Without any sophisticated techniques, an adversary performing surveillance
on the outside of any of these devices would be able to reconstruct individual
TCP/IP connections, but would be unable to group those connections into user
sessions. The adversary would be forced to sessionize them manually. This would
involve evaluating the web content of every single connection and making a
best guess at which ones belong together. The problem is akin to accurately
assembling the pieces of many jigsaw puzzles jumbled together in one box.
The Link Chaining Attack (LCA) of this research aids the adversary by automatically organizing TCP connections into groups we call session fragments. Fragments are formed by following HTML hyperlinks across multiple TCP connections. These fragments are much larger than individual connections, and allow the adversary to assemble sessions more quickly.
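To make the fragment-forming idea concrete, here is an added toy implementation (not the paper's code). It assumes each captured connection has been reduced to the URL requested and the HTML returned, and uses one assumed chaining rule: a connection is attached to the most recent earlier connection whose response advertised its URL as an href. Connected components of that chain graph are the session fragments. The connection list is constructed for the example.

```python
"""Toy link-chaining sessionizer (added example, not the paper's code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin


class _HrefCollector(HTMLParser):
    """Collect every <a href=...> target in a response body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(base_url, html):
    """Return the absolute URLs advertised by one response body."""
    p = _HrefCollector()
    p.feed(html)
    return {urljoin(base_url, h) for h in p.hrefs}


def chain_fragments(connections):
    """Group connections into session fragments by following hyperlinks.

    connections: list of (timestamp, requested_url, response_html) in capture
    order. Returns a list of fragments, each a sorted list of connection indices.
    Chaining rule (assumption): attach connection j to the most recent earlier
    connection i whose response contained a link to j's URL.
    """
    parent = list(range(len(connections)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(a, b):
        parent[find(a)] = find(b)

    advertised = [extract_links(url, html) for _, url, html in connections]
    for j, (t_j, url_j, _) in enumerate(connections):
        for i in reversed(range(j)):
            if connections[i][0] <= t_j and url_j in advertised[i]:
                union(i, j)
                break

    groups = {}
    for idx in range(len(connections)):
        groups.setdefault(find(idx), []).append(idx)
    return sorted(groups.values())


# Constructed capture: two interleaved browsing sessions plus one stray hit.
SAMPLE_CONNECTIONS = [
    (1, "http://site-a.example/", '<a href="/news">news</a><a href="/about">about</a>'),
    (2, "http://site-b.example/", '<a href="http://site-b.example/login">login</a>'),
    (3, "http://site-a.example/news", '<a href="/news/42">story</a>'),
    (4, "http://site-b.example/login", ""),
    (5, "http://site-a.example/news/42", ""),
    (6, "http://site-c.example/", ""),
]

if __name__ == "__main__":
    for frag in chain_fragments(SAMPLE_CONNECTIONS):
        print("fragment:", [SAMPLE_CONNECTIONS[i][1] for i in frag])
```

On the constructed capture the three site-a connections chain into one fragment, the two site-b connections into another, and the site-c hit stays a singleton, which is exactly the "much larger than individual connections" effect the text describes; a page reached by typing a URL or from a bookmark starts a new fragment because no earlier response advertised it.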
1.1 Related Work
There are three types of devices that pose increasing levels of difficulty to the problem of grouping traffic into user sessions (mutually disjoint same-host sets).
1. NAT
2. Plain HTTP Proxy
3. Anonymizing HTTP Proxy
Although none are designed specifically for surveillance, existing techniques [4] [5] can be used to sessionize traffic collected from the outside of NATs and plain HTTP proxies, but not anonymizing HTTP proxies. The LCA was designed to operate under the strict conditions of an anonymizing HTTP proxy. There is no known existing technique for doing this. The following three sections will explain why.
1.2 NAT
With NAT in place, a large number of private addresses are mapped to a small number of public addresses (often just one), so all traffic looks like it is coming from a single host. When all communication is with the same IP, there is no obvious way to differentiate the streams of traffic generated by individual hosts.
Existing attacks like Bellovin's IPid technique [4] can be re-purposed to group NATed web traffic into user sessions. These attacks exploit the fact that most NAT devices are configured to re-write only the IP address of packets. Other fields are left untouched, passing through NAT unchanged from their originating host. Bellovin traces the unchanged IPid field to reveal which packets come from the same host.
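The following added example (not from the paper or from Bellovin's tool) shows the counter-tracking step behind the IPid technique. It assumes what the technique relies on: each host behind the NAT increments its 16-bit IP identification field by one per packet and the NAT passes the field through unchanged. Each observed packet is assigned to the existing track whose last ID sits a small step below the new one, otherwise it opens a new track. The packet samples are constructed; the second sample uses randomized IDs to show why a host that randomizes the field (as current operating systems commonly do) defeats the grouping.

```python
"""IP-ID counter tracking of packets seen outside a NAT (added example)."""

MAX_GAP = 64  # unseen packets a host may have sent between observations (assumption)
ID_SPACE = 1 << 16  # the IP identification field is 16 bits wide


def group_by_ipid(packets, max_gap=MAX_GAP):
    """Group packets that appear to share one incrementing IP-ID counter.

    packets: list of (timestamp, ip_id) observed from the NAT's public address,
    in capture order. Returns a list of tracks, each a list of packet indices.
    """
    tracks = []  # each track: {"last": last ip_id seen, "members": [indices]}
    for idx, (_, ip_id) in enumerate(packets):
        best, best_gap = None, None
        for tr in tracks:
            gap = (ip_id - tr["last"]) % ID_SPACE  # handles the 65535 -> 0 wrap
            if 0 < gap <= max_gap and (best_gap is None or gap < best_gap):
                best, best_gap = tr, gap
        if best is None:
            best = {"last": ip_id, "members": []}
            tracks.append(best)
        best["last"] = ip_id
        best["members"].append(idx)
    return [tr["members"] for tr in tracks]


def estimate_hosts(packets, max_gap=MAX_GAP):
    """Number of distinct counters observed, i.e. the inferred host count."""
    return len(group_by_ipid(packets, max_gap))


# Constructed capture: two hosts with sequential counters, interleaved.
SEQUENTIAL_PACKETS = [
    (0.00, 1000), (0.01, 5000), (0.02, 1001), (0.03, 1002),
    (0.04, 5001), (0.05, 1003), (0.06, 5002),
]

# Constructed capture: one host whose OS randomizes the IP-ID field.
RANDOMIZED_PACKETS = [(0.00, 41231), (0.01, 3), (0.02, 60000), (0.03, 12345)]

if __name__ == "__main__":
    print("sequential:", group_by_ipid(SEQUENTIAL_PACKETS))
    print("randomized:", group_by_ipid(RANDOMIZED_PACKETS))
```

With sequential counters the two interleaved hosts separate cleanly into two tracks; with randomized IDs every packet opens its own track, so the inferred host count is meaningless. That dependence on a predictable IP-ID counter is why the text lists NAT as the easiest of the three cases, and why randomizing the field on end hosts is the corresponding mitigation.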
1.3 Plain HTTP Proxy
Web proxies are middlemen that fulfill transactions on the client's behalf. Without a web proxy, HTTP clients talk directly to HTTP servers. With a web proxy,