Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Spoiled Onions:
Exposing Malicious Tor Exit Relays
Philipp Winter, Richard K¨ower, Martin Mulazzani, Markus
Huber, Sebasti...
Outline
This talk is about:
Detecting malicious Tor exit relays
Two new exit relay scanners: exitmap and HoneyConnector
Se...
Problem Description
We define a malicious relay to:
injects or modifys HTML
conducts MitM (TLS & SSH, ...)
modifies DNS resp...
Problem Description
We define a malicious relay to:
injects or modifys HTML
conducts MitM (TLS & SSH, ...)
modifies DNS resp...
Related Work
Previous work:
PETS 2008, ”Shining light into dark places“: 1 relay
RAID 2011, ”Detecting Traffic Snooping in T...
Related Work
Previous work:
PETS 2008, ”Shining light into dark places“: 1 relay
RAID 2011, ”Detecting Traffic Snooping in T...
exitmap
Design of exitmap:
detect MitM attacks
two-hop Tor circuits
asynchronous &
event-driven
Implemented modules:
HTTPS...
exitmap
Design of exitmap:
detect MitM attacks
two-hop Tor circuits
asynchronous &
event-driven
Implemented modules:
HTTPS...
Performance exitmap
Really fast!
can be configured to spread over time
on average: 84%-88% of circuits suceeded
0 10 30 50
...
exitmap scans
Evaluation:
September 2013, running 7 months
several scans per week
Detected 40 malicious relays:
mostly HTT...
HoneyConnector
Design:
unique credentials per relay and connection
full connections
dummy content
log inspection for recon...
HoneyConnector scans
Evaluation:
October 2013, running 4 months
popular hosting providers
one each for FTP and IMAP
54.000...
HoneyConnector scans
Evaluation:
October 2013, running 4 months
popular hosting providers
one each for FTP and IMAP
54.000...
Timely distribution
Timely distribution of login attempts:
Reconnection attempts
Details of login attempts:
majority (57%, or 145) used Tor
18% (45) came from the same IP as exit re...
Reconnection attempts
Details of login attempts:
majority (57%, or 145) used Tor
18% (45) came from the same IP as exit re...
Fun facts
Using credentials is harder than it seems, for 12% (31):
copy-paste errors
manual typos (username, passwords)
IM...
Groups of relays
Multiple relays worked in groups:
relay operators can cooperate
multiple relays per operator
3 different g...
Groups of relays
Multiple relays worked in groups:
relay operators can cooperate
multiple relays per operator
3 different g...
Groups of relays
Indian relays:
7 relays
distinguishable reconnect patterns
same ISP, new IP every 6 hours
low bandwidth (...
Groups of relays
Indian relays:
7 relays
distinguishable reconnect patterns
same ISP, new IP every 6 hours
low bandwidth (...
Discussion
Spoiled onions:
two nodes were found using both scanners
overall: diverse set of attacks
protection:
end-to-end...
Discussion
Spoiled onions:
two nodes were found using both scanners
overall: diverse set of attacks
protection:
end-to-end...
Firefox Extension
HTTPS MitM protection:
self-signed certificates
fetches certificate over second Tor circuit
triggered on a...
Limitations
not all HTTPS connections targeted (sampling)!
performance vs. detectability?
attacker may be upstream?
only s...
Aftermath
notified Tor
(reproduction of attacks)
BadExit flag assigned
as of yesterday:
one relay still in consensus, with B...
Conclusions
To conclude:
get the source here:
http://www.cs.kau.se/philwint/spoiled_onions
run your own scans
identified 65...
Thank you for your time!
Questions?
mmulazzani@sba-research.org
Full table exitmap
Full table exitmap
Full table HoneyConnector
Upcoming SlideShare
Loading in …5
×

Spoiled Onions: Exposing Malicious Tor Exit Relays

1,551 views

Published on

Tor exit relays are operated by volunteers and together push more than 1 GiB/s of network traffic. By design, these volunteers are able to inspect and modify the anonymized network traffic. In this paper, we seek to expose such malicious exit relays and document their actions. First, we monitored the Tor network after developing two fast and modular exit relay scanners—one for credential sniffing and one for active MitM attacks. We implemented several scanning modules for detecting common attacks and used them to probe all exit relays over a period of several months. We discovered numerous malicious exit relays engaging in a multitude of different attacks. To reduce the attack surface users are exposed to, we patched Torbutton, an existing browser extension and part of the Tor Browser Bundle, to fetch and compare suspicious X.509 certificates over independent Tor circuits. Our work makes it possible to continuously and systematically monitor Tor exit relays. We are able to detect and thwart many man-in-the-middle attacks, thereby making the network safer for its users. All our source code is available under a free license.

Published in: Internet
  • Be the first to comment

  • Be the first to like this

Spoiled Onions: Exposing Malicious Tor Exit Relays

  1. 1. Spoiled Onions: Exposing Malicious Tor Exit Relays Philipp Winter, Richard K¨ower, Martin Mulazzani, Markus Huber, Sebastian Schrittwieser, Stefan Lindskog, Edgar Weippl
  2. 2. Outline This talk is about: Detecting malicious Tor exit relays Two new exit relay scanners: exitmap and HoneyConnector Several months runtime on the Tor network Identified 65 spoiled onions
  3. 3. Problem Description We define a malicious relay to: injects or modifys HTML conducts MitM (TLS & SSH, ...) modifies DNS responses credentials reusage (FTP, IMAP, SMTP) Our solution: lightweight and modular exit scanners focus: opportunity, impact and history open source
  4. 4. Problem Description We define a malicious relay to: injects or modifys HTML conducts MitM (TLS & SSH, ...) modifies DNS responses credentials reusage (FTP, IMAP, SMTP) Our solution: lightweight and modular exit scanners focus: opportunity, impact and history open source
  5. 5. Related Work Previous work: PETS 2008, ”Shining light into dark places“: 1 relay RAID 2011, ”Detecting Traffic Snooping in Tor Using Decoys“: 10 relays “Snakes on a Tor” (Mike Perry), “tortunnel” (Moxie Marlinspike), numerous others However, so far: Tor network (and the world) has changed since 2011 no systematic framework to detect active attacks
  6. 6. Related Work Previous work: PETS 2008, ”Shining light into dark places“: 1 relay RAID 2011, ”Detecting Traffic Snooping in Tor Using Decoys“: 10 relays “Snakes on a Tor” (Mike Perry), “tortunnel” (Moxie Marlinspike), numerous others However, so far: Tor network (and the world) has changed since 2011 no systematic framework to detect active attacks
  7. 7. exitmap Design of exitmap: detect MitM attacks two-hop Tor circuits asynchronous & event-driven Implemented modules: HTTPS, SSH, XMPP, IMAPS, DNS, sslstrip Python & Stem library exitmap Destination Exit relays Static relay Tor network "Spoiled" exit doing MitM
  8. 8. exitmap Design of exitmap: detect MitM attacks two-hop Tor circuits asynchronous & event-driven Implemented modules: HTTPS, SSH, XMPP, IMAPS, DNS, sslstrip Python & Stem library exitmap Destination Exit relays Static relay Tor network "Spoiled" exit doing MitM
  9. 9. Performance exitmap Really fast! can be configured to spread over time on average: 84%-88% of circuits suceeded 0 10 30 50 0.00.40.8 Time (seconds) EmpiricalCDF qqqqqqqqqqqqqqq qqqqqqq qqqqqq qqqqqqq qqqqqqqqqqqq qq q SSH HTTPS sslstrip DNS
  10. 10. exitmap scans Evaluation: September 2013, running 7 months several scans per week Detected 40 malicious relays: mostly HTTPS MitM (18) some additionally SSH MitM (5) many sslstrip (9) some DNS modifications: DNS censorship (4) in Hong Kong, Malaysia and Turkey OpenDNS (4)
  11. 11. HoneyConnector Design: unique credentials per relay and connection full connections dummy content log inspection for reconnections Implemented modules: FTP (pyFTPdlib) IMAP (Dovecot)
  12. 12. HoneyConnector scans Evaluation: October 2013, running 4 months popular hosting providers one each for FTP and IMAP 54.000 bait connections Detected 27 malicious relays: 255 login attempts, with 128 sniffed credentials credentials reused: 97 (FTP), 31 (IMAP) many reconnection attempts in bulks
  13. 13. HoneyConnector scans Evaluation: October 2013, running 4 months popular hosting providers one each for FTP and IMAP 54.000 bait connections Detected 27 malicious relays: 255 login attempts, with 128 sniffed credentials credentials reused: 97 (FTP), 31 (IMAP) many reconnection attempts in bulks
  14. 14. Timely distribution Timely distribution of login attempts:
  15. 15. Reconnection attempts Details of login attempts: majority (57%, or 145) used Tor 18% (45) came from the same IP as exit relay 16% (41) used Mail2Web 9% (22) used IP from consumer lines, UMTS or hosting providers Software used for some cases: Firefox and Internet Explorer for FTP (mozilla@example.com) Thunderbird for IMAP (autoconf XML file)
  16. 16. Reconnection attempts Details of login attempts: majority (57%, or 145) used Tor 18% (45) came from the same IP as exit relay 16% (41) used Mail2Web 9% (22) used IP from consumer lines, UMTS or hosting providers Software used for some cases: Firefox and Internet Explorer for FTP (mozilla@example.com) Thunderbird for IMAP (autoconf XML file)
  17. 17. Fun facts Using credentials is harder than it seems, for 12% (31): copy-paste errors manual typos (username, passwords) IMAP credentials for FTP, and vice-versa mixing passwords for usernames one completely unrelated password pasting connection URL in wrong browser (Chrome vs. TBB)
  18. 18. Groups of relays Multiple relays worked in groups: relay operators can cooperate multiple relays per operator 3 different groups identified Russian nodes, HTTPS MitM: 20 relays same, self-signed certificate all but one relay located in Russia one VPS provider / netblock rather high bandwidth (up to 7 MB/s)
  19. 19. Groups of relays Multiple relays worked in groups: relay operators can cooperate multiple relays per operator 3 different groups identified Russian nodes, HTTPS MitM: 20 relays same, self-signed certificate all but one relay located in Russia one VPS provider / netblock rather high bandwidth (up to 7 MB/s)
  20. 20. Groups of relays Indian relays: 7 relays distinguishable reconnect patterns same ISP, new IP every 6 hours low bandwidth (50-80 KB/s) International group: 5 relays sniffed credentials tested in batches medium bandwidth (2-3 MB/s)
  21. 21. Groups of relays Indian relays: 7 relays distinguishable reconnect patterns same ISP, new IP every 6 hours low bandwidth (50-80 KB/s) International group: 5 relays sniffed credentials tested in batches medium bandwidth (2-3 MB/s)
  22. 22. Discussion Spoiled onions: two nodes were found using both scanners overall: diverse set of attacks protection: end-to-end encryption user education pinning, HSTS, DANE Effects on Tor users: propability to use malicious relay is tricky to calculate influenced by churn rate and bandwidth in total 6835 exit relays around 2700 <= 50 hours or less
  23. 23. Discussion Spoiled onions: two nodes were found using both scanners overall: diverse set of attacks protection: end-to-end encryption user education pinning, HSTS, DANE Effects on Tor users: propability to use malicious relay is tricky to calculate influenced by churn rate and bandwidth in total 6835 exit relays around 2700 <= 50 hours or less
  24. 24. Firefox Extension HTTPS MitM protection: self-signed certificates fetches certificate over second Tor circuit triggered on about:certerror Does not protect against: malicious (and trusted) CA large number of relays/bandwidth
  25. 25. Limitations not all HTTPS connections targeted (sampling)! performance vs. detectability? attacker may be upstream? only snapshot in time
  26. 26. Aftermath notified Tor (reproduction of attacks) BadExit flag assigned as of yesterday: one relay still in consensus, with BadExit
  27. 27. Conclusions To conclude: get the source here: http://www.cs.kau.se/philwint/spoiled_onions run your own scans identified 65 spoiled onions, maybe more?
  28. 28. Thank you for your time! Questions? mmulazzani@sba-research.org
  29. 29. Full table exitmap
  30. 30. Full table exitmap
  31. 31. Full table HoneyConnector

×