One Bad Apple Spoils the Bunch: Exploiting P2P Applications to Trace and Profile Tor Users
Stevens Le Blond (INRIA Sophia Antipolis / INRIA Rhône-Alpes), Pere Manils (INRIA Sophia Antipolis / INRIA Rhône-Alpes), Chaabane Abdelberi (INRIA Sophia Antipolis / INRIA Rhône-Alpes), Mohamed Ali Dali Kaafar (INRIA Sophia Antipolis / INRIA Rhône-Alpes)

TL;DR
This paper demonstrates how linkability in Tor can be exploited to trace and profile users, revealing thousands of IPs and exposing behaviors, especially related to BitTorrent usage, over a 23-day period.
Contribution
It introduces practical attacks exploiting linkability in Tor to trace insecure applications like BitTorrent, revealing user IPs and behaviors in real-world scenarios.
Findings
Linkability allows tracing 193% of additional streams, including 27% of HTTP streams possibly originating from "secure" browsers.
Traced 9% of the Tor streams carried by the authors' instrumented exit nodes.
Identified over 10,000 user IPs and analyzed their content and geographic distribution.
Abstract
Tor is a popular low-latency anonymity network. However, Tor does not protect against the exploitation of an insecure application to reveal the IP address of, or trace, a TCP stream. In addition, because of the linkability of Tor streams sent together over a single circuit, tracing one stream sent over a circuit traces them all. Surprisingly, it is unknown whether this linkability allows, in practice, the tracing of a significant number of streams originating from secure (i.e., proxied) applications. In this paper, we show that linkability allows us to trace 193% of additional streams, including 27% of HTTP streams possibly originating from "secure" browsers. In particular, we traced 9% of Tor streams carried by our instrumented exit nodes. Using BitTorrent as the insecure application, we design two attacks tracing BitTorrent users on Tor. We run these attacks in the wild for 23 days and reveal…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Spam and Phishing Detection · Network Security and Intrusion Detection
