08-17-2017, 12:27 AM
Seminar on Nymble: Anonymous IP-Address Blocking
[attachment=652]
Abstract
. Anonymizing networks such as Tor allow users to access Internet services
privately using a series of routers to hide the client s IP address from the
server. Tor s success, however, has been limited by users employing this anonymity
for abusive purposes, such as defacingWikipedia.Website administrators rely on IPaddress
blocking for disabling access to misbehaving users, but this is not practical
if the abuser routes through Tor. As a result, administrators block all Tor exit nodes,
denying anonymous access to honest and dishonest users alike.
Introduction
Anonymizing networks such as Crowds [25] and Tor [15] route traffic through independent
nodes in separate administrative domains to hide the originating IP address. Unfortunately,
misuse has limited the acceptance of deployed anonymizing networks. The anonymity provided
by such networks prevents website administrators from blacklisting individual malicious
users IP addresses; to thwart further abuse, they blacklist the entire anonymizing
network. Such measures eliminate malicious activity through anonymizing networks at the
cost of denying anonymous access to honest users. In other words, a few bad apples can
spoil the fun for all. (This has happened repeatedly with Tor.3).
Related Work
Anonymous credential systems such as Camenisch and Lysyanskaya s [7,8] use group signatures
for anonymous authentication, wherein individual users are anonymous among a
group of registered users. Non-revocable group signatures such as Ring signatures [26]
provide no accountability and thus do not satisfy our needs to protect servers from misbehaving
users. Basic group signatures [1,2,3,12] allow revocation of anonymity by no
one except the group manager. As only the group manager can revoke a user s anonymity,
servers have no way of linking signatures to previous ones and must query the group manager
for every signature; this lack of scalability makes it unsuitable for our goals. Traceable
signatures [18,30] allow the group manager to release a trapdoor that allows all signatures
generated by a particular user to be traced; such an approach does not provide the
backward anonymity that we desire, where a user s accesses before the complaint remain
anonymous. Specifically, if the server is interested in blocking only future accesses of bad
users, then such reduction of user anonymity is unnecessarily drastic. When a user makes
an anonymous connection the connection should remain anonymous. And misbehaving
users should be blocked from making further connections after a complaint.