On Mitigating Fingerprinting Internet Traffic Attacks: a Case Study on Oblivious DNS over HTTPS (ODoH) with eBPF

Website fingerprinting attacks exploit user privacy and expose them to unauthorized tracking, profiling, and exploitation of sensitive activities. Failing to mitigate these attacks risks data leaks, targeted attacks, and the erosion of trust in Internet security and anonymity services. Recently, academia and industry have proposed several solutions to address this problem. One of the most popular solutions to mitigate this problem is to carry DNS traffic over HTTPS connection (DoH). More recently, Oblivious DNS over HTTPS (ODoH) has been proposed to further mitigate website fingerprinting attacks. While HTTPS transmission of DNS queries via DoH ensures confidentiality, recent studies have shown that DNS resolver operators can still correlate queries with clients using IP addresses. This tracking breaches user privacy and can be exploited commercially. ODoH addresses this by incorporating a proxy and a target, ensuring that no observer knows both the client IP address and the DNS query. Machine learning algorithms able to intercept encrypted traffic between clients and proxies to execute website fingerprinting attacks with high accuracy have been recently proposed. Key factors influencing these attacks include packet size, the number of queries and responses, time intervals between packets, and transmission time. The objective of this thesis is to counteract these attacks by obfuscating the relevant features, ensuring consistent DNS traffic distribution across different websites. While DoH introduces latency compared to DNS over UDP, ODoH further increases this latency by adding intermediary layers. Therefore, we designed a method that can obfuscate effectively without exacerbating latency. We developed a TLS version that successfully counter fingerprint attacks. Our approach is based on purposeful use of dummy packets, packet fragmentation, and padding to produce a uniform appearance across all flows related to certain protocols. Without needing the sender and recipient to exchange keys or other information, this technique guarantees system security. With our solution, deployed at both the client and the proxy, an algorithm determines the optimal moments and methods for applying these features, making various ODoH flows indistinguishable from one another. This involves real-time analysis of ODoH parametric traffic distribution and updating parameters to mitigate manipulation effects. In order to further optimize performance we developed a prototype that employs the extended Berkeley Packet Filter (eBPF), an in-kernel virtual machine that allows sandboxed programs to run within the Linux kernel without modifying the kernel source code or loading kernel modules. Our eBPF-based solution, in particular, uses eXpress Data Path (XDP), to enhance efficiency by avoiding that padding and dummy packets are processed by the linux network stack.