Ferris wheel: A ring based onion circuit for hidden services Hakem Beitollahi ⇑ , Geert Deconinck Katholieke Universiteit Leuven, Electrical Engineering Department, Kasteelpark Arenberg 10, Leuven, Belgium article info Article history: Received 28 July 2011 Received in revised form 10 January 2012 Accepted 11 January 2012 Available online 20 January 2012 Keywords: Hidden services Location hiding Anonymity Traffic analysis attack Privacy abstract The capability that a server can hide its location while offering various kinds of services to its clients is called hidden services or location-hiding. Almost previous low-latency anonymous communication sys- tems such as Tor, MorphMix, etc., that can be used to implement hidden services are vulnerable against end-to-end traffic analysis attack. This paper introduces Ferris wheel, a novel architecture for implement- ing hidden services which is robust against end-to-end traffic analysis attack. Moreover, our scheme is more robust against various traffic analysis attacks than previous low-latency anonymous communica- tion architectures. Ó 2012 Elsevier B.V. All rights reserved. 1. Introduction The capability that a server node can hide its location (IP ad- dress) while offering various kinds of services (e.g., web pages) to clients is called hidden services or location-hiding. Hidden services were introduced to resist distributed DoS attacks since these at- tacks depend on the knowledge of their victim’s IP addresses [1]. The idea is that a victim server distributes its services (e.g., web pages) among multiple overlay nodes such that any overlay node takes a fraction of the services. Then any overlay node that hosts the services secretly gives the services to the clients through the Ferris wheel architecture which we discuss it in this paper. An overlay node that hosts a fraction of the services of the victim ser- ver is called a proxy server. We call it, the hidden server through- out this paper. The second advantages of a hidden server is that a server that is accessible but hidden can resist a variety of threats (both physical and logical) simply because it cannot be found. Location-hiding has also been recommended for preserving the anonymity of the services which need to resist censorship such as for dissidents or journalists publishing information accessible from anywhere [2]. Again, the idea is that the pages that resist cen- sorship are scattered among several overlay nodes and then over- lay nodes anonymously provides services to clients through the Ferris wheel architecture. Most activities in anonymous communications offer sender and relationship anonymity (see Section 2). In fact, the complementary problem, hiding user identity, has been well studied since the early 1980s. However, recent years have provided little literature on hid- den services such as Tor [3]. In fact, although almost low-latency anonymous communication systems such as MorphMix [4], Tarzan [5], Freedom [6], Web MIXes [7] can be used to enable hidden ser- vices through the rendezvous point protocol, only Tor [3] has de- ployed hidden services. Tor deployed hidden services in early 2004. When Tor deployed these services, it claimed that it is strongly robust against non-global adversaries. After that time, several attacks [8–11] have been demonstrated against Tor and have challenged the claim of Tor. In Tor, the security of the hidden service is only as strong as the position of the last node (exit node) is compromised in the circuit. In fact, if an adversary could monitor traffic of the exit node, then it can find the location of the hidden service immediately. This is not only the problem of Tor, but the problem of all other anonymous communication systems [12,7,5,4] that are based on linear onion circuits. A linear (serial) onion circuit is a circuit that starts from an en- try node (entry onion router), continues through some cascade middle onion routers and closures in an exit node (exit onion rou- ter). The entry and exit nodes are called endpoints in these circuits (Fig. 1). The clients’ traffic enters the circuit at the entry node, routes through middle onion routers and finally reaches the exit node. The exit node delivers traffic to the destination (e.g., the hid- den server). Tor [3], MorphMix [4], Tarzan [5], Web MIXes [7], Freedom [6] are examples of linear onion circuits. Previous works [10,13] show that, upon compromising (e.g., hacking or eavesdropping) the entry and exit points of a linear cir- cuit, it is possible to compromise the anonymity of a connection via traffic analysis. This is well-known as an end-to-end traffic analysis 0140-3664/$ - see front matter Ó 2012 Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2012.01.008 ⇑ Corresponding author. Tel.: +32 16321020. E-mail addresses: Hakem.Beitollahi@esat.kuleuven.be (H. Beitollahi), Geert.De- coninck@esat.kuleuven.be (G. Deconinck). Computer Communications 35 (2012) 829–841 Contents lists available at SciVerse ScienceDirect Computer Communications journal homepage: www.elsevier.com/locate/comcom