This past March was a tough month for privacy pundits. Congress rescinded what experts consider to be significant online privacy regulations. According to this TechRepublic column by Hope Reese: “Republicans in the US House of Representatives followed suit with the Senate, voting to strip guidelines issued by the Federal Communications Commission (FCC) to protect consumer internet history.”
“The ruling effectively blocks Obama-era regulations established in October 2016–and set to take effect in December 2017–that were designed to protect consumers’ personal information online from being sold to businesses and marketers,” continues Reese. “The regulations forced internet service providers (ISPs) like AT&T, Verizon, and T-Mobile to ask for permission from customers before they could share their personal internet history with third-party advertisers.”
SEE: Online security 101: Tips for protecting your privacy from hackers and spies (TechRepublic)
Individuals and organizations taking a wait and see attitude about online privacy are now forced to look elsewhere for protection. One possible solution is Tor–The Onion Router–technology that anonymizes user-identifying information by routing digital traffic through a series of relay servers before releasing the traffic to the public internet (Figure A).
Tor is currently the most popular method for anonymizing online communications–it serves millions of users, and carries terabytes of traffic every day. Despite its proven effectiveness, a group of researchers from Princeton is urging caution because Tor has a weakness.
“Tor is vulnerable to traffic-correlation attacks,” write Princeton University researchers Yixin Sun, Anne Edmundson, Nick Feamster, Mung Chiang, and Prateek Mittal in their paper Counter-RAPTOR: Safeguarding Tor Against Active Routing Attacks. “An adversary [or Autonomous System (AS)] who can observe the traffic at both ends of the communications path–between the Tor client and the entry guard relay, and between the exit relay and the destination server–can perform traffic analysis on packet size and timing to deanonymize Tor users.”
The authors are particularly concerned about RAPTOR (Routing Attacks on Privacy in TOR) attacks, where quirks in BGP routing allow attackers to increase the number of AS-level adversaries observing traffic entering and exiting the Tor network.
“As the internet gets bigger and more dynamic, more organizations have the ability to observe users’ traffic,” says research team member Yixin Sun in Josephine Wolff’s Princeton University press release. “We want to understand possible ways these organizations could identify users and provide Tor with the means to defend itself against these attacks and help preserve online privacy.”
SEE: Cyber Security Volume III: Anonymous Browsing (TechRepublic Academy)
Organizations are able to identify users, because traffic from each user is distinctive in terms of data packet size and packet sequence. “If an ISP sees similar-looking traffic streams enter the Tor network and leave the Tor network after being routed through relay servers, the provider may be able to piece together the user’s identity,” mentions Wolff. “And ISPs are often able to manipulate how traffic on the internet is routed, so they can observe particular streams of traffic, making Tor vulnerable to this kind of attack.”
The guard relay selection algorithm
To devise a solution, the Princeton research team began by measuring how susceptible ISPs were to RAPTOR and prefix-hijack attacks (corrupt IP addresses). After reviewing their data, the researchers felt it necessary to change how Tor entry guard relays are chosen. Rather than randomly select relays (some attention was paid to server loading), the Princeton team decided their guard relay selection algorithm would make routing choices based on the following:
- Mitigate RAPTOR and prefix-hijack attacks on Tor: Compute AS resistance against RAPTOR and prefix-hijack attacks on all Tor guard relays from the client source AS, and select the ones having more resilience, minimizing the likelihood of an attack on the guard relay being accessed by the Tor user.
- Protect the anonymity of Tor clients: Protect the anonymity of Tor users by balancing preferences among relays and providing anonymity boundaries.
- Performance and load balancing: Take into consideration the amount of available bandwidth into the selection decision to avoid traffic congestion on low bandwidth relays.
Proactive and reactive countermeasures
The Princeton University researchers have both proactive and reactive defenses. The team’s Tor guard relay selection algorithm proactively mitigates RAPTOR and prefix-hijack attacks.
“The researchers also built a network-monitoring system (reactive) to check network traffic to uncover manipulation that could indicate attacks on Tor,” writes Wolff in the press release. “When they simulated such attacks themselves, the researchers found that their system was able to identify the attacks and have low false positive rates.”
Wolff concludes the press release with Professor Mittal’s recommendation:
“Tor is among the best tools for anonymous communications. Making Tor more robust, directly serves to strengthen individual liberty and freedom of expression in online communications.”