Towards A Stronger Peer-to-peer Anonymous System
Abstract
Anonymous communications systems on the Internet provides protection against
eavesdroppers and others that seek to link users with their communications. These systems
have many important applications in areas such as law enforcement, intelligence
gathering, business privacy, anonymous publishing, and personal privacy. Currently deployed
systems rely on a relatively small set of advertised servers to forward messages
for the user. These systems can suffer from scalability problems, with potentially large
bandwidth and system overhead costs, and the servers themselves can be targets of direct
attacks.
Peer-to-peer anonymous communications systems, such as Tarzan[1] and MorphMix
[2], have been proposed as a way to alleviate these problems with a large and
dynamic set of peers acting as servers. This makes direct attacks less effective and increases
scalability. Tarzan, however, requires that each peer know the identity of all
other peers, which makes it highly vulnerable to intersection attacks 2.7 and does not
scale beyond 10,000 nodes [2]. MorphMix does not have this requirement, but it requires that users allow other peers to choose the peers that will help forward the users
messages; attacker controlled peers will always select other colluding peers to be on the
path. Although the authors of MorphMix propose a collusion detection scheme, attackercontrolled
peers will be able to choose their colluding partners as forwarding nodes far
too often while the detection algorithm is still learning. The fundamental problem is one
of selecting peers independently at random, to ensure unbiased path selection, while not
distributing lists of all the peers in the system to all other peers.
We propose a new peer-to-peer anonymous communications system using distributed
hash tables (DHTs). Similar to peer-to-peer file-sharing systems that use
DHTs 2.9, our system maps each IP address to a point on the id space using consistent
hashing. We further divide the id space into groups, conceptually organized as a
binary tree for purposes of node lookup. Each node has knowledge of all the nodes in its
own group, as well as knowing a limited number of nodes in other groups. This knowledge
is enough to effectively route lookups throughout the system. Nodes use redundancy and
probabilistic checking when performing lookups to prevent malicious nodes from returning
false information without detection.
We show that our scheme prevents attackers from biasing path selection, while
incurring moderate overheads, as long as the fraction of malicious nodes is less than
20%. Additionally, the system prevents attackers from obtaining a snapshot of the entire
system until the number of attackers grows too large (e.g. 15% for 10000 peers and
256 groups). The number of groups can be used as a tunable parameter in the system,
depending on the number of peers, that can be used to balance performance and security.