Dynamic Multipath Onion Routing in Anonymous Peer-To-Peer Overlay Networks Olaf Landsiedel, Alexis Pimenidis, Klaus Wehrle Heiko Niedermayer, Georg Carle Department of Computer Science Department of Computer Science RWTH Aachen University, Germany University of Tuebingen, Germany fi[email protected] fi[email protected] Abstract— Although recent years provided many protocols for Instead of using a static route between two nodes, MORE anonymous routing in overlay networks, they commonly rely on routes each packet along a different path to its destination – the same communication paradigm: Onion Routing. In Onion making timing and pattern attacks, as the one described above, Routing a static tunnel through an overlay network is build via layered encryption. All traffic exchanged by its end points is useless. Furthermore, the stateless forwarding is inspired by relayed through this tunnel. IP-routing. Thus, a relay does not maintain state and flow In contrast, this paper introduces dynamic multipath Onion information for connections as in today’s Onion Routers. This Routing to extend the static Onion Routing paradigm. This reduces the complexity of the design and the architecture, approach allows each packet exchanged between two end points allowing for the ease of implementation of relay nodes. to travel along a different path. To provide anonymity the first half of this path is selected by the sender and the second half Additionally, dynamic multipath Onion Routing results in an by the receiver of the packet. The results are manifold: First, improved load balancing compared to traditional static Onion dynamic multipath Onion Routing increases the resilience against Routing. As result the impact of misbehaving or overloaded threats, especially pattern and timing based analysis attacks. nodes on the throughput is reduced. Second, the dynamic paths reduce the impact of misbehaving Additionally, peer-to-peer networks have a number of prop- and overloaded relays. Finally, inspired by Internet routing, the forwarding nodes do not need to maintain any state about erties desired in Onion Routers: The large number of available ongoing flows and so reduce the complexity of the router. nodes, their geographic distribution and local jurisdiction and In this paper, we describe the design of our dynamic Multipath political backgrounds make such a widely distributed network Onion RoutEr (MORE) for peer-to-peer overlay networks, and an ideal candidate for anonymous communication and as result evaluate its performance. Furthermore, we integrate address our work bases on a peer-to-peer overlay. virtualization to abstract from Internet addresses and provide transparent support for IP applications. Thus, no application- The remainder of this paper is structured as follows. First, level gateways, proxies or modifications of applications are section II addresses related work and discusses the differences required to sanitize protocols from network level information. to our approach. Section III presents dynamic multipath Onion Acting as an IP-datagram service, our scheme provides a Routing and transparent support of IP applications. Section IV substrate for anonymous communication to a wide range of introduces anonymous services and section V evaluates the applications using TCP and UDP. performance of the proposed approach. Section VI discusses I. INTRODUCTION future work and concludes the paper. Anonymous routing and forwarding enables private com- munication in today’s Internet. Its applications include private II. RELATED WORK webbrowsing, online voting and anonymous email, chats and In this section, we address the differences of today’s content distribution. Syverson et al. proposed Onion Routing near real-time anonymous communication schemes to our [1] as a substrate to enable anonymous communication. Using approach. Their design principle dates back to the Chaumian Onion Routing, a host can connect to a server through a set of Mix [5], in which e-mail traffic is forwarded through a set relays and thereby hide its identity. Layered encryption ensures of cascading mixes to hide the sender’s identity. The traffic that each hop in the relay network can only decrypt the address enters one of the mixes and leaves the mix network at some of its successor in the relay chain. random point. To reduce the impact of malicious mixes, the To communicate, two nodes set up a route through the relay route through the mixes is set up via layered encryption (Onion network. As this route remains the same until the communica- Routing [1]). Thus, each mix only can decrypt the information tion between the two nodes has ended, the connection-based about its successor in the cascade. design of today’s Onion Routers enables practical attacks Based on the Onion Routing principle, various systems against the user’s anonymity such as [2]–[4]. For example, to have been proposed enabling near real-time communication attack a connection, the adversary applies a traffic pattern to for services like web browsing: Tor [6], Freedom [7] and Web one of the relays of the connection. This pattern then interferes Mixes [8]. These systems either use a centralized proxy for with the communication between the server and the node and relay or a set of known relays. With the success of peer-to- can be measured at both of them [2]. peer systems the peer-to-peer paradigm got adapted by various anonymous communication schemes such as as MorphMix [9], Hop 1 Hop 2 Hop 3 Hop 4 Receiver Data… Tarzan [10], AP3 [11], Cashmere [12], and information slicing Enc. with public key of rec. [13] . The large number of available nodes, their geographic Encrypted with public key of hop 4 distribution and local jurisdiction and political backgrounds Encrypted with public key of hop 3 make such a widely distributed peer-to-peer network an ideal candidate for anonymous communication. However, peer-to- Encrypted with public key of hop 2 peer networks suffer from the dynamics of nodes leaving Encrypted with public key of hop 1 and joining constantly and the heterogeneous bandwidth and Hops selected by the sender Hops selected by the receiver computing capacities of their nodes. Nonetheless, all systems mentioned above rely on static routes and are thereby suscep- Fig. 1. Path information: the layered public key encryption ensures that each tible to pattern- and timing-based attacks [2]–[4]. hop can only determine its successor. To our best knowledge, our work is the first to propose dynamic multipath Onion Routing, i.e. to route each packet along a different path, for low latency anonymous networks. adding its own public key to the header, it ensures that the Focusing on traffic analysis of Mobile IP systems and not relay itself can retrieve the symmetric key and determine its anonymity and Onion Routing, Fasbender et al. [14,15] show successor on the path (see figure 1). Applying this scheme to that changing Mobile IP agents on a regular basis makes traffic each hop, MORE ensures that each relay knows only about analysis unfeasible. The closest work to MORE is a theo- its successor. Additionally, padding packets to constant length retical paper by Serjantov and Murdoch [16] about splitting prevents relays from identifying the length of the path and large messages in remailer systems [17, 18]. It analyzes the their position in it. usage of independent routes for each packet of a message To reduce the computational and the bandwidth overhead to prevent an eavesdropper at the first mix from determining we use elliptic curve cryptography (ECC). Compared to RSA, the message size and therefore being able to correlate this ECC keys are significantly shorter. We use a key length of with an eavesdropper located near other mix nodes. As nodes 192 bit, which has a security level similar to 2048 bit RSA are repeatedly used as first relay in a path, the packet flow keys. Additionally, encryption, decryption, key generation, and is exponentially distributed to prevent the first relay from elliptic curve based Diffie-Hellmann key exchange (ECDH) estimating the message size. This theoretical analysis primarily are significantly faster than in RSA-based schemes [19]. refers to remailer systems. However, in private communication Additionally, the sender adds a return route – leading back its authors confirmed that most arguments in terms of security to itself – to the packet. Using this return route, the receiver and threat analysis also apply to Onion Routing. can send an answer back to the sender. When forwarding a packet, a relay stores the previous and next relays and the III. INTRODUCING THE MORE APPROACH corresponding key for some minutes to prevent the reuse of routes. This is important as the repeated use of a route would This section introduces dynamic multipath Onion Routing. enable pattern and timing based attacks and so threaten the In particular, we discuss the architecture of MORE. anonymity of the path destination. Today’s Onion Routers operate flow oriented. Thus, when a flow between two end points is set up, each relay stores A. Path Concatenation session information, e.g. symmetric keys, state information, successor, and predecessor. In contrast, MORE allows each So far, we discussed how a sender can communicate anony- packet to travel along a different path. To provide anonymity mously with a known receiver. However, we did not discuss the first half of this path is selected by the sender and the how the receiver itself can stay anonymous and so offer for second half by the receiver of the packet. As MORE operates example a hidden service. connectionless, a session setup as in today’s Onion Routers We propose a path concatenation scheme to enable receiver cannot be done1 and is unnecessary2. Therefore, in MORE, anonymity. An anonymous service (hidden service) publishes each packet needs to maintain the information about the relays routes to itself in some out-of-band media (see section III-B).