De-anonymizing I2P users
Understanding a threat is key in choosing appropriate counteractions to take.
In my opinion I2P is a bit more interesting than Tor since in theory I2P should be more difficult to attack than Tor. In reality Tor has a larger community and has been reviewed and inspected more than I2P.
This is part of a white-paper I wrote on tracing users in an "anonymous" DHT network. For the following attack on I2P users the attacker will use multiple nodes and it's assumed the attacker has no previous idea who or where the victim is.
Attacking I2P users
The attackers router A keeps a fixed location in keyspace and router B moves closer to the source with every intercepted insert or request by the victim.
The attackers routers will have to wait until they are the final hop of an inbound or outbound tunnel of the victim's insert of a lease set before they will be able to determine a closer location of the victim's source in order to track eepsites. When running I2P-Bote an attacker can log and trace insert's and request's for a Bote ID. The attacker can recognize if a final hop was in the path of a victim since it will show a lease-set that can be associated with the victim's eepsite or Bote key.
Only 1 out of 3 times the attacker participates in the correct tunnel will it become the last hop since average tunnels are 3 hops.
Becoming the final hop in a request's or insert's tunnel is necessary to recognize a destination and requires very high connectivity as the attackers chances of being part of a tunnel are lower the further away in keyspace the attacker is.
By using "floodfill routers" for this attack on eepsites the required time will be reduced greatly since the attacker will be able to intercept newly inserted or requested lease sets
By intercepting new lease set inserts to the netBD the attacker will be able to move significantly closer in the network before needing to worry about being the final hop in a tunnel. Only after the attacker has narrowed the victims keyspace down to a small enough area will he have to eventually become part of every hop in a relevant tunnel to be sure that the victim is located at a certain keyspace and IP.
I am not trying to bash I2P at all
By explaining how I2P can be attacked I hope I can point out how safe it actually is and convince more users to join the network. I2P works on desktops, servers and Android devices. Take a look if you are interested. https://geti2p.net
Bottom line: I think I2p is pretty hard to attack.
Very interesting article. Have you already contacted the I2P developers about this issue?
Thank you. I think the I2P devs are well aware of this threat, but I will post a link to this article in the I2P forum. The I2P threat models are described in great detail here: https://geti2p.net/en/docs/how/threat-model
I had to write this article for myself to understand what it would take to de-anonymize an I2P user. At first it was all very confusing to me, but after I finally got my head wrapped around it I felt more confident about the security of the I2P network.
Good idea. If possible, could you please also provide a link to the complete white-paper?
Since you asked I was finally motivated to go over the whole paper again and fix the typos and such. :) This is no expert advice but it might help other newcomers as myself. https://steemit.com/security/@camb/how-to-trace-a-source-s-ip-in-anonymous-dht-networks-a-simple-essay
Excellent idea @camb. Keep up the good work!