Evaluation of the model based on Tor

Four sets of tests are configured in this first evaluation in order to simulate the direct and indirect (through Tor) resolution of queries betweenR andG: (1) DNS resolutions; (2) DNSSEC resolutions;

(3) DNS resolutions through Tor; and (4) DNSSEC resolutions through Tor. A direct connection is used in the first two sets of tests. We tag these tests as Direct DNS tests andDirect DNSSEC tests.

An indirect connection based on SOCKS4a is used for the last two sets of tests. A Tor client version 0.1.2.18 (available athttps://www.torproject.org) is executed in the systemRredirecting the traffic

Bandwidth class

996KB/s 621KB/s 111KB/s 59KB/s 29KB/s <29KB/s

131 130 338 315 406 158

Table 4.3:Available nodes in the Tor network during the experiments, and classified by bandwidth

of the queries through messages SOCK4a towards the set of servers inG. We tag these two last tests asTorified DNS testsandTorified DNSSEC tests. The management of queries and responses DNS and DNSSEC inRare performed by means of an application based on the NET::DNS library (available at https://www.net-dns.org) and developed inPerl. Each query is executed as an independent process inR. The execution ofnqueries implies, therefore, the execution ofnindependent processes inR.

The activity and state of the Tor network at the start of our experiments is analysed byTorFlow, a set of scripts developed in Python and available athttps://svn.torproject.org/svn/torflow/. The Table4.3shows a summary of the set of nodes available in the Tor network during our experiments, and classified according to the bandwidth reported by severalDirectory Servers(DS). We can observe that more than one thousand four hundred nodes are available for redirecting the traffic of our experiments.

The Tor client installed inRis configured by default. For this reason, the length of the built circuits is three. The percentage of disconnection reported byTorFlowis 12% (with an error margin of 8%).

According to [26], the reliability of the Tor circuits can be estimated as follows. Letl the length of the circuits (three nodes per circuit in our case). Letf the reliability of each node (88% as we have shown previously). The reliability of each circuit can be estimated asf^l. Thus, we can assume a 68% of reliability for each one of the Tor circuits that are used in our experiments.

We show in Figure4.1the results that we obtained during the execution of these four experiments.

Figure4.1ashows the execution of the tests tagged asDirect DNS testsandTorified DNS tests. Figure 4.1bdepicts the results of the tests tagged asDirect DNSSEC testsandTorified DNSSEC tests. Each group of tests is executed several times in order to generate different series of random queries from the set N. Each series is stored persistently during the execution of the firs set of tests (Direct DNS tests) and loaded in the rest of tests — with the aim of facilitating the comparison of results. On the first hand, we can appreciate by looking at the first curve of Figure4.1aand4.1bsome minor differences between the queries based on DNS and DNSSEC. On the other hand, each series of tests that belongs to the Torified DNSandTorified DNSSECexperiments is executed using different Tor circuits. As we described in Section4.4, the dynamic disconnections of nodes in the Tor network lead the creation of more circuits for each series. Consequently, the application inRwas forced to repeat the queries in some cases. These node disconnections are reflected in Figure4.1aand4.1bwith the worst times shown in the confidence intervals for each series. In spite of this, we would like to remark the fact that under such extreme cases the total times can be considered as acceptable. Moreover, all the queries were evaluated and resolved. We also consider that the impact of including DNSSEC with Tor is negligible, acceptable, and recommended, specially, if we take into account that it provides security properties such as integrity, authenticity and denial-of-existence. These properties are essential to detect and prevent Man-In-the-Middle attacks that could be perpetrated by Tor exit nodes. In that sense, we did not experience any alteration of the signatures related to the response records inN, and queried againstGthrough the Tor

10 20 30 40 50 60 70

20 30 40 50 60 70 80 90 100

Resolution Time (s)

Number of queries Latency of DNS tests

Direct DNS lookup Torified DNS lookup

(a)Direct vs. torified DNS tests

10 20 30 40 50 60 70

20 30 40 50 60 70 80 90 100

Resolution Time (s)

Number of queries Latency of DNSSEC tests

Direct DNSSEC lookup Torified DNSSEC lookup

(b)Direct vs. torified DNSSEC tests

Figure 4.1:Experimental results of the evaluation of the Tor model

network.

Motivated by the need of knowing the degree of anonymity that we should expect during the experiments, we adopted the same strategy presented in [17]. We estimated the anonymity degree by means of the probability distribution associated to the Tor nodes [50,122], and that we will formalise in Chapter5. LetN the total number of nodes in the Tor network. Letp(x_i)the probability that the nodexi is selected to be part of a circuit. We can calculate the degree of anonymity by means of the following metric based on the concept of entropy [125]:

H(N) =− X

x_i∈N

p(x_i)·log₂(p(x_i))

According to the previous expression, if each Tor node has the same probability of being included in a circuit, and the measured entropyH(N)is normalised by dividing bylog2(|N|), we will obtain the

maximum degree of anonymity 1. However, the algorithm for the construction of Tor circuits associates a higher probability to the nodes that exhibit better performance in terms of bandwidths, or up-times among others. Thus, we can not assume that the probability will be the same for each node. Using the toolTorFlow, we approximate the valueH(N) by grouping the general set of nodes in different categories according to their bandwidths, and by building several circuits associated to each category.

The estimated normalised entropy obtained is 0.89.

As we introduced in Section4.4, the security model of Tor presents certain vulnerabilities that could be exploited by an attacker with the aim of degrading the previous value. If the attacker controls an elevated number of nodes in the network, it can try to correlate information reported by entry and exit nodes that belong to the same circuit. Under such circumstances, the attacker could obtain the location (IP address) of the client that built the circuit, the destination (IP address) of the messages, and potentially the content of each message. The main goal of the attacker is then to guarantee that their nodes have a higher probability of being selected during the construction of the circuits. In accordance with the original developers of Tor [52], if an adversary controlsm > 1nodes from a total ofN, it could potentially correlate the traffic of the network with a probability of ^m_N²

. In [17], the authors show that by injecting false information in theDirectory Serversof Tor, it is possible to increment the selection probability associated to the nodes. In fact, the authors claim that the previous model should be replaced by ^m_{n m−1}

N−1

, arguing that this new model takes into account that a node is only used one time per circuit.

Using this second model, the authors present an experimental implementation of their proposal using a private Tor network deployed under PlanetLab [113]. The results that they obtained turned out to be seventy times better that the expected analytical values, being the number of controlled nodes from 5% to 10% of the total of the network. The same percentage of compromised nodes in the network used four our experiments would suppose that a hypothetical attacker controls from seventy to more than one hundred nodes. The analytical prediction from the proposed model would indicate that the number of potentially compromised circuits in this case would be between 0.21% and 0.67% of the total circuits of the Tor network. Assuming that the attack presented in [17] scales correctly in the network, and maintaining the improvement reported by the authors, we should consider that the degree of anonymity obtained from the network during our experiments would be, in the best case, close to a valueH(N)of 0.89 and, in the worst case assuming an attack like the one presented in [17], around 0.45.