Akshaya Mani

Muhammad Umar Janjua, Akshaya Mani, Uğur Şen et al.

Privacy and anonymity of validators, especially regarding IP address linkability, are essential to protect the Ethereum network from various attacks. Network-level attacks, such as DoS, can interrupt validators and affect the overall security of the Ethereum network. Correlating the IP addresses of validators with their identities, along with knowledge about their action slots can be exploited by attackers to cause network delays, MEV exploitation, and finality risks. Therefore, ensuring the unlinkability of a validator's IP and identity is crucial for maintaining the network's trust and resilience. In this techreport, we first provide a review of the existing network and consensus layer techniques that have been proposed for maintaining validator privacy in the Ethereum blockchain. Secondly, we evaluate a Tor-based protocol named Tor push that helps unlink validator identities (IDs) from their nodes' IP addresses, thereby making it difficult to determine any end-to-end correlation between validator IDs and IP addresses of validators' beacon nodes. To evaluate the effectiveness of Tor push, we present a working, deployed proof-of-concept (PoC) implementation in the Nimbus Ethereum client. Our PoC deployment pushes attestations, aggregations, and block proposals over Tor to the Goerli testnet. Furthermore, we also analyse the security and latency of Tor push. Our experimental results suggest that Tor can be incorporated into the existing Ethereum network with a tolerable latency overhead of 613.82 ms on average and without compromising the overall network performance while enhancing the location privacy of validators in the Ethereum network.

Akshaya Mani, T Wilson-Brown, Rob Jansen et al.

The Tor anonymity network is difficult to measure because, if not done carefully, measurements could risk the privacy (and potentially the safety) of the network's users. Recent work has proposed the use of differential privacy and secure aggregation techniques to safely measure Tor, and preliminary proof-of-concept prototype tools have been developed in order to demonstrate the utility of these techniques. In this work, we significantly enhance two such tools--PrivCount and Private Set-Union Cardinality--in order to support the safe exploration of new types of Tor usage behavior that have never before been measured. Using the enhanced tools, we conduct a detailed measurement study of Tor covering three major aspects of Tor usage: how many users connect to Tor and from where do they connect, with which destinations do users most frequently communicate, and how many onion services exist and how are they used. Our findings include that Tor has ~8 million daily users (a factor of four more than previously believed) while Tor user IPs turn over almost twice in a 4 day period. We also find that ~40% of the sites accessed over Tor have a torproject.org domain name, ~10% of the sites have an amazon.com domain name, and ~80% of the sites have a domain name that is included in the Alexa top 1 million sites list. Finally, we find that ~90% of lookups for onion addresses are invalid, and more than 90% of attempted connections to onion services fail.

Akshaya Mani, Tavish Vaidya, David Dworken et al.

Open proxies forward traffic on behalf of any Internet user. Listed on open proxy aggregator sites, they are often used to bypass geographic region restrictions or circumvent censorship. Open proxies sometimes also provide a weak form of anonymity by concealing the requestor's IP address. To better understand their behavior and performance, we conducted a comprehensive study of open proxies, encompassing more than 107,000 listed open proxies and 13M proxy requests over a 50 day period. While previous studies have focused on malicious open proxies' manipulation of HTML content to insert/modify ads, we provide a more broad study that examines the availability, success rates, diversity, and also (mis)behavior of proxies. Our results show that listed open proxies suffer poor availability--more than 92% of open proxies that appear on aggregator sites are unresponsive to proxy requests. Much more troubling, we find numerous examples of malicious open proxies in which HTML content is manipulated to mine cryptocurrency (that is, cryptojacking). We additionally detect TLS man-in-the-middle (MitM) attacks, and discover numerous instances in which binaries fetched through proxies were modified to include remote access trojans and other forms of malware. As a point of comparison, we conduct and discuss a similar measurement study of the behavior of Tor exit relays. We find no instances in which Tor relays performed TLS MitM or manipulated content, suggesting that Tor offers a far more reliable and safe form of proxied communication.