Abstract — Overlay networks are widely used to deploy functionality at edge nodes without changing network routers. Each node in an overlay network maintains connections with a number of peers, forming a graph upon which a distributed application or service is implemented. In an “Eclipse ” attack, a set of malicious, colluding overlay nodes arranges for a correct node to peer only with members of the coalition. If successful, the attacker can mediate most or all communication to and from the victim. Furthermore, by supplying biased neighbor information during normal overlay maintenance, a modest number of malicious nodes can eclipse a large number of correct victim nodes. This paper studies the impact of Eclipse attacks on structured overlays and shows the limitations of known defenses. We then present the design, implementation, and evaluation of a new defense, in which nodes anonymously audit each other’s connectivity. The key observation is that a node that mounts an Eclipse attack must have a higher than average node degree. We show that enforcing a node degree limit by auditing is an effective defense against Eclipse attacks. Furthermore, unlike most existing defenses, our defense leaves flexibility in the selection of neighboring nodes, thus permitting important overlay optimizations like proximity neighbor selection (PNS). I.

Abstract. Users building routes through an anonymization network must discover the nodes comprising the network. Yet, it is potentially costly, or even infeasible, for everyone to know the entire network. We introduce a novel attack, the route bridging attack, which makes use of what route creators do not know of the network. We also present new discussion and results concerning route fingerprinting attacks, which make use of what route creators do know of the network. We prove analytic bounds for both route fingerprinting and route bridging and describe the impact of these attacks on published anonymity-network designs. We also discuss implications for network scaling and client-server vs. peer-to-peer systems. 1

Overlay mix-networks are widely used to provide lowlatency anonymous communication services. It is generally accepted that, if an adversary can compromise the endpoints of a path through an anonymous mix-network, then it is possible to ascertain the identities of a requesting client and the responding server. However, theoretical analyses of anonymous mix-networks show that the likelihood of such an end-to-end attack becomes negligible as the network size increases. We show that if the mixnetwork attempts to optimize performance by utilizing a preferential routing scheme, then the system is highly vulnerable to attacks from non-global adversaries with only a few malicious servers. We extend this attack by exploring methods for lowresource nodes to be perceived as high-resource nodes by reporting false resource claims to centralized routing authorities. To evaluate this attack on a mature and representative system, we deployed an isolated Tor network on the PlanetLab testbed. We introduced low-resource malicious nodes that falsely gave the illusion of high-performance nodes, which allowed them to be included on a disproportionately high number of paths. Our results show that our malicious low-resource nodes are highly effective at compromising the end-to-end anonymity of the system. We present several extensions to this general attack that further improve the performance and minimize the resources required. In order to mitigate low-resource nodes from exploiting preferential routing, we present several methods to verify resource claims, including a distributed reputation system. Our attacks suggest what seems be a fundamental problem in multi-hop systems that attempt to simultaneously provide anonymity and high-performance.

This paper investigates the problem of designing anonymity networks that meet application-specific performance and security constraints. We argue that existing anonymity networks take a narrow view of performance by considering only the strength of the offered anonymity. However, real-world applications impose a myriad of communication requirements, including end-to-end bandwidth and latency, trustworthiness of intermediary routers, and network jitter. We pose a grand challenge for anonymity: the development of a network architecture that enables applications to customize routes that tradeoff between anonymity and performance. Towards this challenge, we present the Application-Aware Anonymity (A 3) routing service. We envision that A 3 will serve as a powerful and flexible anonymous communications layer that will spur the future development of anonymity services. 1

Abstract not found

This paper proposes a new approach to anonymous communication called information slicing. Typically, anonymizers use onion routing, where a message is encrypted in layers with the public keys of the nodes along the path. Instead, our approach scrambles the message, divides it into pieces, and sends the pieces along disjoint paths. We show that information slicing addresses message confidentiality as well as source and destination anonymity. Surprisingly, it does not need any public key cryptography. Further, our approach naturally addresses the problem of node failures. These characteristics make it a good fit for use over dynamic peer-to-peer overlays. We evaluate the anonymity of information slicing via analysis and simulations. Our prototype implementation on PlanetLab shows that it achieves higher throughput than onion routing and effectively copes with node churn.

Reputation mechanisms help peers in a peer-to-peer (P2P) system avoid unreliable or malicious peers. In application-level networks, however, short peer life-times mean reputations are often generated from a small number of past transactions. These reputation values are less “reliable, ” and more vulnerable to bad-mouthing or collusion attacks. We address this issue by introducing proactive reputations, a first-hand history of transactions initiated to augment incomplete or short-term reputation values. We present several mechanisms for generating proactive reputations, along with a statistical similarity metric to measure their effectiveness. 1.

We introduce Torsk, a structured peer-to-peer low-latency anonymity protocol. Torsk is designed as an interoperable replacement for the relay selection and directory service of the popular Tor anonymity network, that decreases the bandwidth cost of relay selection and maintenance from quadratic to quasilinear while introducing no new attacks on the anonymity provided by Tor, and no additional delay to connections made via Tor. The resulting bandwidth savings make a modest-sized Torsk network significantly cheaper to operate, and allows low-bandwidth clients to join the network. Unlike previous proposals for P2P anonymity schemes, Torsk does not require all users to relay traffic for others. Torsk utilizes a combination of two P2P lookup mechanisms with complementary strengths in order to avoid attacks on the confidentiality and integrity of lookups. We show by analysis that previously known attacks on P2P anonymity schemes do not apply to Torsk, and report on experiments conducted with a 336-node wide-area deployment of Torsk, demonstrating its efficiency and feasibility. Categories and Subject Descriptors

Abstract – Recent years have witnessed many proposals for anonymous routing in overlay peer-to-peer networks. To provide both sender and receiver anonymity, the proposed protocols require the overlay nodes to have public-private key pairs, with the public keys known to everyone. In practice, however, key distribution and management are well-known difficult problems that have crippled any widespread deployment of anonymous routing. In this paper, we propose a novel protocol that uses a combination of information slicing and source routing to provide anonymous communication similar to Onion Routing but without a public key infrastructure. 1

Abstract—Structured overlay networks can greatly simplify data storage and management for a variety of distributed applications. Despite their attractive features, these overlays remain vulnerable to the Identity attack, where malicious nodes assume control of application components by intercepting and hijacking key-based routing (KBR) requests. Attackers can assume arbitrary application roles such as storage node for a given file, or return falsified contents of an online shopper’s shopping cart. In this paper, we define a generalized form of the Identity attack, and propose a light-weight detection and tracking system that protects applications by redirecting traffic away from attackers. We describe how this attack can be amplified by a Sybil or Eclipse attack, and analyze the costs of performing such an attack. Finally, we present measurements of a deployed overlay that show our techniques to be significantly more light-weight than prior techniques, and highly effective at detecting and avoiding both single node and colluding attacks under a variety of conditions. I.