transforms

351 views • 3 slides
Distributed Storage Systems part 1 Marko Vukoli Distributed Systems and Cloud Computing This

Distributed Storage Systems part 1 Marko Vukoli Distributed Systems and Cloud Computing This

Distributed Storage Systems part 1 Marko Vukoli Distributed Systems and Cloud Computing This part of the course (5 slots) Distributed Storage Systems CAP theorem and Amazon Dynamo Apache Cassandra Distributed Systems

767 views • 52 slides
Querying Big, Dynamic, Distributed Data Minos Garofalakis Technical University of Crete

Querying Big, Dynamic, Distributed Data Minos Garofalakis Technical University of Crete

Querying Big, Dynamic, Distributed Data Minos Garofalakis Technical University of Crete Software Technology and Network Applications Lab LIFT Cast: Antonios Deligiannakis, Vasilis Samoladas, Odysseas Papapetrou, Nikos Giatrakos (TUC); Daniel

491 views • 32 slides

More recommend