Saturday, 27 February 2016

The Trouble With Anonymity

There is an old adage that on the Internet no one knows you're a dog. It accompanied a cartoon in The New Yorker in 1993, which eons in Internet evolutionary terms, but issues with identity remains as problematic today as ever.  This holds true for system to system communications as well as those from person to person.  One attack that has become well known in forging identities in peer to peer networks is the Sybil attack.

The essence of a Sybil attack is simple: you subvert the reputation of a system in a peer to peer network by setting up a large number of pseudonymous identities and thereby gain an undue influence allowing you to, for example, gather data that you would not otherwise be able to do.  The ease with which a Sybil attack can be mounted is largely a factor of how cheaply identities can be generated.

In the last 10 years much work has been done on how to defend against Sybil attacks in particular contexts, such as, social networks and peer to peer (P2P) networks.  All such defences basically rely on one approach: having a trusted agency certify identities.  Researchers showed as far back as 2002 that without a logically centralised authority Sybil attacks were always possible unless you make unrealistic assumptions about networked resources.

The situation is exacerbated when even the "real" user seeks to obscure their identity.  This is exactly what Tor sets out to do so it's not entirely surprising that Tor is vulnerable to Sybil attacks.  For several months in 2014 a Sybil attack was used on Tor in an attempt to decloak users of Tor's hidden services. It was a wakeup call that the very anonymity that Tor seeks to provide could be used against the users in an attempt to reveal their true identities.

When the 2014 attack on Tor was detected, the Tor Project quickly sent out a security advisory and took steps to prevent it happening again.  This particular attack used a vulnerability in the Tor protocol which was quickly patched.  However, work over the past few years has shown that it is surprisingly common for Tor nodes to be set up with malicious intent towards Tor users.  One such study by my colleagues found that there were many exit nodes on the Tor network that appeared to be sniffing traffic, potentially conducting a range of Man in The Middle (MiTM) attacks - so called "Spoiled Onions".  If it's possible to set up a malicious node in this way (all which are quite difficult for the Tor Project to detect) we all assumed it must be relatively easy to conduct Sybil attacks "under the radar".

I was particularly interested when a paper appeared this week which reports on a tool called "Sybilhunter" which uses a range of techniques to try to expose Sybil attacks on the Tor network. The researchers analysed 9 years worth of data.  It revealed not only that Sybil attacks are underway but they vary greatly in levels of sophistication - it may be some were too sophisticated for Sybilhunter to detect but it gives an excellent indication of the problem.

Sybilhunter revealed that there were distinct groups conducting these attacks and that it was possible to determine the motives for some of the attacks:

This list includes the Sybil attacks in 2014 mentioned above.  The work also showed that whilst Sybilhunter could help detect the attacks it was necessary to manually compare attacks in order to relate them.

The overall conclusion seems to be that with anonymity comes an inability to prevent Sybil attacks but you can detect them and thence take action to cut them short.

For those interested in exploring this further both the code used in this project and the data gathered are available at