Anne Edmundson
Princeton University
Publication
Featured research published by Anne Edmundson.
IEEE Symposium on Security and Privacy | 2017
Yixin Sun; Anne Edmundson; Nick Feamster; Mung Chiang; Prateek Mittal
Tor is vulnerable to network-level adversaries who can observe both ends of the communication to deanonymize users. Recent work has shown that Tor is susceptible to the previously unknown active BGP routing attacks, called RAPTOR attacks, which expose Tor users to more network-level adversaries. In this paper, we aim to mitigate and detect such active routing attacks against Tor. First, we present a new measurement study on the resilience of the Tor network to active BGP prefix attacks. We show that ASes with high Tor bandwidth can be less resilient to attacks than other ASes. Second, we present a new Tor guard relay selection algorithm that incorporates resilience of relays into consideration to proactively mitigate such attacks. We show that the algorithm successfully improves the security for Tor clients by up to 36% on average (up to 166% for certain clients). Finally, we build a live BGP monitoring system that can detect routing anomalies on the Tor network in real time by performing an AS origin check and novel detection analytics. Our monitoring system successfully detects simulated attacks that are modeled after multiple known attack types as well as a real-world hijack attack (performed by us), while having low false positive rates.
ACM Special Interest Group on Data Communication | 2016
Anne Edmundson; Roya Ensafi; Nick Feamster; Jennifer Rexford
An increasing number of countries are passing laws that facilitate the mass surveillance of their citizens. In response, governments and citizens are increasingly paying attention to the countries that their Internet traffic traverses. In some cases, countries are taking extreme steps, such as building new IXPs and encouraging local interconnection to keep local traffic local. We find that although many of these efforts are extensive, they are often futile, due to the inherent lack of hosting and route diversity for many popular sites. We investigate how the use of overlay network relays and the DNS open resolver infrastructure can prevent traffic from traversing certain jurisdictions.
Computer and Communications Security | 2018
Benjamin E. Ujcich; Samuel Jero; Anne Edmundson; Qi Wang; Richard Skowyra; James W. Landry; Adam M. Bates; William H. Sanders; Cristina Nita-Rotaru; Hamed Okhravi
Software-defined networking (SDN) continues to grow in popularity because of its programmable and extensible control plane realized through network applications (apps). However, apps introduce significant security challenges that can systemically disrupt network operations, since apps must access or modify data in a shared control plane state. If our understanding of how such data propagate within the control plane is inadequate, apps can co-opt other apps, causing them to poison the control plane's integrity. We present a class of SDN control plane integrity attacks that we call cross-app poisoning (CAP), in which an unprivileged app manipulates the shared control plane state to trick a privileged app into taking actions on its behalf. We demonstrate how role-based access control (RBAC) schemes are insufficient for preventing such attacks because they neither track information flow nor enforce information flow control (IFC). We also present a defense, ProvSDN, that uses data provenance to track information flow and serves as an online reference monitor to prevent CAP attacks. We implement ProvSDN on the ONOS SDN controller and demonstrate that information flow can be tracked with low-latency overheads.
The Compass | 2018
Anne Edmundson; Roya Ensafi; Nick Feamster; Jennifer Rexford
While the growth of the Internet has fostered more efficient communications around the world, there is a large digital divide between Western countries and the rest of the world. Countries such as Brazil, China, and Saudi Arabia have questioned and criticized America's Internet hegemony. This paper studies the extent to which various countries rely on the United States and other Western countries to connect to popular Internet destinations in those countries. Unfortunately, our measurements reveal that underserved regions are dependent on North American and Western European regions for two reasons: local content is often hosted in foreign countries (such as the United States and the Netherlands), and networks within a country often fail to peer with one another. Fortunately, we also find that routing traffic through strategically placed relay nodes can in some cases reduce the number of transnational routing detours by more than a factor of two, which subsequently reduces the dependence of underserved regions on other regions. Based on these findings, we design and implement Region-Aware Networking, RAN, a lightweight system that routes a client's web traffic around specified countries with no modifications to client software (and in many cases with little performance overhead).
USENIX Security Symposium | 2015
Yixin Sun; Anne Edmundson; Laurent Vanbever; Oscar Li; Jennifer Rexford; Mung Chiang; Prateek Mittal
arXiv: Networking and Internet Architecture | 2016
Anne Edmundson; Roya Ensafi; Nick Feamster; Jennifer Rexford
Foundations of Computational Intelligence | 2014
Anne Edmundson; Anna Kornfeld Simpson; Joshua A. Kroll; Edward W. Felten
USENIX Security Symposium | 2018
Philipp Winter; Anne Edmundson; Laura M. Roberts; Agnieszka Dutkowska-Zuk; Marshini Chetty; Nick Feamster
USENIX Security Symposium | 2018
Henry Birge-Lee; Yixin Sun; Anne Edmundson; Jennifer Rexford; Prateek Mittal
arXiv: Networking and Internet Architecture | 2018
Paul Schmitt; Anne Edmundson; Nick Feamster