TY - GEN
T1 - Detecting traffic snooping in tor using decoys
AU - Chakravarty, Sambuddho
AU - Portokalidis, Georgios
AU - Polychronakis, Michalis
AU - Keromytis, Angelos D.
PY - 2011
Y1 - 2011
N2 - Anonymous communication networks like Tor partially protect the confidentiality of their users' traffic by encrypting all intra-overlay communication. However, when the relayed traffic reaches the boundaries of the overlay network towards its actual destination, the original user traffic is inevitably exposed. At this point, unless end-to-end encryption is used, sensitive user data can be snooped by a malicious or compromised exit node, or by any other rogue network entity on the path towards the actual destination. We explore the use of decoy traffic for the detection of traffic interception on anonymous proxying systems. Our approach is based on the injection of traffic that exposes bait credentials for decoy services that require user authentication. Our aim is to entice prospective eavesdroppers to access decoy accounts on servers under our control using the intercepted credentials. We have deployed our prototype implementation in the Tor network using decoy IMAP and SMTP servers. During the course of ten months, our system detected ten cases of traffic interception that involved ten different Tor exit nodes. We provide a detailed analysis of the detected incidents, discuss potential improvements to our system, and outline how our approach can be extended for the detection of HTTP session hijacking attacks.
AB - Anonymous communication networks like Tor partially protect the confidentiality of their users' traffic by encrypting all intra-overlay communication. However, when the relayed traffic reaches the boundaries of the overlay network towards its actual destination, the original user traffic is inevitably exposed. At this point, unless end-to-end encryption is used, sensitive user data can be snooped by a malicious or compromised exit node, or by any other rogue network entity on the path towards the actual destination. We explore the use of decoy traffic for the detection of traffic interception on anonymous proxying systems. Our approach is based on the injection of traffic that exposes bait credentials for decoy services that require user authentication. Our aim is to entice prospective eavesdroppers to access decoy accounts on servers under our control using the intercepted credentials. We have deployed our prototype implementation in the Tor network using decoy IMAP and SMTP servers. During the course of ten months, our system detected ten cases of traffic interception that involved ten different Tor exit nodes. We provide a detailed analysis of the detected incidents, discuss potential improvements to our system, and outline how our approach can be extended for the detection of HTTP session hijacking attacks.
UR - http://www.scopus.com/inward/record.url?scp=84857297875&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84857297875&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-23644-0_12
DO - 10.1007/978-3-642-23644-0_12
M3 - Conference contribution
AN - SCOPUS:84857297875
SN - 9783642236433
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 222
EP - 241
BT - Recent Advances in Intrusion Detection - 14th International Symposium, RAID 2011, Proceedings
T2 - 14th International Symposium on Recent Advances in Intrusion Detection Systems, RAID 2011
Y2 - 20 September 2011 through 21 September 2011
ER -