spoiled onions exposing malicious tor exit relays
play

Spoiled Onions: Exposing Malicious Tor Exit Relays Philipp Winter, - PowerPoint PPT Presentation

Dec 03, 2022 •204 likes •521 views

Spoiled Onions: Exposing Malicious Tor Exit Relays Philipp Winter, Richard K ower, Martin Mulazzani , Markus Huber, Sebastian Schrittwieser, Stefan Lindskog, Edgar Weippl Outline This talk is about: Detecting malicious Tor exit relays

  1. Spoiled Onions: Exposing Malicious Tor Exit Relays Philipp Winter, Richard K¨ ower, Martin Mulazzani , Markus Huber, Sebastian Schrittwieser, Stefan Lindskog, Edgar Weippl

  2. Outline This talk is about: ◮ Detecting malicious Tor exit relays ◮ Two new exit relay scanners: exitmap and HoneyConnector ◮ Several months runtime on the Tor network ◮ Identified 65 spoiled onions

  3. Problem Description We define a malicious relay to: ◮ injects or modifys HTML ◮ conducts MitM (TLS & SSH, ...) ◮ modifies DNS responses ◮ credentials reusage (FTP, IMAP, SMTP) Our solution: ◮ lightweight and modular exit scanners ◮ focus: opportunity, impact and history ◮ open source

  4. Problem Description We define a malicious relay to: ◮ injects or modifys HTML ◮ conducts MitM (TLS & SSH, ...) ◮ modifies DNS responses ◮ credentials reusage (FTP, IMAP, SMTP) Our solution: ◮ lightweight and modular exit scanners ◮ focus: opportunity, impact and history ◮ open source

  5. Related Work Previous work: ◮ PETS 2008, ”Shining light into dark places“: 1 relay ◮ RAID 2011, ”Detecting Traffic Snooping in Tor Using Decoys“: 10 relays ◮ “Snakes on a Tor” (Mike Perry), “tortunnel” (Moxie Marlinspike), numerous others However, so far: ◮ Tor network (and the world) has changed since 2011 ◮ no systematic framework to detect active attacks

  6. Related Work Previous work: ◮ PETS 2008, ”Shining light into dark places“: 1 relay ◮ RAID 2011, ”Detecting Traffic Snooping in Tor Using Decoys“: 10 relays ◮ “Snakes on a Tor” (Mike Perry), “tortunnel” (Moxie Marlinspike), numerous others However, so far: ◮ Tor network (and the world) has changed since 2011 ◮ no systematic framework to detect active attacks

  7. exitmap Design of exitmap : Implemented modules: ◮ detect MitM attacks ◮ HTTPS, SSH, XMPP, IMAPS, DNS, sslstrip ◮ two-hop Tor circuits ◮ Python & Stem library ◮ asynchronous & event-driven "Spoiled" exit doing MitM Tor network exitmap Destination Static relay Exit relays

  8. exitmap Design of exitmap : Implemented modules: ◮ detect MitM attacks ◮ HTTPS, SSH, XMPP, IMAPS, DNS, sslstrip ◮ two-hop Tor circuits ◮ Python & Stem library ◮ asynchronous & event-driven "Spoiled" exit doing MitM Tor network exitmap Destination Static relay Exit relays

  9. Performance exitmap Really fast! ◮ can be configured to spread over time ◮ on average: 84%-88% of circuits suceeded ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 0.8 ● ● Empirical CDF ● ● ● ● ● ● ● ● ● ● ● ● ● SSH ● 0.4 ● ● ● ● HTTPS ● ● ● ● ● ● sslstrip ● ● ● ● DNS ● ● 0.0 ● ● 0 10 30 50 Time (seconds)

  10. exitmap scans Evaluation: ◮ September 2013, running 7 months ◮ several scans per week Detected 40 malicious relays: ◮ mostly HTTPS MitM (18) ◮ some additionally SSH MitM (5) ◮ many sslstrip (9) ◮ some DNS modifications: ◮ DNS censorship (4) in Hong Kong, Malaysia and Turkey ◮ OpenDNS (4)

  11. HoneyConnector Design: ◮ unique credentials per relay and connection ◮ full connections ◮ dummy content ◮ log inspection for reconnections Implemented modules: ◮ FTP (pyFTPdlib) ◮ IMAP (Dovecot)

  12. HoneyConnector scans Evaluation: ◮ October 2013, running 4 months ◮ popular hosting providers ◮ one each for FTP and IMAP ◮ 54.000 bait connections Detected 27 malicious relays: ◮ 255 login attempts, with 128 sniffed credentials ◮ credentials reused: 97 (FTP), 31 (IMAP) ◮ many reconnection attempts in bulks

  13. HoneyConnector scans Evaluation: ◮ October 2013, running 4 months ◮ popular hosting providers ◮ one each for FTP and IMAP ◮ 54.000 bait connections Detected 27 malicious relays: ◮ 255 login attempts, with 128 sniffed credentials ◮ credentials reused: 97 (FTP), 31 (IMAP) ◮ many reconnection attempts in bulks

  14. Timely distribution Timely distribution of login attempts:

  15. Reconnection attempts Details of login attempts: ◮ majority (57%, or 145) used Tor ◮ 18% (45) came from the same IP as exit relay ◮ 16% (41) used Mail2Web ◮ 9% (22) used IP from consumer lines, UMTS or hosting providers Software used for some cases: ◮ Firefox and Internet Explorer for FTP (mozilla@example.com) ◮ Thunderbird for IMAP (autoconf XML file)

  16. Reconnection attempts Details of login attempts: ◮ majority (57%, or 145) used Tor ◮ 18% (45) came from the same IP as exit relay ◮ 16% (41) used Mail2Web ◮ 9% (22) used IP from consumer lines, UMTS or hosting providers Software used for some cases: ◮ Firefox and Internet Explorer for FTP (mozilla@example.com) ◮ Thunderbird for IMAP (autoconf XML file)

  17. Fun facts Using credentials is harder than it seems, for 12% (31): ◮ copy-paste errors ◮ manual typos (username, passwords) ◮ IMAP credentials for FTP, and vice-versa ◮ mixing passwords for usernames ◮ one completely unrelated password ◮ pasting connection URL in wrong browser (Chrome vs. TBB)

  18. Groups of relays Multiple relays worked in groups: ◮ relay operators can cooperate ◮ multiple relays per operator ◮ 3 different groups identified Russian nodes, HTTPS MitM: ◮ 20 relays ◮ same, self-signed certificate ◮ all but one relay located in Russia ◮ one VPS provider / netblock ◮ rather high bandwidth (up to 7 MB/s)

  19. Groups of relays Multiple relays worked in groups: ◮ relay operators can cooperate ◮ multiple relays per operator ◮ 3 different groups identified Russian nodes, HTTPS MitM: ◮ 20 relays ◮ same, self-signed certificate ◮ all but one relay located in Russia ◮ one VPS provider / netblock ◮ rather high bandwidth (up to 7 MB/s)

  20. Groups of relays Indian relays: ◮ 7 relays ◮ distinguishable reconnect patterns ◮ same ISP, new IP every 6 hours ◮ low bandwidth (50-80 KB/s) International group: ◮ 5 relays ◮ sniffed credentials tested in batches ◮ medium bandwidth (2-3 MB/s)

  21. Groups of relays Indian relays: ◮ 7 relays ◮ distinguishable reconnect patterns ◮ same ISP, new IP every 6 hours ◮ low bandwidth (50-80 KB/s) International group: ◮ 5 relays ◮ sniffed credentials tested in batches ◮ medium bandwidth (2-3 MB/s)

  22. Discussion Spoiled onions: ◮ two nodes were found using both scanners ◮ overall: diverse set of attacks ◮ protection: ◮ end-to-end encryption ◮ user education ◮ pinning, HSTS, DANE Effects on Tor users: ◮ propability to use malicious relay is tricky to calculate ◮ influenced by churn rate and bandwidth ◮ in total 6835 exit relays ◮ around 2700 < = 50 hours or less

  23. Discussion Spoiled onions: ◮ two nodes were found using both scanners ◮ overall: diverse set of attacks ◮ protection: ◮ end-to-end encryption ◮ user education ◮ pinning, HSTS, DANE Effects on Tor users: ◮ propability to use malicious relay is tricky to calculate ◮ influenced by churn rate and bandwidth ◮ in total 6835 exit relays ◮ around 2700 < = 50 hours or less

  24. Firefox Extension HTTPS MitM protection: ◮ self-signed certificates ◮ fetches certificate over second Tor circuit ◮ triggered on about:certerror Does not protect against: ◮ malicious (and trusted) CA ◮ large number of relays/bandwidth

  25. Limitations ◮ not all HTTPS connections targeted (sampling)! ◮ performance vs. detectability? ◮ attacker may be upstream? ◮ only snapshot in time

  26. Aftermath ◮ notified Tor ◮ (reproduction of attacks) ◮ BadExit flag assigned ◮ as of yesterday: ◮ one relay still in consensus, with BadExit

  27. Conclusions To conclude: ◮ get the source here: http://www.cs.kau.se/philwint/spoiled_onions ◮ run your own scans ◮ identified 65 spoiled onions , maybe more?

  28. Thank you for your time! Questions? mmulazzani@sba-research.org

  29. Full table exitmap

  30. Full table exitmap

  31. Full table HoneyConnector

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1. Using Onions 1.1. Peeling Onions 1.2. Cutting Onions 1.3. Frying Onions 2. Using

1. Using Onions 1.1. Peeling Onions 1.2. Cutting Onions 1.3. Frying Onions 2. Using

1. Using Onions 1.1. Peeling Onions 1.2. Cutting Onions 1.3. Frying Onions 2. Using Eggs 2.1. Breaking Eggs 2.2. Mixing Eggs with Milk 2.3. Frying Eggs 1. Using Onions 1. Making an Onion Omelette 1.1. Peeling Onions 1.1. Setting

750 views • 28 slides
Zelio Relay - plug-in relays RSB interface relays characteristics 5 Presentation of the range

Zelio Relay - plug-in relays RSB interface relays characteristics 5 Presentation of the range

Presentation, Zelio Relay - plug-in relays RSB interface relays characteristics 5 Presentation of the range 523139 The RSB interface relay range comprises: 2 1 1 12 A relays with 1 C/O contact , 16 A relays with 1 C/O contact and 8 A relays

597 views • 4 slides
Peeling Onions Understanding and using the network hiro@torproject.org Know your

Peeling Onions Understanding and using the network hiro@torproject.org Know your

Peeling Onions Understanding and using the network hiro@torproject.org Know your onions What is Tor and what it can do for you. How Tor provides privacy and anonymity Using Tor at the application layer: the Tor browser. Onion

666 views • 32 slides
EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE &amp; EXTENSIBLE A FLEXIBLE, COMPOSABLE &amp;

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE &amp; EXTENSIBLE A FLEXIBLE, COMPOSABLE &amp;

EXPOSING EXPOSING A FLEXIBLE, COMPOSABLE &amp; EXTENSIBLE A FLEXIBLE, COMPOSABLE &amp; EXTENSIBLE REST API REST API Thierry Delprat td@nuxeo.com https://github.com/tiry/ AGENDA AGENDA Quick introduction provide some context API design

1.37k views • 75 slides
1 Zelio Logic smart relays 1 Compact and modular smart relays Presentation 109446 109446 Zelio

1 Zelio Logic smart relays 1 Compact and modular smart relays Presentation 109446 109446 Zelio

Presentation 1 Zelio Logic smart relays 1 Compact and modular smart relays Presentation 109446 109446 Zelio Logic smart relays are designed for use in small automated systems. They are 1 used in both the industrial and commercial sectors. b

611 views • 26 slides
Timestamp /16 at LBL, sampled 1-in-1K 2nd /16, sampled 1-in-1K Number of relays 8000 6000

Timestamp /16 at LBL, sampled 1-in-1K 2nd /16, sampled 1-in-1K Number of relays 8000 6000

Timestamp /16 at LBL, sampled 1-in-1K 2nd /16, sampled 1-in-1K Number of relays 8000 6000 Relays 4000 Bridges 2000 0 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 The Tor Project https://metrics.torproject.org/ Directly

369 views • 24 slides
1 Product Range Products 2 summary summary summary summary Relays with 8 and 11-Pins

1 Product Range Products 2 summary summary summary summary Relays with 8 and 11-Pins

1 Product Range Products 2 summary summary summary summary Relays with 8 and 11-Pins Timers with 8 and 11-Pins Power relays with 3 pole, 16A Industrial relays with 4 pole, 10A Miniature relays with 2 and 4 pole

1.08k views • 25 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Solid-state and Mechanical Relays Jordan Blake Overview Basic Function Types of Relays

Solid-state and Mechanical Relays Jordan Blake Overview Basic Function Types of Relays

Solid-state and Mechanical Relays Jordan Blake Overview Basic Function Types of Relays Mechanical Solid state Design Considerations Reading the Datasheet Common Uses Basic Function Electrically controlled

376 views • 16 slides
You Cant Fix by Analysis What Youve Spoiled by Design! Anthony R. Artino, Jr., Ph.D.

You Cant Fix by Analysis What Youve Spoiled by Design! Anthony R. Artino, Jr., Ph.D.

Developing Questionnaires for Educational Research: You Cant Fix by Analysis What Youve Spoiled by Design! Anthony R. Artino, Jr., Ph.D. Professor, Division of Health Professions Education Uniformed Services University of the Health

749 views • 43 slides
PLATILLOS DEL MAR Jalapeno Infused Bacon Wrapped Scallops Jumbo hand dived sea scallops from

PLATILLOS DEL MAR Jalapeno Infused Bacon Wrapped Scallops Jumbo hand dived sea scallops from

562-343-5506 lolasmexicancuisine.com 2030 East 4th street long beach ca Lolas Guacamole Tinga Tostaditas Fresh ripe California Hass avocado, tomatoes, Pulled chicken simmered with chipotle, sweet onions, and cilantro, onions, salt, and

305 views • 4 slides
I-293 EXIT 6 &amp; 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION

I-293 EXIT 6 &amp; 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION

I-293 EXIT 6 &amp; 7 (PART B) Technical Advisory Committee (TAC) July 11, 2017 ITS DECISION TIME! WE NEED TO SETTLE ON A PROPOSED ACTION Follow-up from June 7 th Public Informational Meeting EXIT 7 Exit 7 Relocated Interchange EXIT 6

253 views • 23 slides
I. Defining Prejudice Prejudice is the spoiled fruit that grows from the cognitive vine. It

I. Defining Prejudice Prejudice is the spoiled fruit that grows from the cognitive vine. It

I. Defining Prejudice Prejudice is the spoiled fruit that grows from the cognitive vine. It sprouts from a Prejudice kernel of truth among the weeds of Blaine Ch. 4 distortion. It is fertilized by existential fear and the drive for self

486 views • 3 slides
Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and

Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and

Exit of Business Need for Exit: Entrepreneurs make a lots of efforts to create a business and make it grow. But they often neglect the need for Exit Planning in their Business. In absence of Exit Strategy, they often forget that the decisions

247 views • 11 slides
Metagenomic analysis of spoiled potato and tomato and the use of the dominant bacterial species in

Metagenomic analysis of spoiled potato and tomato and the use of the dominant bacterial species in

Metagenomic analysis of spoiled potato and tomato and the use of the dominant bacterial species in plant growth studies Khaya Ntushelo Department of Agriculture and Animal Health, University of South Africa, Science Campus, Florida, 1710, South

451 views • 29 slides
Pipeline Safety Regulation Skagit Countys Experience Grant Recipient In October 2010:

Pipeline Safety Regulation Skagit Countys Experience Grant Recipient In October 2010:

Pipeline Safety Regulation Skagit Countys Experience Grant Recipient In October 2010: $49,667 Technical Assistance Grant from the USDOT Pipeline and Hazardous Materials Safety Administration to develop regulations regarding

537 views • 17 slides
DCCVB Financial Partners In Kind &amp; Event Sponsors Mission Statement To generate economic

DCCVB Financial Partners In Kind &amp; Event Sponsors Mission Statement To generate economic

DCCVB Financial Partners In Kind &amp; Event Sponsors Mission Statement To generate economic impact and promote DeKalb County as a premier destination for business and leisure travel. DCCVB Board &amp; Staff 2016-2017 DCCVB BOARD MEMBERS

520 views • 21 slides
Antitrust Risks in E-Commerce Pricing and Distribution Avoiding RPM, MFN and IMAP Pitfalls With

Antitrust Risks in E-Commerce Pricing and Distribution Avoiding RPM, MFN and IMAP Pitfalls With

Presenting a live 90-minute webinar with interactive Q&amp;A Antitrust Risks in E-Commerce Pricing and Distribution Avoiding RPM, MFN and IMAP Pitfalls With Online Sales TUESDAY, MARCH 24, 2015 1pm Eastern | 12pm Central | 11am

914 views • 59 slides
Information System (SEIS) principles and practices in the ENP South region ENI SEIS South Support

Information System (SEIS) principles and practices in the ENP South region ENI SEIS South Support

Mediterranean Action Plan Coordinating Unit Barcelona Convention Secretariat Implementation of the Shared Environmental Information System (SEIS) principles and practices in the ENP South region ENI SEIS South Support Mechanism (2016-2019)

4.35k views • 18 slides
Office of Human Resources Administrative Recruiting Plan 2011-2012 AISD STRATEGIC PLAN: STRATEGY

Office of Human Resources Administrative Recruiting Plan 2011-2012 AISD STRATEGIC PLAN: STRATEGY

THE AUSTIN INDEPENDENT SCHOOL DISTRICT Office of Human Resources Administrative Recruiting Plan 2011-2012 AISD STRATEGIC PLAN: STRATEGY 3 Ensure that every classroom has a high-quality, diverse and effective teacher, supported by high-quality,

762 views • 32 slides
Data-Driven Decision Making at MTA Leah Visakowitz GIS Analyst MTA, Office of Planning and

Data-Driven Decision Making at MTA Leah Visakowitz GIS Analyst MTA, Office of Planning and

Data-Driven Decision Making at MTA Leah Visakowitz GIS Analyst MTA, Office of Planning and Programming 1 Current/Recent Efforts Improved bus tracking GPS data for service planning Capital projects investment North Avenue

878 views • 11 slides
S a l t A n s i b l e ? P a b l o S u r e z H e r n n d e z S

S a l t A n s i b l e ? P a b l o S u r e z H e r n n d e z S

S a l t A n s i b l e ? P a b l o S u r e z H e r n n d e z S U S E M a n a g e r - S a l t p s u a r e z h e r n a n d e z @s u s e . c o m We a r e S U S E . .

703 views • 31 slides
Falcongaze SecureTower About Falcongaze Who we are Falcongaze Company was founded in 2007 We

Falcongaze SecureTower About Falcongaze Who we are Falcongaze Company was founded in 2007 We

Falcongaze SecureTower About Falcongaze Who we are Falcongaze Company was founded in 2007 We are on the DLP market since 2010 6 offices in Russia and Belarus The company has grown from 3 to 100+ employees Over 700 commercial implementations

728 views • 15 slides

More recommend