Tor takes aim against malicious nodes on the network

'Sybil' nodes could be used to de-anonymise traffic

The Tor Project is working with Princeton University boffins to try and identify possibly malicious nodes, and prevent them from harvesting traffic by gaming its node reputation system.

Tor's reputation services collect flags from relays, from which they assess and publish (hourly) the reputation of relays, but the researchers from Princeton and the Tor project believe the network isn't sufficiently protected against “Sybil attacks”.

In a Sybil attack (named after the Flora Schreiber novel about dissociative identity disorder), a single individual controls multiple accounts to game a reputation system. In the case of Tor, gaming the system would let an attacker attract traffic to nodes they control – and that gives the attacker more traffic to observe (for example, to try and de-anonymise users).

Tor already tries to remove malicious Sybils from the network (not all of them are attackers), but a false positive is costly, because it removes bandwidth from the network. However, the paper (by Princeton and Karlstad University's Philipp Winter, Roya Ensafi and Nick Feamster of Princeton, and the Tor Project's Karsten Loesing) notes that to get rid of dangerous nodes, the network needs ways to identify them.

A miscreant, the authors say, can also use Sybils to snoop on exit traffic (for credential collection), fingerprint Websites users are connecting to, harvest bridge addresses (which undermines Tor's potential to circumvent censorship).

The boffins trained their main tool, called “sybilhunter”, on historical network data about the Tor consensus (that is, the output of its reputation system), and turned up some interesting results, including:

  • Rewrite Sybils – these hijacked Bitcoin transactions by rewriting their Bitcoin addresses;
  • Redirect Sybils – these also attacked Bitcoin users, by redirecting them to an impersonation site;
  • FDCservers Sybils – associated with the CMU deanonymisation research later subpoenaed by the FBI;
  • Botnets of Sybils – possibly misguided attempts to help drive up usage;
  • Academic Sybils – they observed the Amazon EC2-hosted nodes operated by Biryukov, Pustogarov, and Weinmann for this 2013 paper; and
  • The LizardNSA attack on Tor.

The paper notes that sybilhunter isn't a complete answer to the problem. It can't assess the motivations behind Sybils, and some fingerprints it misses are picked up by other tools, such as Exitmap. So the Tor Project is advised to use “diverse and complimentary tools” to protect the network.

Manual work is needed as well, and can provide important context to distinguish harmless and malicious Sybils: “Sybils that are (i) operated in “bulletproof” Ases, (ii) show signs of not running the Tor reference implementation, or (iii) spoof information in their router descriptor all suggest malicious intent”, they say.

They hope to create a crowd-sourced sybilhunter: “We are also working with The Tor Project on incorporating our techniques in Tor Metrics, a web site that contains network visualisations, which are frequented by numerous volunteers that sometimes report anomalies. By incorporating our techniques, we hope to benefit from “crowd-sourced” Sybil detection.”

The code for sybilhunter is here. ®

Sponsored: Balancing consumerization and corporate control

More from The Register


Backdoors won't weaken your encryption, wails FBI boss. And he's right. They won't – they'll fscking torpedo it

Give it a Wray, give it a Wray, give it a Wray now: Big Chris steps in to defend blowing a hole in personal crypto
Swarming bugs

Drone 'swarm' buzzed off FBI surveillance bods, says tech bloke

UAV arms race with drug lords is upon us
Someone enjoying a spliff

FBI, NSA to hackers: Let us be blunt. Weed need your help. We'll hire you even if you've smoked a little pot in the past

Black Hat Now that's what we call a joint task force: Uncle Sam chills out, relaxes recruitment rules on drugs

ACLU: Here's how FBI tried to force Facebook to wiretap its chat app. Judge: Oh no you don't

Federal court shoots down attempt to reveal Feds' decryption demands

FBI boss: Never mind Russia and social media, China ransacks US biz for blueprints, secrets at 'surprisingly' huge scale

RSA 'Espionage and criminal investigations ... almost all of which lead back to Beijing'
Looking down on an FBI agent

F-B-Yikes! FBI bod allegedly hid spy camera under desk to snap coworker's upskirt pics

Of all the places to allegedly try this, the J Edgar Hoover HQ ain't one. In fact, no, no building is good. None of them
Facial recognition

FBI and immigration officials trawling US driving licence databases for suspects

Maybe time to put 4th amendment-bothering facial recog on ICE?

Low Barr: Don't give me that crap about security, just put the backdoors in the encryption, roars US Attorney General

Analysis I don't want to hear about hackers and keys, nerds – make it happen, or we'll pass a law making it happen

Biting the hand that feeds IT © 1998–2019