Detecting traffic snooping in Tor using decoys

Sambuddho Chakravarty, Georgios Portokalidis, Michalis Polychronakis, Angelos D. Keromytis

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

19 Scopus citations

Abstract

Anonymous communication networks like Tor partially protect the confidentiality of their users' traffic by encrypting all intra-overlay communication. However, when the relayed traffic reaches the boundaries of the overlay network towards its actual destination, the original user traffic is inevitably exposed. At this point, unless end-to-end encryption is used, sensitive user data can be snooped by a malicious or compromised exit node, or by any other rogue network entity on the path towards the actual destination. We explore the use of decoy traffic for the detection of traffic interception on anonymous proxying systems. Our approach is based on the injection of traffic that exposes bait credentials for decoy services that require user authentication. Our aim is to entice prospective eavesdroppers to access decoy accounts on servers under our control using the intercepted credentials. We have deployed our prototype implementation in the Tor network using decoy IMAP and SMTP servers. During the course of ten months, our system detected ten cases of traffic interception that involved ten different Tor exit nodes. We provide a detailed analysis of the detected incidents, discuss potential improvements to our system, and outline how our approach can be extended for the detection of HTTP session hijacking attacks.

Original language: English
Title of host publication: Recent Advances in Intrusion Detection - 14th International Symposium, RAID 2011, Proceedings
Pages: 222-241
Number of pages: 20
State: Published - 2011
Event: 14th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2011 - Menlo Park, CA, United States
Duration: 20 Sep 2011 - 21 Sep 2011

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 6961 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 14th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2011
Country/Territory: United States
City: Menlo Park, CA
Period: 20/09/11 - 21/09/11
