ABSTRACT
The website fingerprinting attack aims to infer the content of encrypted and anonymized connections by analyzing traffic patterns such as packet sizes, their order, and direction. Although it has been shown that no existing fingerprinting method scales in Tor when applied in realistic settings, the case of Tor hidden (onion) services has not yet been considered in such scenarios. Recent works claim the feasibility of the attack in the context of hidden services using limited datasets.
In this work, we propose a novel two-phase approach for fingerprinting hidden services that does not rely on malicious Tor nodes. In our attack, the adversary merely needs to be on the link between the client and the first anonymization node. In the first phase, we detect a connection to a hidden service. Once a hidden service communication is detected, we determine the visited hidden service (phase two) within the hidden service universe. To estimate the scalability of our and other existing methods, we constructed the most extensive and realistic dataset of existing hidden services. Using this dataset, we show the feasibility of phase one of the attack and establish that phase two does not scale using existing classifiers. We present a comprehensive comparison of the performance and limits of the state-of-the-art website fingerprinting attacks with respect to Tor hidden services.
- 2014. Better, fairer circuit OOM handling. https://trac.torproject.org/projects/tor/ticket/9093. (2014).Google Scholar
- 2014. Thoughts and Concerns about Operation Onymous. https://blog.torproject.org/blog/thoughts-and-concerns-about-operation-onymous. (2014).Google Scholar
- 2015. Getting the HSDir flag should require the Stable flag. https://github.com/DonnchaC/torspec/blob/master/proposals/243-hsdir-flag-need-stable.txt. (2015).Google Scholar
- 2015. Load Balancing/High Availability Hidden Services. http://archives.seul.org/or/talk/Mar-2015/msg00218.html. (2015).Google Scholar
- 2015. Possible Solutions for Increasing the Capacity of a Hidden Service. https://lists.torproject.org/pipermail/tor-talk/2015-March/037173.html. (2015).Google Scholar
- 2017. Tor Rendezvous Specification. https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=rend-spec.txt. (2017).Google Scholar
- Alex Biryukov, Ivan Pustogarov, Fabrice Thill, and Ralf-Philipp Weinmann. 2014. Content and Popularity Analysis of Tor Hidden Services. In 34th International Conference on Distributed Computing Systems Workshops. IEEE, Madrid, Spain, 188--193. Google ScholarDigital Library
- Alex Biryukov, Ivan Pustogarov, and Ralf-Philipp Weinmann. 2013. Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization. In Symposium on Security and Privacy (S&P). IEEE, Berkeley, CA, USA, 80--94.Google ScholarDigital Library
- Xiang Cai, Xin Cheng Zhang, Brijesh Joshi, and Rob Johnson. 2012. Touching from a distance: website fingerprinting attacks and defenses. In ACM conference on Computer and communications security (CCS). ACM, Raleigh, NC, USA, 605--616. Google ScholarDigital Library
- Chih-Chung Chang and Chih-Jen Lin. 2011. LIBSVM: A library for support vector machines. ACM Transactions on Intelligent Systems and Technology 2 (April 2011). Issue 3. Available: http://www.csie.ntu.edu.tw/~cjlin/libsvm.Google ScholarDigital Library
- Roger Dingledine and Nick Mathewson. 2017. Tor directory protocol, Version 3. https://gitweb.torproject.org/torspec.git/tree/dir-spec.txt. (2017).Google Scholar
- Roger Dingledine and Nick Mathewson. 2017. Tor Protocol Specification. https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=tor-spec.txt. (2017).Google Scholar
- Roger Dingledine, Nick Mathewson, and Paul Syverson. 2004. Tor: The Second-generation Onion Router. In 13th conference on USENIX Security Symposium. USENIX Association.Google ScholarCross Ref
- Kevin P. Dyer, Scott E. Coull, Thomas Ristenpart, and Thomas Shrimpton. 2012. Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail. In Symposium on Security and Privacy (S&P). IEEE, San Francisco, CA, USA, 332--346.Google ScholarDigital Library
- Rafael Gálvez, Marc Juarez, and Claudia Diaz. 2016. Profiling Tor Users with Unsupervised Learning Techniques. In International Workshop on Inference and Privacy in a Hyperconnected World (INFER). DE GRUYTER, Darmstadt, Germany.Google Scholar
- Jamie Hayes and George Danezis. 2016. k-fingerprinting: a Robust Scalable Website Fingerprinting Technique. In 25th USENIX Security Symposium. USENIX Association, Austin, TX, 1187--1204.Google Scholar
- Dominik Herrmann, Rolf Wendolsky, and Hannes Federrath. 2009. Website Fingerprinting: Attacking Popular Privacy Enhancing Technologies with the Multinomial Naïve-Bayes Classifier. In ACM workshop on Cloud computing security. ACM, Chicago, IL, USA, 31--42. Google ScholarDigital Library
- Rob Jansen, Florian Tschorsch, Aaron Johnson, and Bjorn Scheuermann. 2014. The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network. In 21st Internet Society (ISOC) Network and Distributed System Security Symposium (NDSS). Internet Society, San Diego, CA, USA.Google Scholar
- Marc Juarez, Sadia Afroz, Gunes Acar, Claudia Diaz, and Rachel Greenstadt. 2014. A Critical Evaluation of Website Fingerprinting Attacks. In 21st ACM Conference on Computer and Communications Security (CCS). ACM, Scottsdale, Arizona, USA, 263--274. Google ScholarDigital Library
- Albert Kwon, Mashael AlSabah, David Lazar, Marc Dacier, and Srinivas Devadas. 2015. Circuit Fingerprinting Attacks: Passive Deanonymization of Tor Hidden Services. In 24th USENIX Security Symposium. USENIX Association, Washington, D.C., 287--302.Google Scholar
- Nick Mathewson. 2015. Next-Generation Hidden Services in Tor. https://gitweb.torproject.org/torspec.git/tree/proposals/224-rend-spec-ng.txt. (2015).Google Scholar
- Srdjan Matic, Platon Kotzias, and Juan Caballero. 2015. Caronte: Detecting Location Leaks for Deanonymizing Tor Hidden Services. In 22nd ACM SIGSAC conference on Computer and communications security (CCS). ACM, Denver, Colorado, USA, 1455--1466. Google ScholarDigital Library
- Asya Mitseva, Andriy Panchenko, Fabian Lanze, Martin Henze, Klaus Wehrle, and Thomas Engel. 2016. POSTER: Fingerprinting Tor Hidden Services. In ACM SIGSAC Conference on Computer and Communications Security (CCS). ACM, Vienna, Austria, 1766--1768. Google ScholarDigital Library
- Steven Murdoch. 2006. Hot or not: Revealing hidden services by their clock skew. In ACM Conference on Computer and Communications Security (CCS). ACM, Alexandria, VA, USA, 27--36. Google ScholarDigital Library
- Juha Nurmi. 2015. Warning: 255 fake and booby trapped onion sites. (2015). https://lists.torproject.org/pipermail/tor-talk/2015-July/038318.htmlGoogle Scholar
- Donncha O'Cearbhaill. 2017. OnionBalance. https://onionbalance.readthedocs.org/en/latest/. (2017).Google Scholar
- Lasse Øverlier and Paul Syverson. 2006. Locating Hidden Servers. In Symposium on Security and Privacy (S&P). IEEE, Oakland, CA, USA, 99--114. Google ScholarDigital Library
- Andriy Panchenko, Fabian Lanze, Andreas Zinnen, Martin Henze, Jan Pennekamp, Klaus Wehrle, and Thomas Engel. 2016. Website Fingerprinting at Internet Scale. In the 23rd Internet Society (ISOC) Network and Distributed System Security Symposium (NDSS). Internet Society, San Diego, CA, USA. Google ScholarCross Ref
- Andriy Panchenko, Lukas Niessen, Andreas Zinnen, and Thomas Engel. 2011. Website Fingerprinting in Onion Routing Based Anonymization Networks. In 10th ACM Computer and Communications Security Workshop on Privacy in the Electronic Society. ACM, Chicago, Illinois, USA, 103--114. Google ScholarDigital Library
- Mike Perry. 2015. Notes and Action Items from Hidden Service Fingerprinting Session. https://lists.torproject.org/pipermail/tor-dev/2015-October/009632.html. (2015).Google Scholar
- Sandeep Tata and Jignesh M. Patel. 2007. Estimating the Selectivity of tf-idf Based Cosine Similarity Predicates. Newsletter ACM SIGMOD Record 36 (June 2007), 7--12. Issue 2.Google Scholar
- Tao Wang, Xiang Cai, Rishab Nithyanand, Rob Johnson, and Ian Goldberg. 2014. Effective Attacks and Provable Defenses for Website Fingerprinting. In 23rd USENIX conference on Security Symposium. USENIX Association, 1--15.Google Scholar
- Tao Wang and Ian Goldberg. 2013. Improved website fingerprinting on Tor. In 12th ACM Computer and Communications Security Workshop on Privacy in the Electronic Society. ACM, Berlin, Germany, 201--212. Google ScholarDigital Library
- Tao Wang and Ian Goldberg. 2016. On Realistically Attacking Tor with Website Fingerprinting. In Privacy Enhancing Technologies (PETS). DE GRUYTER, Darmstadt, Germany, 21--36. Google ScholarCross Ref
- Chih wei Hsu, Chih-Chung Chang, and Chih-Jen Lin. 2010. A Practical Guide to Support Vector Classification. http://www.csie.ntu.edu.tw/~cjlin/papers/guide/guide.pdf. (2010).Google Scholar
- Matthew Wright, Micah Adler, Brian Levine, and Clay Shields. 2003. Defending Anonymous Communication Against Passive Logging Attacks. In Symposium on Security and Privacy (S&P). IEEE, Oakland, CA, USA, 28--43. Google ScholarCross Ref
- Sebastian Zander and Steven Murdoch. 2008. An Improved Clock-skew Measurement Technique for Revealing Hidden Services. In 17th conference on USENIX Security symposium. USENIX Association, Berkeley, CA, USA, 211--225.Google Scholar
Index Terms
- Analysis of Fingerprinting Techniques for Tor Hidden Services
Recommendations
TrafficSliver: Fighting Website Fingerprinting Attacks with Traffic Splitting
CCS '20: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications SecurityWebsite fingerprinting (WFP) aims to infer information about the content of encrypted and anonymized connections by observing patterns of data flows based on the size and direction of packets. By collecting traffic traces at a malicious Tor entry node --...
Deep Fingerprinting: Undermining Website Fingerprinting Defenses with Deep Learning
CCS '18: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications SecurityWebsite fingerprinting enables a local eavesdropper to determine which websites a user is visiting over an encrypted connection. State-of-the-art website fingerprinting attacks have been shown to be effective even against Tor. Recently, lightweight ...
Website fingerprinting in onion routing based anonymization networks
WPES '11: Proceedings of the 10th annual ACM workshop on Privacy in the electronic societyLow-latency anonymization networks such as Tor and JAP claim to hide the recipient and the content of communications from a local observer, i.e., an entity that can eavesdrop the traffic between the user and the first anonymization node. Especially ...
Comments