Your level of anonymity can be described as "how hard it is for someone to find out information you don't want them to know?" - who you are, where you are located, who you communicate with, or even when you communicate. "Perfect" anonymity is not a useful concept here - software will not make you indistinguishable from people that don't use computers or who are not on the Internet. Instead, we are working to provide sufficient anonymity to meet the real needs of whomever we can - from those simply browsing websites, to those exchanging data, to those fearful of discovery by powerful organizations or states.
The question of whether I2P provides sufficient anonymity for your particular needs is a hard one, but this page will hopefully assist in answering that question by exploring how I2P operates under various attacks so that you may decide whether it meets your needs.
We welcome further research and analysis on I2P's resistance to the threats described below. More review of existing literature (much of it focused on Tor) and original work focused on I2P is needed.
I2P builds off the ideas of many other systems, but a few key points should be kept in mind when reviewing related literature:
We have documented plans to implement nontrivial delays and batching strategies whose existence is only known to the particular hop or tunnel gateway that receives the message, allowing a mostly low latency mixnet to provide cover traffic for higher latency communication (e.g. email). However we are aware that significant delays are required to provide meaningful protection, and that implementation of such delays will be a significant challenge. It is not clear at this time whether we will actually implement these delay features.
In theory, routers along the message path may inject an arbitrary number of hops before forwarding the message to the next peer, though the current implementation does not.
I2P design started in 2003, not long after the advent of [Onion Routing], [Freenet], and [Tor]. Our design benefits substantially from the research published around that time. I2P uses several onion routing techniques, so we continue to benefit from the significant academic interest in Tor.
Taking from the attacks and analysis put forth in the anonymity literature (largely Traffic Analysis: Protocols, Attacks, Design Issues and Open Problems), the following briefly describes a wide variety of attacks as well as many of I2Ps defenses. We update this list to include new attacks as they are identified.
Included are some attacks that may be unique to I2P. We do not have good answers for all these attacks, however we continue to do research and improve our defenses.
In addition, many of these attacks are significantly easier than they should be, due to the modest size of the current network. While we are aware of some limitations that need to be addressed, I2P is designed to support hundreds of thousands, or millions, of participants. As we continue to spread the word and grow the network, these attacks will become much harder.
The network comparisons and "garlic" terminology pages may also be helpful to review.
A brute force attack can be mounted by a global passive or active adversary, watching all the messages pass between all of the nodes and attempting to correlate which message follows which path. Mounting this attack against I2P should be nontrivial, as all peers in the network are frequently sending messages (both end to end and network maintenance messages), plus an end to end message changes size and data along its path. In addition, the external adversary does not have access to the messages either, as inter-router communication is both encrypted and streamed (making two 1024 byte messages indistinguishable from one 2048 byte message).
However, a powerful attacker can use brute force to detect trends - if they can send 5GB to an I2P destination and monitor everyone's network connection, they can eliminate all peers who did not receive 5GB of data. Techniques to defeat this attack exist, but may be prohibitively expensive (see: Tarzan's mimics or constant rate traffic). Most users are not concerned with this attack, as the cost of mounting it are extreme (and often require illegal activity). However, the attack is still possible, for example by an observer at a large ISP or an Internet exchange point. Those who want to defend against it would want to take appropriate countermeasures, such as setting low bandwidth limits, and using unpublished or encrypted leasesets for eepsites. Other countermeasures, such as nontrivial delays and restricted routes, are not currently implemented.
As a partial defense against a single router or group of routers trying to route all the network's traffic, routers contain limits as to how many tunnels can be routed through a single peer. As the network grows, these limits are subject to further adjustment. Other mechanisms for peer rating, selection and avoidance are discussed on the peer selection page.
I2P's messages are unidirectional and do not necessarily imply that a reply will be sent. However, applications on top of I2P will most likely have recognizable patterns within the frequency of their messages - for instance, an HTTP request will be a small message with a large sequence of reply messages containing the HTTP response. Using this data as well as a broad view of the network topology, an attacker may be able to disqualify some links as being too slow to have passed the message along.
This sort of attack is powerful, but its applicability to I2P is non obvious, as the variation on message delays due to queuing, message processing, and throttling will often meet or exceed the time of passing a message along a single link - even when the attacker knows that a reply will be sent as soon as the message is received. There are some scenarios which will expose fairly automatic replies though - the streaming library does (with the SYN+ACK) as does the message mode of guaranteed delivery (with the DataMessage+DeliveryStatusMessage).
Without protocol scrubbing or higher latency, global active adversaries can gain substantial information. As such, people concerned with these attacks could increase the latency (using nontrivial delays or batching strategies), include protocol scrubbing, or other advanced tunnel routing techniques, but these are unimplemented in I2P.
References: Low-Resource Routing Attacks Against Anonymous Systems
Intersection attacks against low latency systems are extremely powerful - periodically make contact with the target and keep track of what peers are on the network. Over time, as node churn occurs the attacker will gain significant information about the target by simply intersecting the sets of peers that are online when a message successfully goes through. The cost of this attack is significant as the network grows, but may be feasible in some scenarios.
In summary, if an attacker is at both ends of your tunnel at the same time, he may be successful. I2P does not have a full defense to this for low latency communication. This is an inherent weakness of low-latency onion routing. Tor provides a similar disclaimer.
Partial defenses implemented in I2P:
In the future, it could for peers who can afford significant delays (per nontrivial delays and batching strategies). In addition, this is only relevant for destinations that other people know about - a private group whose destination is only known to trusted peers does not have to worry, as an adversary can't "ping" them to mount the attack.
Reference: One Cell Enough
There are a whole slew of denial of service attacks available against I2P, each with different costs and consequences:
Tagging attacks - modifying a message so that it can later be identified further along the path - are by themselves impossible in I2P, as messages passed through tunnels are signed. However, if an attacker is the inbound tunnel gateway as well as a participant further along in that tunnel, with collusion they can identify the fact that they are in the same tunnel (and prior to adding unique hop ids and other updates, colluding peers within the same tunnel can recognize that fact without any effort). An attacker in an outbound tunnel and any part of an inbound tunnel cannot collude however, as the tunnel encryption pads and modifies the data separately for the inbound and outbound tunnels. External attackers cannot do anything, as the links are encrypted and messages signed.
Partitioning attacks - finding ways to segregate (technically or analytically) the peers in a network - are important to keep in mind when dealing with a powerful adversary, since the size of the network plays a key role in determining your anonymity. Technical partitioning by cutting links between peers to create fragmented networks is addressed by I2P's built in network database, which maintains statistics about various peers so as to allow any existing connections to other fragmented sections to be exploited so as to heal the network. However, if the attacker does disconnect all links to uncontrolled peers, essentially isolating the target, no amount of network database healing will fix it. At that point, the only thing the router can hope to do is notice that a significant number of previously reliable peers have become unavailable and alert the client that it is temporarily disconnected (this detection code is not implemented at the moment).
Partitioning the network analytically by looking for differences in how routers and destinations behave and grouping them accordingly is also a very powerful attack. For instance, an attacker harvesting the network database will know when a particular destination has 5 inbound tunnels in their LeaseSet while others have only 2 or 3, allowing the adversary to potentially partition clients by the number of tunnels selected. Another partition is possible when dealing with the nontrivial delays and batching strategies, as the tunnel gateways and the particular hops with non-zero delays will likely stand out. However, this data is only exposed to those specific hops, so to partition effectively on that matter, the attacker would need to control a significant portion of the network (and still that would only be a probabilistic partition, as they wouldn't know which other tunnels or messages have those delays).
Also discussed on the network database page (bootstrap attack).
The predecessor attack is passively gathering statistics in an attempt to see what peers are 'close' to the destination by participating in their tunnels and keeping track of the previous or next hop (for outbound or inbound tunnels, respectively). Over time, using a perfectly random sample of peers and random ordering, an attacker would be able to see which peer shows up as 'closer' statistically more than the rest, and that peer would in turn be where the target is located.
I2P avoids this in four ways: first, the peers selected to participate in tunnels are not randomly sampled throughout the network - they are derived from the peer selection algorithm which breaks them into tiers. Second, with strict ordering of peers in a tunnel, the fact that a peer shows up more frequently does not mean they're the source. Third, with permuted tunnel length (not enabled by default) even 0 hop tunnels can provide plausible deniability as the occasional variation of the gateway will look like normal tunnels. Fourth, with restricted routes (unimplemented), only the peer with a restricted connection to the target will ever contact the target, while attackers will merely run into that gateway.
The current tunnel build method was specifically designed to combat the predecessor attack. See also the intersection attack.
References: http://prisms.cs.umass.edu/brian/pubs/wright.tissec.2008.pdf which is an update to the 2004 predecessor attack paper http://prisms.cs.umass.edu/brian/pubs/wright-tissec.pdf.
"Harvesting" means compiling a list of users running I2P. It can be used for legal attacks and to help other attacks by simply running a peer, seeing who it connects to, and harvesting whatever references to other peers it can find.
I2P itself is not designed with effective defenses against this attack, since there is the distributed network database containing just this information. The following factors make the attack somewhat harder in practice:
In the future, routers could use GeoIP to identify if they are in a particular country where identification as an I2P node would be risky. In that case, the router could automatically enable hidden mode, or enact other restricted route methods.
By inspecting the traffic into and out of a router, a malicious ISP or state-level firewall could identify that a computer is running I2P. As discussed above, I2P is not specifically designed to hide that a computer is running I2P. However, several design decisions made in the design of the transport layer and protocols make it somewhat difficult to identify I2P traffic:
Reference: Breaking and Improving Protocol Obfuscation
Sybil describes a category of attacks where the adversary creates arbitrarily large numbers of colluding nodes and uses the increased numbers to help mounting other attacks. For instance, if an attacker is in a network where peers are selected randomly and they want an 80% chance to be one of those peers, they simply create five times the number of nodes that are in the network and roll the dice. When identity is free, Sybil can be a very potent technique for a powerful adversary. The primary technique to address this is simply to make identity 'non free' - Tarzan (among others) uses the fact that IP addresses are limited, while IIP used HashCash to 'charge' for creating a new identity. We currently have not implemented any particular technique to address Sybil, but do include placeholder certificates in the router's and destination's data structures which can contain a HashCash certificate of appropriate value when necessary (or some other certificate proving scarcity).
Requiring HashCash Certificates in various places has two major problems:
Various limitations on the number of routers in a given IP range restrict the vulnerability to attackers that don't have the ability to put machines in several IP blocks. However, this is not a meaningful defense against a powerful adversary.
See the network database page for more Sybil discussion.
(Reference: In Search of an Anonymouns and Secure Lookup Section 5.2)
By refusing to accept or forward tunnel build requests, except to a colluding peer, a router could ensure that a tunnel is formed wholly from its set of colluding routers. The chances of success are enhanced if there is a large number of colluding routers, i.e. a Sybil attack. This is somewhat mitigated by our peer profiling methods used to monitor the performance of peers. However, this is a powerful attack as the number of routers approaches f = 0.2, or 20% malicious nodes, as specifed in the paper. The malicous routers could also maintain connections to the target router and provide excellent forwarding bandwidth for traffic over those connections, in an attempt to manipulate the profiles managed by the target and appear attractive. Further research and defenses may be necessary.
We use strong cryptography with long keys, and we assume the security of the industry-standard cryptographic primitives used in I2P, as documented on the low-level cryptography page. Security features include the immediate detection of altered messages along the path, the inability to decrypt messages not addressed to you, and defense against man-in-the-middle attacks. The key sizes chosen in 2003 were quite conservative at the time, and are still longer than those used in other anonymity networks. We don't think the current key lengths are our biggest weakness, especially for traditional, non-state-level adversaries; bugs and the small size of the network are much more worrisome. Of course, all cryptographic algorithms eventually become obsolete due to the advent of faster processors, cryptographic research, and advancements in methods such as rainbow tables, clusters of video game hardware, etc. Unfortunately, I2P was not designed with easy mechanisms to lengthen keys or change shared secret values while maintaining backward compatibility.
Upgrading the various data structures and protocols to support longer keys will have to be tackled eventually, and this will be a major undertaking, just as it will be for others. Hopefully, through careful planning, we can minimize the disruption, and implement mechanisms to make it easier for future transitions.
In the future, several I2P protocols and data structures support securely padding messages to arbitrary sizes, so messages could be made constant size or garlic messages could be modified randomly so that some cloves appear to contain more subcloves than they actually do. At the moment, however, garlic, tunnel, and end to end messages include simple random padding.
In addition to the floodfill DOS attacks described above, floodfill routers are uniquely positioned to learn about network participants, due to their role in the netDb, and the high frequency of communication with those participants. This is somewhat mitigated because floodfill routers only manage a portion of the total keyspace, and the keyspace rotates daily, as explained on the network database page. The specific mechanisms by which routers communicate with floodfills have been carefully designed. However, these threats should be studied further. The specific potential threats and corresponding defenses are a topic for future research.
A hostile user may attempt to harm the network by creating one or more floodfill routers and crafting them to offer bad, slow, or no responses. Several scenarios are discussed on the network database page.
There are a few centralized or limited resources (some inside I2P, some not) that could be attacked or used as a vector for attacks. The absence of jrandom starting November 2007, followed by the loss of the i2p.net hosting service in January 2008, highlighted numerous centralized resources in the development and operation of the I2P network, most of which are now distributed. Attacks on externally-reachable resources mainly affect the ability of new users to find us, not the operation of the network itself.
These attacks aren't directly on the network, but instead go after its development team by either introducing legal hurdles on anyone contributing to the development of the software, or by using whatever means are available to get the developers to subvert the software. Traditional technical measures cannot defeat these attacks, and if someone threatened the life or livelihood of a developer (or even just issuing a court order along with a gag order, under threat of prison), we would have a big problem.
However, two techniques help defend against these attacks:
Try as we might, most nontrivial applications include errors in the design or implementation, and I2P is no exception. There may be bugs that could be exploited to attack the anonymity or security of the communication running over I2P in unexpected ways. To help withstand attacks against the design or protocols in use, we publish all designs and documentation and solicit review and criticism with the hope that many eyes will improve the system. We do not believe in security through obscurity.
In addition, the code is being treated the same way, with little aversion towards reworking or throwing out something that isn't meeting the needs of the software system (including ease of modification). Documentation for the design and implementation of the network and the software components are an essential part of security, as without them it is unlikely that developers would be willing to spend the time to learn the software enough to identify shortcomings and bugs.
Our software is likely, in particular, to contain bugs related to denial of service through out-of-memory errors (OOMs), cross-site-scripting (XSS) issues in the router console, and other vulnerabilities to non-standard inputs via the various protocols.
I2P is still a small network with a small development community and almost no interest from academic or research groups. Therefore we lack the analysis that other anonymity networks may have received. We continue to recruit people to get involved and help.
To some extent, I2P could be enhanced to avoid peers operating at IP addresses listed in a blocklist. Several blocklists are commonly available in standard formats, listing anti-P2P organizations, potential state-level adversaries, and others.
To the extent that active peers actually do show up in the actual blocklist, blocking by only a subset of peers would tend to segment the network, exacerbate reachability problems, and decrease overall reliability. Therefore we would want to agree on a particular blocklist and enable it by default.
Blocklists are only a part (perhaps a small part) of an array of defenses against maliciousness. In large part the profiling system does a good job of measuring router behavior so that we don't need to trust anything in netDb. However there is more that can be done. For each of the areas in the list above there are improvements we can make in detecting badness.
If a blocklist is hosted at a central location with automatic updates the network is vulnerable to a central resource attack. Automatic subscription to a list gives the list provider the power to shut the i2p network down. Completely.
Currently, a default blocklist is distributed with our software, listing only the IPs of past DOS sources. There is no automatic update mechanism. Should a particular IP range implement serious attacks on the I2P network, we would have to ask people to update their blocklist manually through out-of-band mechanisms such as forums, blogs, etc.
{% endblock %}