Tor (The Onion Router) is a well-established anonymity network designed to give users low-latency communication channels that resist network-level adversaries trying to learn who is communicating with whom. How the network holds up when an adversary compromises a fraction of the onion routers is well understood, as is the fact that an adversary able to monitor the whole network leaves users with little or no protection at all.
A recently published paper studied the power of a weaker class of adversaries: ones that do not monitor onion router traffic directly, but instead divide the network into compartments and monitor only the traffic that travels from one compartment to another. These adversaries are interesting because they actually exist, most obviously in the form of programs and collections of scripts built to monitor network traffic crossing national borders. In this article we will look at the experiments presented in the paper, but first let's look at how countries are approaching the monitoring of cross-border network traffic.
Monitoring cross-border communications:
In 2008, the Swedish Parliament passed legislation giving the Swedish National Defence Radio Establishment the right to monitor cable as well as wireless signals crossing the Swedish border. In 2016, the Norwegian government appointed a group of experts to study whether the Norwegian Intelligence Service would be breaking international law by monitoring communications crossing the Norwegian border, much as the Swedish establishment had been doing for eight years. The experts' report concluded that the Norwegian Intelligence Service has the legal right to monitor communications crossing the Norwegian border, though this has not yet been put into effect. Other countries appear to be considering similar measures.
Using compartments to reconstruct Tor circuits:
In the paper, the researchers model and analyse an adversary that differs from those usually considered against Tor: the jurisdictional adversary. It resembles an adversary controlling one or more ASes or IXPs in that it sits on the network path, but the two differ in what they can see. An adversary controlling an AS or an IXP observes all traffic inside its own network, including traffic that never leaves it. The jurisdictional adversary is passive and observes only traffic that crosses the border of its jurisdiction; traffic between two nodes inside the same jurisdiction, including traffic internal to the ASes and IXPs located there, is invisible to it.
The researchers simulated a Tor-like network and the adversaries using two algorithms: a Tor network simulator and a reconstruction algorithm. The reconstruction algorithm is fed the traffic data the simulator generates, as seen from the adversary's vantage point, and uses it to rebuild the simulated circuits and connect each user with the destination server that user is communicating with. The reconstruction relies on the timing, packet size and direction of the data packets, which makes it a form of traffic analysis.
The researchers wrote their own Tor network simulator because they needed to assign nodes to jurisdictions and to obtain exactly the data that the reconstruction algorithm consumes. The simulations cover both fixed (padded) and variable packet sizes, to test whether hiding the packet size is a viable countermeasure against the adversaries' traffic analysis. They did not otherwise morph the Tor traffic, since these adversaries care only about the presence of traffic, not what it looks like.
Algorithms for detecting stepping stones (intermediate hosts such as proxy servers or VPNs, which attackers use to hide their identity) analyse streams of network traffic to identify the hosts that relay one stream into another. In the same vein, the researchers' reconstruction algorithm tries to connect the streams of traffic flowing between known onion routers in order to recreate circuits.
The techniques from the stepping stone literature could also be used to identify onion routers themselves, by linking a host's incoming and outgoing traffic. The difference between that earlier work and the experiments in this paper is the adversary model: the researchers assume that the location of every onion router is already known, so the task is purely to connect the observed Tor traffic and reconstruct the circuits.
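To make the adversary model and the stream-linking idea concrete, here is a toy reconstruction written for this article. It is an added example, not the paper's simulator or its reconstruction algorithm, and everything in it is an assumption: the topology (twelve nodes in five jurisdictions labelled A to E), three constructed circuits, a 20 ms per-hop forwarding delay with 2 ms jitter, and the linking method (Pearson correlation of packet counts in 250 ms bins, with a greedy one-to-one match above a threshold of 0.5). The observer keeps only streams whose endpoints lie in different jurisdictions, then tries to join each known relay's inbound and outbound streams by timing alone, ignoring packet sizes, so padded and variable-size runs reconstruct the same circuits. Where a hop stays inside one jurisdiction the chain breaks, which is the blind spot that distinguishes this adversary from one controlling an AS or IXP.

```python
"""Toy jurisdictional adversary: sees only packets crossing a jurisdiction border,
knows where every onion router is, and links each router's inbound and outbound
streams by timing correlation. Added example; not the paper's code."""
import random

# Constructed topology: node -> jurisdiction (assumption, not from the paper).
JURISDICTION = {
    "client1": "A", "client2": "A", "client3": "B",
    "guard1": "B", "guard2": "C", "middle1": "C", "middle2": "D",
    "exit1": "D", "exit2": "A",
    "server1": "E", "server2": "E", "server3": "B",
}
RELAYS = {"guard1", "guard2", "middle1", "middle2", "exit1", "exit2"}  # known to the adversary
CIRCUITS = [  # constructed client -> guard -> middle -> exit -> server paths
    ["client1", "guard1", "middle2", "exit2", "server1"],  # every hop crosses a border
    ["client2", "guard2", "middle1", "exit1", "server2"],  # guard2->middle1 stays inside C
    ["client3", "guard1", "middle2", "exit1", "server3"],  # hops 1 and 3 stay inside B / D
]
HOP_DELAY, JITTER = 0.02, 0.002  # seconds; assumed per-hop forwarding delay and jitter

def circuit_streams(circuit, rng, size_rng, n_packets=200, padded=True):
    """One stream (src, dst, [(time, size), ...]) per hop, client->server direction only.
    Timing is bursty and is preserved across hops up to delay and jitter."""
    t, times = rng.uniform(0, 5.0), []
    for _ in range(n_packets):
        t += rng.expovariate(1 / 0.05) if rng.random() < 0.8 else rng.expovariate(1 / 1.0)
        times.append(t)
    sizes = [514 if padded else size_rng.choice([80, 200, 514, 1024, 1500]) for _ in times]
    return [(src, dst, [(ti + h * HOP_DELAY + rng.gauss(0, JITTER), s) for ti, s in zip(times, sizes)])
            for h, (src, dst) in enumerate(zip(circuit, circuit[1:]))]

def border_observer(streams):
    """The adversary's vantage point: only hops whose endpoints sit in different jurisdictions."""
    return [s for s in streams if JURISDICTION[s[0]] != JURISDICTION[s[1]]]

def bin_counts(pkts, width=0.25, horizon=80.0):
    """Packets per time bin; packet sizes are deliberately ignored."""
    counts = [0] * int(horizon / width)
    for t, _ in pkts:
        i = int(t / width)
        if 0 <= i < len(counts):
            counts[i] += 1
    return counts

def correlation(a, b):
    n, ma, mb = len(a), sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va, vb = sum((x - ma) ** 2 for x in a), sum((y - mb) ** 2 for y in b)
    return cov / (va * vb) ** 0.5 if va and vb else 0.0

def timing_score(s_in, s_out, max_lag=1):
    """Best Pearson correlation of binned counts over small forward lags (out lags in)."""
    a, b = bin_counts(s_in[2]), bin_counts(s_out[2])
    return max(correlation(a[:len(a) - lag], b[lag:]) for lag in range(max_lag + 1))

def link_at_relay(relay, observed, threshold=0.5):
    """Greedy one-to-one matching of a relay's observed inbound and outbound streams.
    Returns {inbound stream index: outbound stream index} over the observed list."""
    inbound = [k for k, s in enumerate(observed) if s[1] == relay]
    outbound = [k for k, s in enumerate(observed) if s[0] == relay]
    scored = sorted(((timing_score(observed[i], observed[o]), i, o)
                     for i in inbound for o in outbound), reverse=True)
    links, used_in, used_out = {}, set(), set()
    for score, i, o in scored:
        if score < threshold or i in used_in or o in used_out:
            continue
        used_in.add(i); used_out.add(o); links[i] = o
    return links

def reconstruct(observed):
    """Chain links starting from every observed client-originated stream; a path stops
    where the next hop never crossed a border, which is this adversary's blind spot."""
    links = {}
    for relay in RELAYS:
        links.update(link_at_relay(relay, observed))
    paths = []
    for k, (src, dst, _) in enumerate(observed):
        if src in RELAYS:
            continue
        path = [src, dst]
        while k in links:
            k = links[k]
            path.append(observed[k][1])
        paths.append(path)
    return paths

def observe(padded, seed=7):
    """Generate the constructed circuits' traffic and apply the border observer."""
    rng, size_rng = random.Random(seed), random.Random(1)
    streams = [s for c in CIRCUITS for s in circuit_streams(c, rng, size_rng, padded=padded)]
    return border_observer(streams)

def run(padded, seed=7):
    return sorted(reconstruct(observe(padded, seed)))

if __name__ == "__main__":
    for padded in (True, False):
        print("padded" if padded else "variable sizes", run(padded))
```

Running it shows the first circuit rebuilt end to end from client1 to server1, while the second stops at guard2 because the guard-to-middle hop never left jurisdiction C; the third circuit is never even started because its client and guard share a jurisdiction. Switching `padded` off changes nothing, since the score uses packet counts per bin and not sizes, which is the intuition behind testing padding as a countermeasure in the paper.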