Overview

Anonymizing networks (such as Tor or I2P) provide a way to anonymize Internet communications, so as to make it hard to link communication parties (e.g., a user and the web server he/she is visiting). Those anonymizing networks often rely on a distributed overlay network and on onion routing to anonymize TCP-based applications like WEB browsing or P2P.

Our research concerns the analysis of such networks, from a security, privacy and usage perspective. Here you can find our current work on the privacy of BitTorrent users on Tor and the characterization of the Tor traffic.

De-anonymizing BitTorrent Users on Tor

In a climate of cold war between P2P users and anti-piracy groups, more and more users are moving to anonymizing networks in an attempt to hide their identity. However, when not designed to protect users information, a P2P protocol would leak information that may compromise the identity of its users.

In this work, we first present three techniques targeting BitTorrent users on top of Tor that reveal their real IP addresses. In a second step, we analyze the Tor usage by BitTorrent users and compare it to its usage outside of Tor. Finally, we depict the threat induced by this de-anonymization and show that users’ privacy violation goes beyond BitTorrent traffic and contaminates other protocols such as HTTP. In other words, using BitTorrent over Tor is not a good idea.

Papers

• Technical report Compromising Tor Anonymity Exploiting P2P Information Leakage is available here.
• A preliminary version has been presented at the 3rd Hot Topics in Privacy Enhancing Technologies (HotPETs 2010).
• The poster accepted at USENIX Symposium on Network Design and Implementation (NSDI ‘10) can be found here.

Press

• Slashdot: Why Tor Users Should Be Cautious About P2P Privacy
• The Tor Project: Bittorrent over Tor isn’t a good idea
• The Register: Researchers spy on BitTorrent users in real-time
• (French) CNIS magazine: Après BitTorrent, l’Inria s’attaque à Tor
• (French) Le Monde: L’anonymat du réseau BitTorrent mis en cause
• (French) Korben: BLUEBEAR – Explication technique qui va faire trembler les utilisateurs de bittorrent

Updates

April 30th, 2010: A Slashdot story on “Why Tor Users Should Be Cautious About P2P Privacy“.

April 29th, 2010: The Tor Project publishes a summary of our main findings in its official blog (Bittorrent over Tor isn’t a good idea).

April 8th 2010: A first version of our technical report has been submitted.

Related Links

Bluebear: Exploring Privacy Threats in BitTorrent
Anonymous Internet access with Tor, circumventing P2P restrictions

Contact: Please, send any comments or questions to:

Mohamed Ali Kaafar or Pere Manils

A Deep Analysis of the Tor Anonymizing Network

In 2008 McCoy et al. have already shown the importance of the BitTorrrent protocol in terms of traffic size in Tor (BitTorrent representing more than 40% of the overall observed traffic). These results revealed useful statistics about Tor usage in general. However, Tor has gained in popularity through years, and its related traffic has certainly evolved. A proof of that is the increase of encrypted BitTorrent traffic that we identified in our research.

We performed an analysis of the application usage of the Tor network through a deep packet inspection (as opposite to a simple port-based classification), and show that most of the traffic exchanged through Tor is an undesirable BitTorrent traffic. We also observed an important fraction of “unknown” traffic and present the technique we used to reveal that the vast majority of this traffic is actually an encrypted BitTorrent traffic. Our analysis shows then that the BitTorrent traffic on top of Tor accounts for much more traffic size that what it is commonly believed.

We also studied the HTTP and BitTorrent usage over Tor and compared Tor users behaviors to typical Internet users, and tried to answer the following questions:

• What kind of webpages are typically visited through Tor?
• What type of content are the BitTorrent users exchanging through Tor?

In addition, we study the Tor network architecture as it is being actually used, and show that many Tor users do not comply with the protocol, and rather prefer creating tunnels making Tor acting as a simple (1-hop) SOCKS proxy. We also show that it is easy to circumvent the bridges collection limits.

Papers

• The paper Digging into Anonymous Traffic: a deep analysis of the Tor anonymizing network accepted at the International Conference in Network and System Security (NSS2010) can be found here (slides of the talk).

Contact

Please, send any comments or questions to:

Mohamed Ali Kaafar or Abdelberi Chaabane

People

Pere Manils (Grenoble)

Abdelberi Chaabane (Grenoble)

Mohamed Ali Kaafar(Grenoble)

Claude Castelluccia(Grenoble)

Stevens Le Blond (Sophia Antipolis)

Arnaud Legout (Sophia Antipolis)

Walid Dabbous(Sophia Antipolis)