memory-based dos and deanonymization attacks on tor

Memory-based DoS and Deanonymization Attacks on Tor

DCAPS SeminarOctober 11th, 2013

Rob JansenU.S. Naval Research [email protected]

*Joint with Aaron Johnson, Florian Tschorsch, Björn Scheuermann

The Tor Anonymity Network

torproject.org

How Tor Works

How Tor Works

Tor protocol aware

Tor Flow Control

exitentry

Tor Flow Control

One TCP Connection Between Each Relay,

Multiple Circuits

exitentry

Tor Flow Control

One TCP Connection Between Each Relay,

Multiple Circuits

Multiple Application Streams

exitentry

Tor Flow Control

No end-to-end TCP!

exitentry

Tor Flow Control

Tor protocol aware

exitentry

Tor Flow Control

Packaging End

DeliveryEnd

exitentry

Tor Flow Control

1000 Cell Limit

SENDME Signal Every 100 Cells

exitentry

Outline

● The Sniper Attack– Low-cost memory consumption attack that disables

arbitrary Tor relays

● Deanonymizing Hidden Services– Using DoS attacks for deanonymization

● Countermeasures

The Sniper Attack

Start Download

Request

exitentry

The Sniper Attack

Reply

DATAexitentry

The Sniper AttackPackage and Relay DATA

DATA

DATAexitentry

The Sniper Attack

DATA

DATA

Stop Reading from Connection

DATA

Rexitentry

The Sniper Attack

DATADATADATADATADATADATA

Rexitentry

Flow Window Closed

The Sniper Attack

DATA

Periodically Send SENDME SENDME

R

DATADATADATADATADATA

exitentry

The Sniper Attack

DATA

DATA


Periodically Send SENDME SENDME

R


exitentry

Flow Window Opened

The Sniper Attack

DATA

DATA


R


exitentry

DATADATADATADATADATADATADATADATADATADATA

Out of Memory, Killed by OS

The Sniper Attack

DATA

DATA


R


exitentry

DATADATADATADATADATADATADATADATADATADATA

Use Tor to Hide

Memory Consumed over Time

Mean RAM Consumed, 50 Relays

Mean BW Consumed, 50 Relays

Speed of Sniper Attack

Direct AnonymousRelay Groups Select % 1 GiB 8 GiB 1 GiB 8 GiBTop Guard 1.7

Top 5 Guards 6.5

Top 20 Guards 19

Top Exit 3.2

Top 5 Exits 13

Top 20 Exits 35

Path Selection Probability ≈ Network Capacity

Speed of Sniper Attack

Direct AnonymousRelay Groups Select % 1 GiB 8 GiB 1 GiB 8 GiBTop Guard 1.7 0:01 0:18 0:02 0:14

Top 5 Guards 6.5 0:08 1:03 0:12 1:37

Top 20 Guards 19 0:45 5:58 1:07 8:56

Top Exit 3.2 0:01 0:08 0:01 0:12

Top 5 Exits 13 0:05 0:37 0:07 0:57

Top 20 Exits 35 0:29 3:50 0:44 5:52

Time (hours:minutes) to Consume RAM

Outline




● Countermeasures

Hidden Services

HS

User wants to hide service

Hidden Services

entry IP

HS chooses and publishes

introduction point IP

HS

Hidden Services

entry IP

HS

Learns about HS on web

entry

Hidden Services

entry IP

HS

Builds Circuit to Chosen Rendezvous

Point RP

RP

entry

Hidden Services

entry IP

HS

Notifies HS of RP through IP

RP

entry

RP

entry

Hidden Services

entry IP

HS

RP

RP

entry

Hidden Services

entry IP

HS

Build New Circuit to

RP

RP

entry

RP

entry

Hidden Services

entry IP

HS

Communicate!

RP

entry

RP

entry

Deanonymizing Hidden Services

HS

RP

entry


HS

RP

Also runs a guard relay

entry


entry

HS

RP

RP

Build New Circuit to

RP

entry


entry

HS

RP

RP S&P 2006, S&P 2013

entry


entry

HS

RP

RP S&P 2013

PADDING

Send 50 Padding

Cells

entry


entry

HS

RP

RP

Identify HS entry if cell count = 52

S&P 2013

entry


entry

HS

RP

Sniper Attack,or any other DoS

entry


HS

RP

Choose new Entry Guard

entry


HS

RP

RP

entry


HS

RP

RP S&P 2006, S&P 2013

entry


HS

RP

RP

Send 50 Padding

Cells

S&P 2013

PADDING

entry


HS

RP

RP

Identify HS if cell count = 53

S&P 2013

Outline




● Countermeasures

Countermeasures

● Sniper Attack Defenses– Authenticated SENDMEs– Queue Length Limit– Adaptive Circuit Killer

● Deanonymization Defenses– Entry-guard Rate-limiting– Middle Guards

Questions?

cs.umn.edu/[email protected]

think like an adversary

Speed of Deanonymization

Guard BW(MiB/s)

Guard Probability

(%)Average # Rounds

Average # Sniped

Average Time (h)

1 GiB

Average Time (h)

8 GiB8.41 0.48 66 133 46 279

16.65 0.97 39 79 23 149

31.65 1.9 24 48 13 84

66.04 3.8 13 26 6 44

96.61 5.4 9 19 5 31

1 GiB/s Relay Can Deanonymize HS in

about a day

Circuit Killer Defense

The Sniper Attack

exitentry

exit entry

Single Adversary

The Sniper Attack

exitentry

exit entry

Anonymous Tunnel

The Sniper Attack

exitentry

exit entry

The Sniper Attack

exitentry

exit entry

DATADATA DATA

DATA

The Sniper Attack

exitentry

exit entry

DATADATA DATA

DATA

R

The Sniper Attack

exitentry

exit entry

DATADATA DATA

R

Flow Window Closed

The Sniper Attack

exitentry

exit entry

DATADATA DATA

R

R

The Sniper Attack

exitentry

exit entry

DATADATA

R

R

DATADATADATADATA

The Sniper Attack

exitentry

exit entry

DATADATA

R

R

DATADATADATA

Killed by OS

DATA

memory-based dos and deanonymization attacks on tor

Documents

orghow tor works

gib8 gib1 gib8 gibtop

time hours

deanonymization attacks

tcp connection

guards19top exit3

time mean ram

fy08fy10 memorybased